ThinkPHP 5.x Remote Code Execution
Earlier this year, we noticed an increase in attacks targeting ThinkPHP, a PHP framework that is very popular in Asia.
If you keep track of your site’s activity, the following log may look familiar:
POST: /index.php?s=captcha HTTP/1.1
Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig
In December 2018, a working exploit was released for versions v5.0.23 and v5.1.31. The ThinkPHP team then released a new version that partially fixes the problem. Here is a snippet of the patch:
$method = strtoupper($_POST[Config::get(‘var_method’)]);
– $this->{$this->method}($_POST);
+ if (in_array($method, [‘GET’, ‘POST’, ‘DELETE’, ‘PUT’, ‘PATCH’])) {
+ $this->method = $method;
+ $this->{$this->method}($_POST);
+ }
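Review bot: the allowlist on the added in_array() line constrains only the override name, while $this->{$this->method}($_POST) still hands the entire $_POST array to the dispatched method, so every other request-supplied key reaches it unchecked. Consider passing only the fields that method expects, or validating them before the call. The in_array() call also omits the strict third argument; in_array($method, [...], true) avoids loose comparison. Finally, there is no else branch, so a value outside the list is dropped silently; rejecting or logging the request at that point would make probing visible.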
In short, the patch restricts the method parameter to legitimate values. This matters because, later in the code, the function filterValue() passes the filter parameter directly to the PHP function call_user_func(), which leads to remote code execution (RCE).
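The logged request and the patch's allowlist together give a simple detection rule for POST bodies. The Python below is an added example, not code from the original article or from ThinkPHP; the function names and the benign sample bodies are constructed, and it assumes var_method is configured as _method, as in the logged request.

```python
from urllib.parse import parse_qsl

# Verbs the patch shown above accepts for the method-override parameter.
ALLOWED_METHODS = {"GET", "POST", "DELETE", "PUT", "PATCH"}
# Assumption: var_method is configured as "_method", as in the logged request.
METHOD_PARAM = "_method"


def inspect_body(body):
    """Return a list of findings for one URL-encoded POST body."""
    findings = []
    # keep_blank_values keeps bare keys (e.g. "ipconfig") instead of dropping them.
    for key, value in parse_qsl(body, keep_blank_values=True):
        base = key.split("[", 1)[0]  # "filter[]" -> "filter"
        if base == METHOD_PARAM and value.upper() not in ALLOWED_METHODS:
            findings.append(f"method override outside allowlist: {value!r}")
        elif base == "filter":
            # filterValue() hands this value to call_user_func().
            findings.append(f"request-supplied filter callable: {value!r}")
        elif base == "server":
            findings.append(f"request-supplied server variable: {key}={value!r}")
    return findings


def scan(entries):
    """entries: iterable of (request_line, body). Return only the flagged ones."""
    flagged = []
    for request_line, body in entries:
        findings = inspect_body(body)
        if findings:
            flagged.append((request_line, findings))
    return flagged


# First entry is the request logged in the article; the other two are constructed.
SAMPLE = [
    ("POST /index.php?s=captcha",
     "_method=__construct&filter[]=system&method=get"
     "&server[REQUEST_METHOD]=uname&ipconfig"),
    ("POST /index.php?s=article/update", "_method=PUT&title=hello"),
    ("POST /index.php?s=login", "username=alice&password=example"),
]

if __name__ == "__main__":
    for request_line, findings in scan(SAMPLE):
        print(request_line)
        for finding in findings:
            print("  -", finding)
```

A filter or server key in a request body is a heuristic signal, so tune the rule against the parameters your own application legitimately accepts.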
Continue reading ThinkPHP 5.x Remote Code Execution at Sucuri Blog.