
Viewing Thinkphp's Historical Vulnerabilities from the Perspective of Protection

1. Preface
At the beginning of 2019, two ThinkPHP 5 RCE vulnerabilities were disclosed on the Internet. They are very easy to exploit, and many attackers loaded them into scanners to sweep the whole Internet. Through our IPS devices we have kept observing large volumes of attack traffic that uses these vulnerabilities for batch getshell. This article analyzes, from the traffic perspective, the traces that Internet-wide ThinkPHP exploitation and the resulting getshell activity leave behind.
2. Thinkphp RCE vulnerability and scanning traffic
2.1 Review of vulnerability principle
2.1.1 5.0.x version vulnerability
The core class ThinkPHP uses to process a request is Request (thinkphp/library/think/Request.php); it exposes the various settings of the HTTP request.
ThinkPHP supports "form method spoofing": a form field, by default named _method, tells the framework which HTTP method the request should be treated as. In method(), the value of this spoofing variable is used directly as the name of a Request method to call, with $_POST passed in as its argument, so an attacker can call any method of the class. A suitably constructed request therefore overwrites Request attribute values from the request body; overwriting the filter attribute (which stores the function used for global input filtering) with a dangerous PHP function gets that function applied to the input values, which is how code execution is achieved.
2.1.2 5.1.x-5.2.x version vulnerabilities
Similar to the 5.0.x vulnerability, these vulnerabilities also live in the Request class (thinkphp/library/think/Request.php). Here the $method variable is $this->method, which is taken from the POST parameter "_method"; it can likewise be used to overwrite the $filter attribute (which stores the function used for global filtering) and so achieve code execution.
When the vulnerability is triggered, a warning-level exception terminates the program. To let the payload run through, the exception has to be suppressed: configuring error_reporting(0) in public/index.php ignores the exception and lets the code continue.
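As an added example (not ThinkPHP code and not a rule from the IPS used in this article), the following Python checks a captured POST request for the mechanism described above: the form-spoofing variable (assumed to keep its default name _method) set to something other than an HTTP verb, combined with the filter attribute being supplied in the body. All sample requests are constructed; the attack sample follows the shape of the public 5.0.x payload, which sets _method to __construct so that the constructor copies the POSTed filter value onto the Request object.

```python
"""Flag ThinkPHP 5.x form-method-spoofing abuse in captured HTTP requests.

Added example for this article; it is neither ThinkPHP code nor a rule from the
IPS discussed above. Assumptions: the spoofing variable keeps its default name
"_method", the body is application/x-www-form-urlencoded, and every sample
request at the bottom is constructed.
"""
import re
from urllib.parse import parse_qsl

# Values the form-method-spoofing variable is meant to carry.
HTTP_VERBS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}


def split_request(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def base_key(key: str) -> str:
    """PHP array syntax: 'filter[]' and 'filter[0]' both set the 'filter' attribute."""
    return re.sub(r"\[.*$", "", key)


def inspect_request(raw: str, var_method: str = "_method") -> dict:
    """Return a verdict of 'rce_attempt', 'suspicious' or 'clean', with reasons."""
    request_line, headers, body = split_request(raw)
    result = {"request": request_line, "verdict": "clean", "reasons": []}
    if not request_line.startswith("POST ") or \
            "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return result  # the spoofing variable is only read from $_POST

    pairs = parse_qsl(body, keep_blank_values=True)
    spoofed = next((v for k, v in pairs if k == var_method), None)
    # 1. method() uses the spoofed value as the name of the Request method to call,
    #    with $_POST as argument, so a value that is not a verb is a method name.
    bad_method = spoofed is not None and spoofed.upper() not in HTTP_VERBS
    if bad_method:
        result["reasons"].append(
            f"{var_method}={spoofed!r} is not an HTTP verb; Request::{spoofed}($_POST) would run")
    # 2. 'filter' is the attribute holding the global filter callback.
    callbacks = [v for k, v in pairs if base_key(k) == "filter"]
    if callbacks:
        result["reasons"].append(f"filter attribute supplied in POST body: {callbacks}")

    if bad_method and callbacks:
        result["verdict"] = "rce_attempt"
    elif bad_method or callbacks:
        result["verdict"] = "suspicious"
    return result


# Constructed samples. ATTACK follows the shape of the public 5.0.x payload:
# _method=__construct makes method() call the constructor, which copies the
# POSTed "filter" (and "method", "get") values onto the Request object.
ATTACK = (
    "POST /index.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_method=__construct&filter[]=system&method=get&get[]=whoami"
)
# Legitimate form-method spoofing: a form that wants to be treated as PUT.
BENIGN = (
    "POST /article/7 HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_method=PUT&title=hello"
)
# Non-verb spoof without a filter override: worth logging, not yet RCE.
SPOOF_ONLY = (
    "POST /index.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_method=__construct&title=hello"
)

if __name__ == "__main__":
    for sample in (ATTACK, BENIGN, SPOOF_ONLY):
        r = inspect_request(sample)
        print(r["request"], "->", r["verdict"])
        for reason in r["reasons"]:
            print("   ", reason)
```

The check keys on the mechanism rather than on one payload string, so it still fires when the function name in filter[] changes; a vendor-tuned rule would additionally pin the variable name to whatever var_method the site configures.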

2.2 ThinkPHP vulnerability network scan
From the traffic point of view, exploiting the ThinkPHP vulnerability means sending a single HTTP request. We found that an attacker's scanner first writes a one-line webshell containing a fingerprint string, then requests the written file and checks whether the fingerprint comes back; if it does, the shell is in place. So basically two HTTP requests are sent per host, and the scanner records the IP and URL of every shell that was written successfully; the attacker then connects to those shells manually with a chopper (a China Chopper-style webshell client) for follow-up operations.
From the IPS logs and manual verification, the attack consists of two steps: 1. scan the whole network, send the exploit, and decide from the fingerprint whether getshell succeeded; 2. connect with a chopper for remote control.
2.2.1 Scanning the whole network and sending exp
Scanning logs generally show a source traversing a /16 (class B) or /24 (class C) range within a short, dense time span. A snippet of a recorded scanner log is as follows:

It has three features: 1. the destination IPs belong to the same /24 or /16; 2. the port is relatively fixed; 3. the scan timing is very dense. Whether a shell has been written successfully is decided by the scanner itself from the fingerprint it planted; that fingerprint is specific to the scanner, so the IPS has no dedicated detection rule for it.
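The sweep-plus-verify behaviour described above can be pulled out of IPS logs with two checks: many distinct targets in one /24 (or /16) from one source within a short window at a fixed port, and, per target, a POST to the application entry point followed within seconds by a GET to a freshly written .php file whose 200 response is what the scanner records. The following Python is an added example written for this article, not the IPS vendor's detection logic; the log line format, the field names and every log line are constructed (the shell name x.php is the one seen in the cases later in this article).

```python
"""Pick ThinkPHP-style mass scanning out of IPS logs.

Added example for this article, not the IPS vendor's rules. Log format, field
names and every log line below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) status=(?P<status>\d+)")


def parse_log(text: str) -> list[dict]:
    """Parse log lines into time-sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"], e["status"] = int(e["dport"]), int(e["status"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])  # stable sort keeps POST before GET


def find_sweeps(events, window=timedelta(seconds=60), min_hosts=5, prefix=24):
    """Features 1-3 from the text: one source, many distinct targets in the same
    /prefix within `window`; the report also lists the ports it used."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    sweeps = []
    for src, evs in by_src.items():
        by_net = defaultdict(list)
        for e in evs:
            by_net[ip_network(f"{e['dst']}/{prefix}", strict=False)].append(e)
        for net, nevs in by_net.items():
            for i, first in enumerate(nevs):  # sliding time window
                in_win = [e for e in nevs[i:] if e["ts"] - first["ts"] <= window]
                hosts = {e["dst"] for e in in_win}
                if len(hosts) >= min_hosts:
                    sweeps.append({"src": src, "net": str(net), "hosts": len(hosts),
                                   "ports": sorted({e["dport"] for e in in_win}),
                                   "start": first["ts"]})
                    break
    return sweeps


def find_getshell_probes(events, max_gap=timedelta(seconds=10)):
    """The two-request pattern: a POST (the exploit) to an entry point, then a GET
    to a different .php on the same host within `max_gap`. A 200 on the GET is the
    fingerprint check succeeding, i.e. a shell the scanner will record."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    probes = []
    for (src, dst), evs in by_pair.items():
        for i, post in enumerate(evs):
            if post["method"] != "POST":
                continue
            for nxt in evs[i + 1:]:
                if nxt["ts"] - post["ts"] > max_gap:
                    break
                if nxt["method"] == "GET" and nxt["uri"].endswith(".php") \
                        and nxt["uri"] != post["uri"]:
                    probes.append({"src": src, "dst": dst, "exploit_uri": post["uri"],
                                   "shell_uri": nxt["uri"],
                                   "shell_confirmed": nxt["status"] == 200})
    return probes


def confirmed_shells(events) -> list[tuple[str, str]]:
    """(dst, shell_uri) for every target whose verify request came back 200."""
    return [(p["dst"], p["shell_uri"])
            for p in find_getshell_probes(events) if p["shell_confirmed"]]


# Constructed sample: one scanner walking 203.0.113.0/24 on port 80 with two
# requests per host; only 203.0.113.4 gets the shell written. 192.0.2.9 is a
# normal visitor.
SAMPLE_LOG = """
2019-01-12 03:14:01 src=198.51.100.7 dst=203.0.113.1 dport=80 POST /index.php status=500
2019-01-12 03:14:01 src=198.51.100.7 dst=203.0.113.1 dport=80 GET /x.php status=404
2019-01-12 03:14:03 src=198.51.100.7 dst=203.0.113.2 dport=80 POST /index.php status=500
2019-01-12 03:14:03 src=198.51.100.7 dst=203.0.113.2 dport=80 GET /x.php status=404
2019-01-12 03:14:05 src=198.51.100.7 dst=203.0.113.3 dport=80 POST /index.php status=404
2019-01-12 03:14:05 src=198.51.100.7 dst=203.0.113.3 dport=80 GET /x.php status=404
2019-01-12 03:14:07 src=198.51.100.7 dst=203.0.113.4 dport=80 POST /index.php status=200
2019-01-12 03:14:07 src=198.51.100.7 dst=203.0.113.4 dport=80 GET /x.php status=200
2019-01-12 03:14:09 src=198.51.100.7 dst=203.0.113.5 dport=80 POST /index.php status=500
2019-01-12 03:14:09 src=198.51.100.7 dst=203.0.113.5 dport=80 GET /x.php status=404
2019-01-12 03:14:11 src=198.51.100.7 dst=203.0.113.6 dport=80 POST /index.php status=500
2019-01-12 03:14:11 src=198.51.100.7 dst=203.0.113.6 dport=80 GET /x.php status=404
2019-01-12 03:20:00 src=192.0.2.9 dst=203.0.113.4 dport=80 GET /index.php status=200
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for s in find_sweeps(evs):
        print(f"sweep from {s['src']}: {s['hosts']} hosts in {s['net']}, ports {s['ports']}")
    for dst, uri in confirmed_shells(evs):
        print(f"shell confirmed on {dst}{uri}")
```

The sweep check is what lets the IPS raise an alert without knowing the scanner's fingerprint string; the confirmed-shell list is the same list the scanner builds for itself, which is what incident response wants first.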
2.2.2 Chopper connection
When the attacker later connects to a compromised site manually with a chopper, the IPS detects that too, and by correlating the surrounding context the intrusion can be traced back to the ThinkPHP vulnerability as the attacker's entry point. A few typical cases recorded at the time:
The compromised Zhengzhou server 1 (122.114.24.216):

This website was indeed running ThinkPHP 5. At the time the webshell had still not been deleted from the server, and the Trojan uploaded by the attacker could still be reached. The fingerprint string is baidu; the scanner uses this fingerprint to decide automatically that getshell succeeded and records the URL.

The compromised Sichuan server (182.151.214.106):
In this case the Trojan had been removed, but the server was still reachable at the time and also ran the ThinkPHP framework. The username appeared to be chanpei.

The device recorded the attacker connecting to the Trojan and executing network query commands; the information in that message matches the error message above. It also shows that the server is a machine on an intranet: at least two subnets, 192.168.9.0 and 192.168.56.0, are visible in the screenshot.

The compromised U.S. server (161.129.41.36):
The webshell on this U.S. server had also been cleaned up. Packet capture on the device showed that the attackers used the same webshell Trojan, x.php, which suggests the same group of attackers.

When the attacker browsed the content of x.php (the webshell) on the U.S. server, the device recorded the password of x.php as xiao, and the flag string was again baidu.

It can be seen that a large number of servers were compromised at the time by scanning for these two high-risk ThinkPHP RCE vulnerabilities.
3. Summary
Starting from the principle of ThinkPHP's historical vulnerabilities, this article has shared real cases in which they were exploited successfully. At present, the logs our devices detect most every day are direct getshell attempts against WebLogic, Struts2 and ThinkPHP, and SSH or RDP brute-force attempts. As soon as a new exploit appears, many attackers load it into their scanners and sweep the whole Internet, and a single day can yield several shells. After a high-risk vulnerability is disclosed, users are therefore advised to apply the patch promptly and to configure their security device policies. Judging from the cases above, the scanner risk is always there; configuring the website to refuse direct access by IP address mitigates this threat to some extent, because Internet-wide scanners typically hit IP ranges rather than hostnames. Given our limited level, corrections and suggestions are welcome.

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Web_defense/21855.html
