ThinkPHP code execution (cnvd-2018-24942)
2022-07-18 12:14:00 【sec0nd_】
Vulnerability description:
The ThinkPHP framework is an open-source MVC PHP framework developed and maintained by Shanghai Dingxiang, released under the Apache 2 open-source license, and intended for agile web application development and simplified enterprise application development.
The vulnerability stems from the framework's insufficient validation of the controller name; an attacker can exploit it to perform remote command execution against the target website.
Reproduction process
Remote code execution, reading the current directory
I wanted to try uploading a one-line webshell, but the site was a bit laggy and kept spinning; it seems I couldn't write it in.
Based on previous experience, the flag is in the tmp directory, so I just grabbed the flag.
Repair suggestions
Install with Composer, keep the latest version in use, and update to the latest version with the following command:
composer update topthink/framework
Version 5.0
In the module method of the think\App class, add the following after the code that retrieves the controller:
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
throw new HttpException(404, 'controller not exists:' . $controller);
}
Version 5.1
In the parseUrl method of the think\route\dispatch\Url class, add the following after the controller is parsed:
if ($controller && !preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
throw new HttpException(404, 'controller not exists:' . $controller);
}
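The patched check can also be used defensively. The Python below is added here and is not part of the original post or of ThinkPHP (whose code is PHP): it ports the regex from the 5.0/5.1 fixes and runs it over constructed access-log lines to flag requests whose controller name the patched framework would reject. The PATHINFO and ?s= route forms, the log format and the sample lines are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Python port of the controller-name check from the ThinkPHP patch (the real
# fix is PHP; PHP's \w is ASCII-only by default, Python's is Unicode-aware).
CONTROLLER_RE = re.compile(r'^[A-Za-z](\w|\.)*$')

def controller_name_is_valid(name: str) -> bool:
    """True when the controller name would pass the patched check."""
    return CONTROLLER_RE.match(name) is not None

def extract_controller(request_target: str) -> Optional[str]:
    """Controller segment of a ThinkPHP-style request target, or None.
    Assumes PATHINFO routing (/index.php/module/controller/action) or the
    compatibility form (/index.php?s=module/controller/action)."""
    parsed = urlparse(request_target)
    qs = parse_qs(parsed.query)  # parse_qs already percent-decodes values
    if 's' in qs:
        route = qs['s'][0]
    elif '/index.php/' in parsed.path:
        route = unquote(parsed.path.split('/index.php/', 1)[1])
    else:
        return None
    parts = [p for p in route.split('/') if p]
    return parts[1] if len(parts) >= 2 else None

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_suspicious(log_lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, controller) for requests whose controller fails the check."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        ctl = extract_controller(m.group(1))
        if ctl is not None and not controller_name_is_valid(ctl):
            hits.append((n, ctl))
    return hits

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2022:12:14:00 +0800] "GET /index.php/index/Index/index HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Jul/2022:12:14:01 +0800] "GET /index.php?s=index/user.profile/show HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jul/2022:12:14:02 +0800] "GET /index.php?s=index/Evil%5CName/run HTTP/1.1" 200 77',
    '10.0.0.9 - - [18/Jul/2022:12:14:03 +0800] "GET /index.php/index/9abc/run HTTP/1.1" 404 0',
    '10.0.0.7 - - [18/Jul/2022:12:14:04 +0800] "GET /static/app.css HTTP/1.1" 200 1200',
]
```

Running flag_suspicious(SAMPLE_LOG) reports the third line (a backslash in the controller name) and the fourth (a name starting with a digit); the valid names Index and user.profile pass, and the static asset request has no controller segment.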