标签:max select 影响 php assign result http public exists
路由控制類RCE
/think/App.php
if (!preg_match(‘/^[A-Za-z](\w|\.)*$/‘, $controller)) { throw new HttpException(404, ‘controller not exists:‘ . $controller); }
變量覆蓋RCE
/think/Request.php
if (in_array($method, [‘GET‘, ‘POST‘, ‘DELETE‘, ‘PUT‘, ‘PATCH‘])) { $this->method = $method; $this->{$this->method}($_POST);
SQL:
1.
漏洞影响版本: 5.0.13<=ThinkPHP<=5.0.15 、 5.1.0<=ThinkPHP<=5.1.5 。
$username = request()->get(‘username/a‘); db(‘users‘)->insert([‘username‘ => $username]);
2.
5.1.6<=ThinkPHP<=5.1.7 (非最新的 5.1.8 版本也可利用)。
$username = request()->get(‘username/a‘); db(‘users‘)->where([‘id‘ => 1])->update([‘username‘ => $username]); return ‘Update success‘;
3.
ThinkPHP 中存在的 SQL注入 漏洞( select 方法注入)。ThinkPHP5全版本 。
$username = request()->get(‘username‘); $result = db(‘users‘)->where(‘username‘,‘exp‘,$username)->select(); return ‘select success
‘;
4.。漏洞影响版本: ThinkPHP=5.0.10 。
漏洞环境
$username = request()->get(‘username/a‘); $result = db(‘users‘)->where([‘username‘ => $username])->select(); var_dump($result);
5.
漏洞影响版本: 5.1.16<=ThinkPHP5<=5.1.22 。
$orderby = request()->get(‘orderby‘); $result = db(‘users‘)->where([‘username‘ => ‘mochazz‘])->order($orderby)->find();
6.
漏洞影响版本: 5.0.0<=ThinkPHP<=5.0.21 、 5.1.3<=ThinkPHP5<=5.1.25 。
$options = request()->get(‘options‘); $result = db(‘users‘)->max($options); var_dump($result);
文件包含
5.0.0<=ThinkPHP5<=5.0.18 、5.1.0<=ThinkPHP<=5.1.10。
public function index() { $this->assign(request()->get()); return $this->fetch();
标签:max select 影响 php assign result http public exists
原文地址:https://www.cnblogs.com/0xdd/p/11102426.html
