Recurrence of arbitrary file creation vulnerability in thinkphp6

01-28-2024

01 Background

Recently, Chian Xin published a security advisory for an arbitrary file creation vulnerability in ThinkPHP 6.0. DYSRC analyzed the vulnerability as soon as the notice came out and successfully reproduced it.

Affected versions: top-think/framework 6.x < 6.0.2.

02 Locating the problem

Given that the advisory describes arbitrary file creation, a look at the recent commit history suggests that commit 1bbe75019 is the patch. The patch restricts the session ID to letters and digits only, which makes the nature of the problem fairly obvious: before the fix, whatever the client sent as the session ID was used as-is.

03 Principle analysis

Setting the patch aside for a moment, let's look at how ThinkPHP stores sessions.

The framework defines the interface think\contract\SessionHandlerInterface.

SessionHandlerInterface::write is called when the session data is persisted; the framework invokes it automatically at the end of every request.

Let's look at how the think\session\driver\File class implements it.

write first derives the file name from $sessID via getFileName, then passes that name to writeFile, which writes the session data to the resulting path.

Following getFileName, the incoming $sessID is spliced directly into the file name with no filtering. Since $sessID comes from the client's session cookie, the file name, including any ../ segments, is attacker-controlled, and the write lands wherever the resulting path resolves. The content written is the session data itself, so what ends up in the file depends on which request values the application stores in the session.
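To make the two points above concrete (the unfiltered splice in getFileName, and the letters-and-digits restriction the patch adds), here is an added example that is not ThinkPHP's own code: a stripped-down PHP model of how the 6.0.1 File driver builds the session file name from the session ID, next to the whitelist check 6.0.2 applies before the ID is used. The `sess_` file prefix, the recursive mkdir of the parent directory, the 32-character length in the check, the session directory path and the cookie values are assumptions made for this illustration; the page itself only states that the ID is spliced into the name and that the patch restricts it to letters and digits.

```php
<?php
// Added example, not ThinkPHP's own code: models the file-name construction of
// the 6.0.1 File session driver and the session-id check introduced in 6.0.2.
declare(strict_types=1);

// Modelled on think\session\driver\File::getFileName: the id is spliced straight
// into the path. The 'sess_' prefix and the optional sub-directory ($prefix) are
// assumptions about the driver's layout, not something the page shows.
function vulnerableSessionFile(string $sessID, string $path, string $prefix = ''): string
{
    $name = $prefix !== ''
        ? $prefix . DIRECTORY_SEPARATOR . 'sess_' . $sessID
        : 'sess_' . $sessID;

    return $path . $name;
}

// Collapses '.' and '..' segments without touching the filesystem, so we can see
// where the spliced path resolves. This matches what the kernel does when every
// intermediate directory exists; the driver is assumed to create the parent
// directory (here the odd 'sess_..' directory) with a recursive mkdir first.
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }

    return '/' . implode('/', $parts);
}

// The 6.0.2 rule as assumed here: only a 32-character alphanumeric id is kept;
// anything else is discarded and the framework generates a fresh id. The page
// states the letters-and-digits restriction; the fixed length is an assumption.
function acceptedSessionId(?string $id): ?string
{
    return is_string($id) && strlen($id) === 32 && ctype_alnum($id) ? $id : null;
}

// Assumed deployment layout for the illustration.
$sessionDir = '/var/www/app/runtime/session/';

// Constructed cookie values: a legitimate id and a traversal payload. The first
// '../' of the payload is glued to the 'sess_' prefix and only escapes the
// 'sess_..' directory it becomes, so one extra '../' is needed to climb out.
$cookies = [
    'legit'     => md5('example'),                 // 32 hex characters
    'traversal' => '../../../../public/shell.php',
];

foreach ($cookies as $label => $sessID) {
    $target = normalizePath(vulnerableSessionFile($sessID, $sessionDir));
    $inside = strncmp($target, $sessionDir, strlen($sessionDir)) === 0;

    printf("%-9s 6.0.1 writes %s (%s the session directory)\n",
        $label, $target, $inside ? 'inside' : 'OUTSIDE');
    printf("%-9s 6.0.2 accepts the id: %s\n",
        $label, acceptedSessionId($sessID) === null ? 'no, regenerated' : 'yes');
}
```

Run with `php` from the command line: the legitimate id resolves to a file inside the session directory and passes the check, while the traversal value resolves to a file under the assumed web root and is rejected by the 6.0.2 rule, which is exactly why the patch only needed to constrain the id rather than touch the driver.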

04 Demonstration

At this point the whole chain of the vulnerability is clear. The results of a local reproduction are shown below.
