Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-9082 PoC — 顶想信息科技 ThinkPHP 访问控制错误漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-9082.yaml
Associated Vulnerability
Title:顶想信息科技 ThinkPHP 访问控制错误漏洞 (CVE-2019-9082)
Description:顶想信息科技 ThinkPHP是中国顶想信息科技公司的一套基于PHP的、开源的、轻量级Web应用程序开发框架。 ThinkPHP 3.2.4之前版本(使用在Open Source BMS v1.1.1版本和其他设备上)中存在访问控制错误漏洞。远程攻击者可借助public//?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= URL利用该漏洞执行命令。
Description
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via the s parameter in index.php through the invokefunction functionality.
File Snapshot

 id: CVE-2019-9082

info:
  name: ThinkPHP < 3.2.4 - Remote Code Execution
  author: 0xanis
  severit

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.