Information Security 3 min read

ThinkCMF Privilege Escalation Vulnerability in ThinkPHP 5.0 and Its Mitigation

The article explains a privilege‑escalation flaw in the ThinkCMF CMS built on ThinkPHP 5.0, demonstrates how to exploit it via crafted URLs to invoke arbitrary PHP functions such as phpinfo, and describes the official fix that adds strict controller name validation.


The author discovered that a newly built ThinkCMF blog, which runs on the ThinkPHP 5.0 framework, had been hit by a privilege-escalation attack, most likely from automated get-shell scans. The flaw is in library/think/app.php, where the module, controller, and method are split on '/' without any validation of the controller name.

Because the controller segment is not validated, an attacker can craft a URL that makes the framework invoke an arbitrary PHP function. For example, on a virtual host http://cmf.com, the following URL prints the output of phpinfo():

    http://cmf.com/index.php?s=portal/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Replacing phpinfo with another function such as file_put_contents lets an attacker write webshells or other malicious files to the server.

The official ThinkPHP fix for version 5.0 adds a regular-expression check to the controller lookup in the think\App class, so a controller name containing anything other than a leading letter followed by word characters or dots (in particular the '\' namespace separator used above) is rejected with a 404:

    // library/think/app.php (ThinkPHP 5.0.24): reject controller names that are
    // not a letter followed by word characters or dots
    if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
        throw new HttpException(404, 'controller not exists:' . $controller);
    }
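To show what the check does to the route from the URL above, here is an added PHP example (not ThinkPHP's or ThinkCMF's own code) that splits a module/controller/action route and applies the same regular expression; parseRoute and isValidController are hypothetical names standing in for the framework's dispatch code.

```php
<?php
// Added example, not ThinkPHP's or ThinkCMF's own code: a minimal stand-in for the
// route handling in library/think/app.php that applies the 5.0.24 controller check.
// The function names parseRoute and isValidController are hypothetical.

function isValidController(string $controller): bool
{
    // Same pattern as the official fix: a leading letter followed only by word
    // characters or dots, so the '\' namespace separator can never get through.
    return preg_match('/^[A-Za-z](\w|\.)*$/', $controller) === 1;
}

/**
 * Split a ThinkPHP-style "module/controller/action" route and validate the
 * controller segment. Returns the three parts, or throws like the patched App class.
 */
function parseRoute(string $path): array
{
    $parts = explode('/', trim($path, '/'));
    if (count($parts) !== 3) {
        throw new RuntimeException('expected module/controller/action, got: ' . $path);
    }
    [$module, $controller, $action] = $parts;
    if (!isValidController($controller)) {
        // The patched framework answers with a 404 here instead of resolving the class.
        throw new RuntimeException('controller not exists:' . $controller);
    }
    return ['module' => $module, 'controller' => $controller, 'action' => $action];
}

// Constructed inputs: the route from the article plus ordinary and malformed ones.
$routes = [
    'portal/\think\app/invokefunction', // rejected: '\' is not a word character
    'portal/index/index',               // accepted
    'user/profile.edit/save',           // accepted: dots are allowed by the pattern
    'portal/1abc/index',                // rejected: must start with a letter
];

foreach ($routes as $route) {
    try {
        $r = parseRoute($route);
        echo "accepted: {$r['module']}/{$r['controller']}/{$r['action']}\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Note that the pattern is applied without the PCRE /u modifier, so `\w` matches ASCII letters, digits and underscore only, which is what the official patch relies on.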

The author was running ThinkCMF version 5.0.180901. The latest release, 5.0.190111, updates ThinkPHP to 5.0.24, which includes the security patch and closes the privilege-escalation vulnerability.

For the full original article, see the provided link.

Tags: PHP, vulnerability, Web Security, Privilege Escalation, ThinkPHP, ThinkCMF
Written by

php中文网 Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
