ThinkPHP is an open source PHP development framework for agile web application development. The framework is widely adopted worldwide; a quick Shodan search shows more than 40,000 active deployments.

Recently, an unauthenticated remote code execution vulnerability was discovered in ThinkPHP. It was quickly picked up by a large number of threat actors, who started scanning for vulnerable instances.

The root cause of the vulnerability is the way ThinkPHP parses the requested controller and executes the requested function. The patch the maintainers committed to the GitHub repository shows that a regular expression validating the supplied controller name was added.

Figure 1: Vulnerability patched by adding a regular expression that validates the supplied controller name

This check is needed because ThinkPHP receives the module, controller and function to execute in a single query parameter and splits it using the ‘/’ character as a delimiter.

Figure 2: ThinkPHP splits the received string in order to get the module and controller names

Once ThinkPHP has parsed the controller name and function, it first creates an instance of the supplied controller by using reflection and then executes the requested function.

Figure 3: ThinkPHP creates an instance of the requested controller and executes the requested function


Both publicly disclosed vectors leading to arbitrary command execution work by loading a legitimate ThinkPHP class as the controller. The two payloads are:

http://thinkphp/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l

http://thinkphp/public/index.php?s=/index/\think\request/cache&key=ls%20-l|system

The first attack vector attempts to execute the “invokeFunction” method of the ThinkPHP App class, which allows specifying an arbitrary function to execute together with the arguments to pass to it.

Figure 4: invokeFunction method of ThinkPHP App class


The second attack vector targets the cache method of the ThinkPHP Request class, which splits the supplied key into a function name and a parameter using the ‘|’ character as a delimiter, and then calls that function with the parameter.

Figure 5: cache method of ThinkPHP Request class

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by a dedicated attack signature, recently released for this purpose, which is included in signature sets that cover the “Server Side Code Injection” attack type or the “PHP” system.

Figure 6: Exploitation attempt blocked by signature id 200004481
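The following Python block is an added example, not code from the original post or from the ThinkPHP project or F5. It serves two passages: the routing discussion above (splitting the `s` parameter on ‘/’ and the controller-name check the patch introduced) and the mitigation discussion here (spotting the same condition in web server logs, as a WAF signature would at the edge). The allowlist pattern `^[A-Za-z](\w|\.)*$` is an assumption about the shape of the patch's regular expression, not text quoted from the page; the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Allowlist for a controller name: a leading letter followed by word characters
# or dots. This mirrors the kind of check the patch introduced; the exact pattern
# in ThinkPHP's commit is assumed here, not quoted from the page.
CONTROLLER_RE = re.compile(r"^[A-Za-z](\w|\.)*$")


def split_route(s: str) -> Tuple[str, str, str]:
    """Mimic the pre-patch routing: the 's' query parameter is split on '/'
    into module, controller and action, with no validation of any part."""
    parts = [p for p in s.strip("/").split("/") if p]
    module, controller, action = (parts + ["", "", ""])[:3]
    return module, controller, action


def resolve_controller_unpatched(s: str) -> str:
    """Pre-patch behaviour: whatever lands in the controller slot is handed to
    reflection as a class name, so a namespaced name such as '\\think\\app'
    is instantiated as-is."""
    return split_route(s)[1]


def resolve_controller_patched(s: str) -> Optional[str]:
    """Patched behaviour: a controller name that fails the allowlist is refused
    (ThinkPHP answers with a 404 'controller not exists' at this point)."""
    controller = split_route(s)[1]
    return controller if CONTROLLER_RE.match(controller) else None


# Combined Log Format request lines; constructed for this example, not from the page.
SAMPLE_LOG = r"""
203.0.113.10 - - [10/Dec/2018:10:01:22 +0000] "GET /public/index.php?s=/index/user/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2018:10:01:23 +0000] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Dec/2018:10:01:24 +0000] "GET /public/index.php?s=/index/%5Cthink%5Crequest/cache&key=ls%20-l|system HTTP/1.1" 200 345 "-" "curl/7.61.0"
203.0.113.13 - - [10/Dec/2018:10:01:25 +0000] "GET /public/index.php?s=/index/index/hello HTTP/1.1" 200 128 "-" "Mozilla/5.0"
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def route_from_target(target: str) -> Optional[str]:
    """Extract the percent-decoded 's' routing parameter from a request target."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get("s")
    return values[0] if values else None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose routing parameter would have failed the patched check.
    A backslash anywhere in the route is treated as a hit as well, since the PHP
    namespace separator has no place in a module/controller/action path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = route_from_target(m.group("target"))
        if route is None:
            continue
        controller = split_route(route)[1]
        if "\\" in route or (controller and not CONTROLLER_RE.match(controller)):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "controller": controller, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} controller={hit['controller']!r} status={hit['status']}")
```

Run over the constructed log, the scan flags the two lines whose controller segment is a backslash-qualified class name (one sent raw, one percent-encoded as `%5C`, which `parse_qs` decodes) and leaves the ordinary `user` and `index` controllers alone. Checking the decoded controller segment rather than a literal string match is what keeps the detection aligned with the patched framework's own rule instead of with one specific payload.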

Advanced WAF customers with Threat Intelligence subscription are protected with the following Threat Campaigns:

- ThinkPHP Remote Code Execution - HelloThinkPHP

- ThinkPHP Remote Code Execution - curl zz