ThinkPHP Remote Code Execution Vulnerability

Recently, ThinkPHP released an advisory for a high-risk remote code execution (RCE) vulnerability. The vulnerability exists because the ThinkPHP framework improperly checks controller names, which can lead to getshell attacks even when forced routing is not enabled. A proof of concept (PoC) exploiting this vulnerability was published soon after the advisory. The proof-of-concept code abuses ThinkPHP's invokeFunction method to execute attacker-supplied code on the underlying server.

Affected Versions:

ThinkPHP v5.0 versions earlier than 5.0.23
ThinkPHP v5.1 versions earlier than 5.1.31

Vulnerability Exploitation:

The following curl command can be used to determine whether a target instance is vulnerable to this RCE vulnerability:

curl -v -g http://IP-Address/public/?s=index\/\\think\\app/invokefunction\&function=call_user_func_array\&vars[0]=sysars[1][]=id

(Screenshot: output of the ‘id’ command returned by a vulnerable instance.)

Threat actors are actively exploiting this vulnerability to gain control of web servers or to download and run malicious binaries on targeted systems.

Exploitation method 1:
Download a malicious binary from the attacker’s server and execute it.


Exploitation method 2:
This method directly runs PowerShell code on the target.


Exploitation method 3:
This method exploits the vulnerability to upload a webshell named hydra.php and executes PowerShell code to launch further attacks.



This vulnerability has been patched in ThinkPHP versions 5.0.23 and 5.1.31. Users are strongly advised to upgrade to a patched version of ThinkPHP. Customers are advised to scan their network for QID#13378 to find vulnerable instances of ThinkPHP.
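As an added example that is not part of the original post or of ThinkPHP itself, the Python script below does two defender-side checks that follow from the sections above: it scans web-server access logs for requests that carry the PoC's indicators (an s= route pointing at \think\app/invokefunction together with function=call_user_func_array), and it tells whether a ThinkPHP version string falls in the affected ranges listed earlier (5.0 earlier than 5.0.23, 5.1 earlier than 5.1.31). The log format assumed is the common combined format; the sample lines, IP addresses and timestamps are constructed for the example. The route and callback patterns are only those named on this page, so a real deployment should extend them with whatever variants its own scanner or IDS vendor documents.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). Addresses, timestamps
# and paths are made up for this example; two lines mimic the public PoC shape.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2018:10:12:01 +0000] "GET /public/?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.7 - - [10/Dec/2018:10:12:05 +0000] "GET /index.php?s=/index/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2018:10:13:44 +0000] "POST /index.php?s=captcha HTTP/1.1" 200 13 "-" "python-requests/2.19"
192.0.2.9 - - [10/Dec/2018:10:14:02 +0000] "GET /?s=index/\\think\\App/InvokeFunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=id HTTP/1.1" 200 40 "-" "-"
"""

# Combined-format log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the PoC described on this page: the controller route
# into \think\app/invokefunction and the call_user_func_array callback.
# Both are matched case-insensitively because PHP resolves them that way.
ROUTE_RE = re.compile(r'\\think\\app/invokefunction', re.IGNORECASE)
CALLBACK_RE = re.compile(r'(?:^|[?&])function=(call_user_func_array)', re.IGNORECASE)


def normalize(path: str) -> str:
    """URL-decode the request path, repeating up to three times so that an
    encoded or double-encoded payload is compared in its decoded form."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path: str) -> Optional[dict]:
    """Return a finding for a request path that targets invokefunction,
    else None. The finding records which callback (if any) was requested."""
    decoded = normalize(path)
    if not ROUTE_RE.search(decoded):
        return None
    callback = CALLBACK_RE.search(decoded)
    return {
        "route": "invokefunction",
        "callback": callback.group(1).lower() if callback else None,
    }


def scan_access_log(text: str) -> list:
    """Parse combined-format log text and return one finding per request
    that matches the invokefunction route, with source IP, time and status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed log entries
        verdict = classify_request(m.group("path"))
        if verdict:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                **verdict,
            })
    return hits


def is_affected(version: str) -> bool:
    """True when a ThinkPHP version string is inside the affected ranges
    stated in the advisory: 5.0.x before 5.0.23, or 5.1.x before 5.1.31.
    Other branches are reported as not affected by this advisory."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if parts[:2] == (5, 0):
        return parts < (5, 0, 23)
    if parts[:2] == (5, 1):
        return parts < (5, 1, 31)
    return False


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    for v in ("5.0.22", "5.0.23", "5.1.30", "5.1.31", "5.2.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

A status code of 200 on a flagged request is the case to triage first, since it means the framework served the route rather than rejecting it; a 404 or 500 on the same request is still worth recording as reconnaissance against the host. Feed real logs to scan_access_log by reading the file into a string, and run is_affected against the version reported by the installed framework rather than trusting a package name.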
