[Alert] Remote Code Execution Vulnerability in Multiple ThinkPHP 5 Versions

  • Source:SANGFOR Security Center
  • Date Published:2018-12-22


On December 9th, 2018, ThinkPHP released the latest security update that addressing a vulnerability of remote code execution.The vulnerability was caused by the framework's insufficient checks on controller names in case forced routing is not enabled. Eventually, GetShell vulnerability in the server may be exploited by hackers, affecting ThinkPHP 5.0, ThinkPHP 5.1 versions. Although it is not hard to exploit the vulnerability, the impact could be destructive.

Definition From Encyclopedia

ThinkPHP is a fast, compatible and simple OOP MVC PHP Framework developed in China. It was found in early 2016, first called FCS, then formally changed its name as ThinkPHP on January 1st, 2007. It follows the Apache 2.0 open source license, utilizes Struts framework and made some improvement, learning from other frameworks and models around the world. ThinkPHP uses object-oriented framework and MVC pattern, integrating core of Struts, TagLib tag library, ORM mapping of RoR and ActiveRecord pattern. ThinkPHP supports environment like windows, Unix and Linux while their official versions could only be supported by PHP 5.0 or later versions. The PHP also support MySql, PgSQL and Sqlite databases, as well as PDO extension. ThinkPHP has no particular requirement on module. The requirement for running environment of application system is dependent on modules involved in development.

According to the statistics from the Internet, among the 330,000+ websites using ThinkPHP, the majority are domestic websites, accounting for approximately 75%. To be more specific, Zhejiang, Beijing and Guangdong take up the highest proportion. The statistical graph below shows the top 10 provinces of usage.


Figure 1  Distribution of ThinkPHP

ThinkPHP is widely-used and is particularly welcomed in government, education and business fields. Due to such extensive application, attackers can use this vulnerability to execute any code on the user’s server, and ultimately GetShell. Therefore, this vulnerability is a major concern of great implication.

Vulnerability Analysis

The security update of ThinkPHP 5.0 increases restrictions on the controller name in library/think/APP.php and that of ThinkPHP 5.1 on the controller name in library/think/route/dispatch/Module.php. Hence, the root cause of this remote code execution vulnerability is that the framework’s insufficient checks on controller names results in the execution of malicious external parameter in case forced routing is not enabled.

图片2.png Figure 2 ThinkPHP 5.0 Patch

图片3.png Figure 3 ThinkPHP 5.1 Patch

First, in library/think/APP.php, the function exec() load class:

图片4.png And then when it loads controllers, it does not filter controller names, which allows attackers to recall any class by introducing symbol \.

图片5.png Vulnerability Reproduction

1. We downloaded ThinkPHP-5.0.20 from the official website to reproduce this vulnerability, and the following page displays:


2. In source code, access the constructed Payload to execute arbitrary code  

siteserver/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls -l

3. The above Payload is used for executing system command to show the file in the directory, and the following page displays. The vulnerability is reproduced successfully:

图片7.pngAffected Versions

Earlier than ThinkPHP v5.0.23

Earlier than ThinkPHP v5.1.31




Remediation Solution

ThinkPHP has released patch for ThinkPHP 5.0 to fix the vulnerability. Download link:


ThinkPHP has released patch for ThinkPHP 5.1 to fix the vulnerability. Download link:https://github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815

Sangfor Solution

Sangfor Security Cloud has updated in the first place and gained the ability to probe websites for this vulnerability and ensure user security.

For Sangfor NGAF customers, simply turn on the corresponding security protection feature.