Earlier this year, we noticed an increase in attacks targeting ThinkPHP, a PHP framework that is very popular in Asia.
If you keep track of your site’s activity, the following log may look familiar:
POST: /index.php?s=captcha HTTP/1.1 Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig
In December 2018, a working exploit was released for versions v5.0.23 and v5.1.31. The ThinkPHP team then released a new version that partially fixed the problem. Here is a snippet of the patch:
$method = strtoupper($_POST[Config::get('var_method')]); - $this->{$this->method}($_POST); + if (in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH'])) { + $this->method = $method; + $this->{$this->method}($_POST); + }
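Review bot: the allow-list check in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH']) has no else branch, so an override value outside the list is silently dropped and the request carries on; consider rejecting or logging it at that point so probing becomes visible. The dispatch $this->{$this->method}($_POST) is also still a variable method call whose target comes from request data; mapping the five verbs to explicit calls would keep the call target out of user control even if the list is edited later. Passing true as the third argument to in_array() would make the comparison strict.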
Remote Code Execution on ThinkPHP
The patch restricts the method parameter to legitimate values, because later in the code the filterValue() function passes the filter parameter directly to the PHP function call_user_func(), which leads to remote code execution (RCE). Unfortunately, after reversing the patch, attackers found that filterValue() can still be reached with an even simpler payload:
data: a=system&b=id&_method=filter (some important data and more payloads were skipped here)
Affected Versions of ThinkPHP
Versions 5.1.x/5.2.x are still affected, and since there is no strict validation of user input, bots have been programmed to use a new variety of payloads to evade WAFs and previous fixes.
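Because the payloads vary, a log or WAF check holds up better when it parses the POST body and applies the same verb allow-list as the patch, rather than matching a fixed string. The following is an added example, not code from ThinkPHP or from the original post; it assumes the override parameter is named _method as in the payloads above, and the sample records are constructed.

```python
from urllib.parse import parse_qsl

# Verbs the patch quoted on this page accepts for the method override.
ALLOWED_VERBS = {"GET", "POST", "DELETE", "PUT", "PATCH"}
OVERRIDE_PARAM = "_method"  # assumption: var_method is "_method", as in the payloads above
FILTER_PARAM = "filter"     # request property the payloads point at a function name


def base_name(key):
    """Reduce PHP array syntax ('filter[]', 'server[X]') to the base parameter name."""
    return key.split("[", 1)[0]


def inspect_body(body):
    """Return findings for one form-encoded POST body (percent-decoded by parse_qsl)."""
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        name = base_name(key)
        # Same comparison as the patch: upper-case the value, then allow-list it.
        if name == OVERRIDE_PARAM and value.upper() not in ALLOWED_VERBS:
            findings.append(f"method override is not an HTTP verb: {value!r}")
        elif name == FILTER_PARAM:
            findings.append(f"request filter set from user input: {value!r}")
    return findings


def scan(records):
    """Return (request_line, findings) for every record that has findings."""
    hits = []
    for request_line, body in records:
        findings = inspect_body(body)
        if findings:
            hits.append((request_line, findings))
    return hits


# Constructed sample records: the two payload shapes quoted on this page,
# a percent-encoded variant of the first, and a benign method override.
SAMPLE = [
    ("POST /index.php?s=captcha HTTP/1.1",
     "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig"),
    ("POST /index.php HTTP/1.1", "a=system&b=id&_method=filter"),
    ("POST /index.php?s=captcha HTTP/1.1", "%5Fmethod=%5F%5Fconstruct&filter%5B%5D=system"),
    ("POST /index.php HTTP/1.1", "_method=put&title=hello"),
]

if __name__ == "__main__":
    for request_line, findings in scan(SAMPLE):
        print(request_line, "->", "; ".join(findings))
```

A form that legitimately has a field named filter will also be flagged, so treat hits as leads to review rather than as confirmed attacks.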
Attackers are exploiting this vulnerability to upload cryptominers. The following is the most recent domain hosting malicious binaries:
hxxp:// fid[.]hognoob[.]se/download[.]exe
Conclusion
As always, we recommend keeping your software up to date and using a WAF as a second layer of protection, since developers sometimes fall short of solving security issues.
Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.