CVE-2018-20062 Scanner
CVE-2018-20062 Scanner - Remote Code Execution (RCE) vulnerability in ThinkPHP
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 20 hours
Scan only one: URL
Toolbox: -
ThinkPHP is a widely used open-source PHP framework primarily utilized in web application development. Developed and maintained by the Chinese PHP community, it simplifies the creation of scalable and maintainable applications. ThinkPHP is adopted by many small and medium-sized enterprises, as well as independent developers, due to its ease of use and strong documentation. It features a model-view-controller (MVC) architecture and supports various modules and components. ThinkPHP is commonly deployed on public-facing servers to power dynamic websites. Because of its wide usage in production environments, any vulnerabilities can have broad security implications.
The vulnerability addressed in this scanner is a critical Remote Code Execution (RCE) flaw affecting ThinkPHP version 5.0.23. It arises from improper handling of query string parameters in the application routing logic. Malicious actors can manipulate certain parameters to inject arbitrary PHP functions. The `filter` parameter is especially dangerous when not properly sanitized. This allows an attacker to execute commands or disclose sensitive server information. The vulnerability does not require authentication and can be exploited remotely, increasing its severity.
This RCE vulnerability is triggered via a GET request that abuses the ThinkPHP routing system. The attacker crafts the request using `s=index/think\app/invokefunction` and includes dangerous parameters such as `function=call_user_func_array`. With this, the attacker can call PHP's `phpinfo()` or other system functions. ThinkPHP’s internal application class `App.php` is exploited here because it handles this input unsafely. The scanner detects responses that indicate PHP function execution, such as a page displaying PHP version details. This is confirmed by checking for the keywords "PHP Extension" and "ThinkPHP" in the response body.
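The request pattern described above can also be spotted on the defender's side in web server access logs. The following is an added example (not part of the scanner or of ThinkPHP) that parses combined-format log lines, URL-decodes the query string and flags requests whose `s` route reaches `think\app/invokefunction`; the log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Indicators from the CVE-2018-20062 description. The route marker omits the
# leading "index/" so route variants that still reach invokefunction match too.
ROUTE_MARKER = "think\\app/invokefunction"
FUNC_MARKER = "call_user_func_array"

def is_thinkphp_rce_attempt(request_path: str) -> bool:
    """True if the request's 's' parameter routes to think\\app/invokefunction."""
    query = urlsplit(request_path).query
    # parse_qs percent-decodes for us, so %5C and a raw backslash compare equal
    params = parse_qs(query, keep_blank_values=True)
    route = " ".join(params.get("s", [])).lower()
    return ROUTE_MARKER in route

def scan_access_log(lines):
    """Return (client_ip, timestamp, path, calls_cufa) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_thinkphp_rce_attempt(m.group("path")):
            continue
        params = parse_qs(urlsplit(m.group("path")).query)
        # Record whether the 'function' parameter is the call_user_func_array
        # form named in the advisory text; other functions are still flagged.
        calls_cufa = FUNC_MARKER in " ".join(params.get("function", [])).lower()
        hits.append((m.group("ip"), m.group("ts"), m.group("path"), calls_cufa))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array HTTP/1.1" 200 48213',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /?s=index/think\\app/invokefunction&function=system HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, ts, path, cufa in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} ThinkPHP invokefunction probe (call_user_func_array={cufa}) {path}")
```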
If successfully exploited, this vulnerability allows attackers to fully compromise the target server. They may gain access to sensitive configuration data, execute arbitrary server-side commands, or upload malicious scripts. In the worst-case scenario, the attacker could establish persistent backdoors or pivot to other parts of the network. Organizations running affected ThinkPHP versions risk complete system takeover. This type of exploit often leads to data breaches and regulatory violations. Rapid remediation is necessary to prevent exploitation in the wild.