
CVE-2020-17952: Code injection in topthink/think

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.83803%
Published: 8/9/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: topthink/think
Ecosystem: composer
Vulnerable Versions: <= 6.0.9
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The PoC demonstrates exploitation through the 's=index/\think\app/invokefunction' parameter chain. The routeCheck method resolves the route from the user-controlled path supplied in the 's' parameter, so a request can reach the invokefunction method of the framework's App class. invokefunction then passes the unvalidated 'function' and 'vars' request parameters straight to call_user_func_array, which calls the attacker-chosen function with attacker-chosen arguments. Both methods are critical to the attack flow: routeCheck permits the malicious routing, and invokefunction performs the unsafe call.
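As an added detection example (not part of the Miggo page or of ThinkPHP itself), the following Python scans web-server access-log lines for the route pattern described above, the 's' parameter resolving to '\think\app/invokefunction', and reports the accompanying 'function' and 'vars' parameters. The log lines are constructed samples; the second one is percent-encoded, and the extra unquote_plus pass is an assumption made to also catch double-encoded variants.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2021:10:00:01 +0000] "GET /index.php?s=index/\\think\\app/invokefunction&function=sample_fn&vars[0]=x HTTP/1.1" 200 512
203.0.113.6 - - [09/Aug/2021:10:00:02 +0000] "GET /index.php?s=index%2F%5Cthink%5CApp%2FinvokeFunction&function=f&vars%5B0%5D=y HTTP/1.1" 200 512
198.51.100.7 - - [09/Aug/2021:10:00:03 +0000] "GET /index.php?s=index/user/profile&id=42 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# The namespaced controller reference plus method name that the root cause analysis names.
# ThinkPHP resolves this case-insensitively, so the match is case-insensitive too.
ROUTE_RE = re.compile(r'\\think\\app/invokefunction', re.IGNORECASE)


def analyse_request(target):
    """Return a finding dict for one request target, or None if the 's' route looks benign."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # first decoding pass
    for route in qs.get('s', []):
        route = unquote_plus(route)  # second pass: assumption, to catch double encoding
        if ROUTE_RE.search(route):
            return {
                'route': route,
                'function': qs.get('function', [None])[0],
                # 'vars' may arrive as vars=, vars[]= or vars[0]=
                'has_vars': any(k == 'vars' or k.startswith('vars[') for k in qs),
            }
    return None


def scan_log(text):
    """Parse each log line and collect findings with source IP and timestamp attached."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than fail the whole scan
        hit = analyse_request(m.group('target'))
        if hit:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'), **hit})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```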


WAF Protection Rules

WAF Rule

A remote code execution (RCE) vulnerability in /library/think/App.php of Twothink v*.* allows attackers to execute arbitrary PHP code.
