ThinkPHP <5.0.24 Request.php 远程代码执行漏洞

日期:2019-02-27 浏览:550次

打开\thinkphp\library\think\Request.php

源代码


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<span class="hljs-keyword">public</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">method</span><span class="hljs-params">($method = false)</span>
    </span>{
        <span class="hljs-keyword">if</span> (<span class="hljs-keyword">true</span> === $method) {
            <span class="hljs-comment">// 获取原始请求类型</span>
            <span class="hljs-keyword">return</span> <span class="hljs-keyword">$this</span>-&gt;server(<span class="hljs-string">'REQUEST_METHOD'</span>) ?: <span class="hljs-string">'GET'</span>;
        } <span class="hljs-keyword">elseif</span> (!<span class="hljs-keyword">$this</span>-&gt;method) {
            <span class="hljs-keyword">if</span> (<span class="hljs-keyword">isset</span>($_POST[Config::get(<span class="hljs-string">'var_method'</span>)])) {
                <span class="hljs-keyword">$this</span>-&gt;method = strtoupper($_POST[Config::get(<span class="hljs-string">'var_method'</span>)]);
                <span class="hljs-keyword">$this</span>-&gt;{<span class="hljs-keyword">$this</span>-&gt;method}($_POST);
            } <span class="hljs-keyword">elseif</span> (<span class="hljs-keyword">isset</span>($_SERVER[<span class="hljs-string">'HTTP_X_HTTP_METHOD_OVERRIDE'</span>])) {
                <span class="hljs-keyword">$this</span>-&gt;method = strtoupper($_SERVER[<span class="hljs-string">'HTTP_X_HTTP_METHOD_OVERRIDE'</span>]);
            } <span class="hljs-keyword">else</span> {
                <span class="hljs-keyword">$this</span>-&gt;method = <span class="hljs-keyword">$this</span>-&gt;server(<span class="hljs-string">'REQUEST_METHOD'</span>) ?: <span class="hljs-string">'GET'</span>;
            }
        }
        <span class="hljs-keyword">return</span> <span class="hljs-keyword">$this</span>-&gt;method;
    }
覆盖为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<span class="hljs-keyword">public</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">method</span><span class="hljs-params">($method = false)</span>
    </span>{
        <span class="hljs-keyword">if</span> (<span class="hljs-keyword">true</span> === $method) {
            <span class="hljs-comment" data-spm-anchor-id="a2c4e.11153940.blogcont686397.i2.46db10bf71pupu">// 获取原始请求类型</span>
            <span class="hljs-keyword">return</span> <span class="hljs-keyword">$this</span>-&gt;server(<span class="hljs-string">'REQUEST_METHOD'</span>) ?: <span class="hljs-string">'GET'</span>;
        } <span class="hljs-keyword">elseif</span> (!<span class="hljs-keyword">$this</span>-&gt;method) {
            <span class="hljs-keyword">if</span> (<span class="hljs-keyword">isset</span>($_POST[Config::get(<span class="hljs-string">'var_method'</span>)])) {
                $method = strtoupper($_POST[Config::get(<span class="hljs-string">'var_method'</span>)]);
                <span class="hljs-keyword">if</span> (in_array($method, [<span class="hljs-string">'GET'</span>, <span class="hljs-string">'POST'</span>, <span class="hljs-string">'DELETE'</span>, <span class="hljs-string">'PUT'</span>, <span class="hljs-string">'PATCH'</span>])) {
                    <span class="hljs-keyword">$this</span>-&gt;method = $method;
                    <span class="hljs-keyword">$this</span>-&gt;{<span class="hljs-keyword">$this</span>-&gt;method}($_POST);
                } <span class="hljs-keyword">else</span> {
                    <span class="hljs-keyword">$this</span>-&gt;method = <span class="hljs-string">'POST'</span>;
                }
                <span class="hljs-keyword">unset</span>($_POST[Config::get(<span class="hljs-string">'var_method'</span>)]);
            } <span class="hljs-keyword">elseif</span> (<span class="hljs-keyword">isset</span>($_SERVER[<span class="hljs-string">'HTTP_X_HTTP_METHOD_OVERRIDE'</span>])) {
                <span class="hljs-keyword">$this</span>-&gt;method = strtoupper($_SERVER[<span class="hljs-string">'HTTP_X_HTTP_METHOD_OVERRIDE'</span>]);
            } <span class="hljs-keyword">else</span> {
                <span class="hljs-keyword">$this</span>-&gt;method = <span class="hljs-keyword">$this</span>-&gt;server(<span class="hljs-string">'REQUEST_METHOD'</span>) ?: <span class="hljs-string">'GET'</span>;
            }
        }
        <span class="hljs-keyword">return</span> <span class="hljs-keyword">$this</span>-&gt;method;
    }

1
 

没有评论

发表评论