CVE-2019-9082
In short
ThinkPHP before 3.2.4 lets an unauthenticated attacker run arbitrary operating-system commands on the server with a single crafted URL. The framework does not restrict which functions its invokefunction entry point may call, so a request can be routed to call_user_func_array and made to invoke system with a command of the attacker's choosing.
Technical detail
Remote command execution via missing function-invocation restriction in ThinkPHP's public interface. The attacker sets the s route parameter to index/\think\app/invokefunction, passes function=call_user_func_array, names a PHP command-execution function in vars[0] (system in the public PoC) and supplies the command in vars[1][]; the framework then executes it as part of normal request dispatch. No authentication is required, and successful exploitation yields code execution with the privileges of the web application (normally the web server user).
Summary generated and translated by AI from the official description.
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
CVSS 3.1 base score 8.8 (High): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
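The payload in the official description has a fixed shape that is easy to spot in web server access logs. The following detector is an added example, not code from this advisory or from the ThinkPHP project: it parses combined-format access log lines (the sample lines are constructed, not real traffic), decodes the request target, and flags requests whose s= route reaches \think\app/invokefunction with function=call_user_func_array and a command-execution function in vars[0]. The PoC on this page uses system; the wider set of PHP exec functions and the "probe" verdict for invokefunction requests with any other function are assumptions added here.

```python
"""Detect CVE-2019-9082-style ThinkPHP invokefunction RCE attempts in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Route the advisory's payload dispatches to: s=index/\think\app/invokefunction.
# The leading backslash is optional and ThinkPHP routing is case-insensitive.
ROUTE_RE = re.compile(r"\\?think\\app/invokefunction", re.IGNORECASE)

# The advisory's PoC passes `system` as vars[0]; the other PHP callables are an
# added assumption covering the same class of OS command execution.
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_request(target: str):
    """Return a finding dict for a ThinkPHP invokefunction request, else None.

    `target` is the request-target as logged (path plus query). Percent-encoded
    payloads (%5Cthink%5Capp, vars%5B0%5D) are decoded by parse_qs.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    route = params.get("s", [""])[0]
    if not ROUTE_RE.search(route):
        return None
    function = params.get("function", [""])[0].lower()
    callee = params.get("vars[0]", [""])[0].lower()
    # Arguments for the callee arrive as vars[1][] (or vars[1][0], vars[1][1], ...).
    args = [v for k, vals in params.items() if k.startswith("vars[1]") for v in vals]
    rce = function == "call_user_func_array" and callee in EXEC_FUNCS
    return {
        "route": route,
        "function": function,
        "callable": callee,
        "args": args,
        # "rce": the exact shape of the advisory payload; "probe": any other
        # request that reaches invokefunction, which no legitimate client does.
        "verdict": "rce" if rce else "probe",
    }


def scan_log(text: str):
    """Run analyze_request over every parseable log line; return findings in order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["target"])
        if finding:
            finding.update(line=lineno, ip=m["ip"], status=m["status"])
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic): two payloads in the advisory's
# shape (raw and percent-encoded), one benign request, one decoy that carries
# function=call_user_func_array without the invokefunction route, one probe.
SAMPLE_LOG = "\n".join([
    r'203.0.113.5 - - [10/Apr/2020:12:00:01 +0000] "GET /public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [10/Apr/2020:12:00:02 +0000] "GET /public/index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=id HTTP/1.1" 200 498 "-" "python-requests/2.23"',
    r'192.0.2.9 - - [10/Apr/2020:12:00:03 +0000] "GET /public/index.php?s=index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    r'192.0.2.9 - - [10/Apr/2020:12:00:04 +0000] "POST /public/index.php?s=index/user/profile&function=call_user_func_array HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [10/Apr/2020:12:00:05 +0000] "GET /public/?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=1 HTTP/1.1" 200 73210 "-" "python-requests/2.23"',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['verdict']}: {f['callable']}({', '.join(f['args'])})")
```

The detector keys on the route rather than on call_user_func_array alone, since that function name can appear in unrelated parameters; a hit with verdict "rce" reproduces the advisory's payload shape exactly, while "probe" catches attackers testing the invokefunction path with something harmless such as phpinfo before they escalate.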
Affected products
Vendor: n/a · Product: n/a
Public PoCs found: 4
- packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html (CVE reference, unverified)
- www.exploit-db.com/exploits/46488/ (CVE reference, unverified)
- www.exploit-db.com/exploits/48333 (Exploit-DB, unverified)
- www.exploit-db.com/exploits/46488 (Exploit-DB, unverified)
⚠ Public resources, listed to help assess the exposure of systems you control or are authorized to test. Test only with authorization.