Alibaba Cloud Discovers the Latest ThinkPHP v5 Vulnerability

The exploitation of software vulnerabilities is one of the initial steps of a cyber-attack. In engineering schools, they teach you that fixing a defect in the implementation stage is 6.5 times higher than fixing it in the design stage1. Applying this principle to ‘cybersecurity school’, we can say that blocking an attack at the vulnerability stage is a dozen times cheaper than stopping it after a device is compromised by an exploit.

In this blog post we present an analysis of a recently detected vulnerability in the ThinkPHP framework, which exposed 10% of all websites using it to remote takeover. The post provides a detailed explanation of an actual code used by an attacker in an attempt to exploit this vulnerability, as well as precise recommendations of how to protect against it (hint: apply the official fix! otherwise, get help from Alibaba Cloud’s Threat Detection Service).

Yohai Einav

Principal Security Researcher, SIL


Vulnerability Analysis

Versions Affected by the Vulnerability

How the Vulnerability Works

Vulnerability Reproduction

Real-Life Case of a Vulnerability Attack

1. Exploit the vulnerability, remotely run download commands.

2. Download webshell remotely by using the file_get_contents and file_put_contents functions.

3. Put a one-liner webshell by using the file_put_contents function.

Vulnerability’s Impact and Attack Trends

Security Recommendations




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store