ThinkPHP 5.0.1 - Remote Code Execution

By kannthu

Vidoc Module

What is "ThinkPHP 5.0.1 - Remote Code Execution"?

The "ThinkPHP 5.0.1 - Remote Code Execution" module is designed to detect a critical vulnerability in the ThinkPHP 5.0.1 framework. ThinkPHP is a popular PHP framework used for developing web applications. This module specifically targets the remote code execution (RCE) vulnerability in ThinkPHP 5.0.1.

The severity of this vulnerability is classified as critical, indicating its potential to cause significant harm if exploited. It allows remote attackers to execute arbitrary code by exploiting the 's' parameter.

This module was authored by lark-lab.


If successfully exploited, this vulnerability can lead to unauthorized execution of arbitrary code on the target system. This can result in a complete compromise of the affected application, allowing attackers to gain control over the system, access sensitive data, or perform other malicious activities.

How does the module work?

The "ThinkPHP 5.0.1 - Remote Code Execution" module works by sending a specific HTTP request to the target system. It utilizes a POST request to the "/?s=index/index/index" path with the "Content-Type" header set to "application/x-www-form-urlencoded".

The module includes two matching conditions:

    - Matcher 1: It checks the body of the response for the presence of the word "phpkniht". If this word is found, it indicates a potential vulnerability.
    - Matcher 2: It verifies that the response status is 200, indicating a successful request.

If both matching conditions are met, the module reports the vulnerability.

For example, the module may send the following HTTP request:

POST /?s=index/index/index HTTP/1.1
Content-Type: application/x-www-form-urlencoded

[request body]

It is important to note that the actual JSON definitions of the module are not shown here for simplicity.

For more information about this vulnerability, you can refer to the Exploit Database.
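
The request described above leaves a recognisable entry in a web server access log. The following Python triage script is an added example, not part of the Vidoc module or of this page's original content: it flags POST requests whose 's' parameter is index/index/index. The combined log format, the sample log lines and the names SAMPLE_LOG, PROBE_ROUTE and find_probes are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:14:02 +0000] "POST /?s=index/index/index HTTP/1.1" 200 512 "-" "scanner/1.0"
198.51.100.4 - - [10/Mar/2024:09:14:05 +0000] "GET /?s=index/index/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:14:09 +0000] "POST /?s=index%2Findex%2Findex HTTP/1.1" 404 162 "-" "scanner/1.0"
192.0.2.10 - - [10/Mar/2024:09:15:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

PROBE_ROUTE = "index/index/index"  # value of the 's' parameter in the module's request


def find_probes(log_text):
    """Return one dict per POST request whose 's' parameter is the probed route."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # parse_qs percent-decodes values, so encoded slashes are matched as well.
        query = parse_qs(urlsplit(m["target"]).query)
        if PROBE_ROUTE not in query.get("s", []):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "target": m["target"], "status": status,
            # 200 is only the status half of the module's match; the body word is not logged.
            "priority": "review" if status == 200 else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Access logs record neither the POST body nor the response body, so a hit shows that the probed request was received, not that the matcher word was returned.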

Module preview

Concurrent Requests (1)
1. HTTP Request template

Content-Type: application/x-www-fo...

Matching conditions
word: phpkniht
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability