ThinkPHP 5.1 Arbitrary Code Execution Vulnerability via Route Check Function

Vulnerability

A vulnerability in ThinkPHP version 5.1 allows remote attackers to execute arbitrary code by exploiting the route check function. The issue affects ThinkPHP 5.1.0 through 5.1.* running on Windows systems; it cannot be exploited on Linux.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

To reproduce this vulnerability, send a request to 'index.php?s=..\..\..\..\thinkphp5.1/xinyi/xinyi' after creating a file named '1.php' in a directory accessible to the web server. This file should contain a PHP payload, such as a call to 'phpinfo()'. Alternatively, use the PHP PEAR command execution proof of concept by sending a request to 'index.php?s=..\..\..\Extensions\php\php7.3.4nts\pear\&+config-create+/<?=phpinfo();?>+1.php'.
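For detection, the requests described above share one trait: the decoded value of the 's' route parameter contains parent-directory hops. The following is an added example, not part of the original advisory or of ThinkPHP; it scans access-log lines for that trait. The log lines are constructed samples, the function names are hypothetical, and flagging forward-slash hops as well as backslash hops is a generalization beyond the Windows case on this page.

```python
import re
from urllib.parse import unquote

# Parent-directory hop with either separator, matched on the decoded route value.
TRAVERSAL = re.compile(r"\.\.[\\/]")
# Request target from a common/combined-format access-log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decoded_route(target, max_rounds=3):
    """Return the `s` query parameter, percent-decoded until stable, or None."""
    query = target.partition("?")[2]
    for part in query.split("&"):
        name, sep, value = part.partition("=")
        if name == "s" and sep:
            for _ in range(max_rounds):  # handles double encoding (%255C)
                decoded = unquote(value)
                if decoded == value:
                    break
                value = decoded
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_route) for each request with traversal in `s`."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        route = decoded_route(match.group(1))
        if route and TRAVERSAL.search(route):
            hits.append((number, route))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up routes).
SAMPLE_LOG = [
    r'203.0.113.7 - - [05/Aug/2025:15:21:00 +0000] "GET /index.php?s=index/index/hello HTTP/1.1" 200 512',
    r'203.0.113.7 - - [05/Aug/2025:15:21:04 +0000] "GET /index.php?s=..%5C..%5C..%5Capp/demo/demo HTTP/1.1" 200 81',
    r'203.0.113.7 - - [05/Aug/2025:15:21:09 +0000] "GET /index.php?s=..%255C..%255Capp/demo HTTP/1.1" 404 0',
    r'203.0.113.7 - - [05/Aug/2025:15:21:12 +0000] "GET /index.php?s=..\..\app/demo HTTP/1.1" 200 10',
    r'198.51.100.2 - - [05/Aug/2025:15:22:00 +0000] "GET /static/app.js?v=1..2 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, route in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious route {route!r}")
```

The same decode-then-match check can be applied as a request filter in front of the application, rejecting any 's' value that matches before it reaches the router.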

Added: Aug 5, 2025, 3:21 PM
Updated: Aug 5, 2025, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.