CVE-2018-20062 is a remote code execution vulnerability affecting NoneCms V1.3 through its bundled ThinkPHP application code. The issue is present in thinkphp/library/think/App.php and arises from unsafe handling of attacker-controlled input supplied through the filter parameter. By crafting a request that causes user input to be processed through an arbitrary PHP function, a remote attacker can trigger execution of unintended PHP code. Public descriptions demonstrate exploitation by invoking a PHP function through request parameters, indicating that externally supplied data can reach dangerous dynamic execution paths without adequate validation or restriction.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains RedArrow3.2, a GUI-based exploit tool targeting the remote code execution (RCE) vulnerability in ThinkPHP 5.0.23. The main code files are 'RedArrow3.2/RedArrow3.2.py' (the GUI application) and 'RedArrow3.2/GodzillaLikeShell.py' (the module for persistent, encrypted shell access). The tool allows users to execute arbitrary system commands on a vulnerable ThinkPHP 5.0.23 server via a specified URL (which must include the '?s=captcha' parameter to trigger the vulnerability). It supports both single-command execution and an interactive, AES-encrypted shell (Godzilla-like shell), which can be used for persistent access if the attacker can upload or inject the provided PHP payload. The GUI is implemented in Python with Tkinter, and the tool includes features such as command history, result export, and animated interface elements. The exploit is operational and provides real command execution and shell access, but is not part of a larger exploitation framework. The only hardcoded endpoint is an example URL in the README. The requirements.txt lists dependencies for cryptography and HTTP requests.
This repository contains a Python exploit script (CVE-2018-20062.py) targeting the ThinkPHP 5.0.23 remote code execution vulnerability (CVE-2018-20062). The script provides two main capabilities: (1) checking if a target is vulnerable by sending a POST request to the /index.php?s=captcha endpoint with a payload that triggers phpinfo(), and (2) exploiting the vulnerability to execute arbitrary system commands on the target server by sending a similar POST request with the 'system' filter and the desired command. The script supports scanning a single URL or multiple targets from a file. The README provides a brief description and usage context. The exploit is operational, providing real command execution if the target is vulnerable, and is not part of a larger framework. The main fingerprintable endpoint is /index.php?s=captcha, which is used for both detection and exploitation.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific CVE for which exploit code is implemented in native C inside TuxBot, but the exploit engine is dead code and never called at runtime in the analyzed version.
Remote code execution vulnerability in ThinkPHP referenced by template rename to CVE-2018-20062.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.