While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it led me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink.

The developers fixed the vulnerability, stating that because "the framework does not detect the controller name enough, it may lead to possible 'getshell' vulnerabilities without the forced routing enabled." It appears that the code does not properly sanitize user input, allowing an unauthenticated user to specify their own filter function to execute. The vulnerability has been assigned CVE-2018-20062.

There are multiple actors abusing this flaw to install everything from a Mirai-like botnet to Microsoft Windows malware.

Currently we're seeing widespread scanning for the ThinkPHP vulnerability.…