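Xihu Lunjian (West Lake Lunjian)
Recently I happened to be digging into CMSs, and I suddenly remembered a challenge from last year. Because of final exams I never found the time to reproduce it, and it has been sitting in phpstudy ever since. Today I made time to finish it off.
Let's go straight to the challenge.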

We want to control $mapthname; to do that we need to use displayfile.
Then we follow this trail.
We can create $xhrock here.

So, let's find display.
I found a vulnerability in getshtmlAction().
Then the question is: how can we call this function?
We can create the class indexClassAction in the way shown in the last picture.

I found that after the class is created, we can call the function in the class.

So our payload is:
http://xinhu:88/?m=index&a=getshtml&surl=Li4vaW5mbw==
Then we can include any file that ends in .php (an extra php is typed below).
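
A log-review check for the request shape above, as an added example (not code from the original post or from the application). It assumes the server base64-decodes surl before using it in the include path, as the payload suggests; the function names and all sample requests except the first are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request URIs (only the first shape appears in the post).
SAMPLE_REQUESTS = [
    "/?m=index&a=getshtml&surl=Li4vaW5mbw==",      # decodes to ../info
    "/?m=index&a=getshtml&surl=aG9tZS9pbmRleA==",  # decodes to home/index
    "/?m=index&a=getshtml&surl=%%%not-base64",
    "/?m=login&a=check&user=admin",
]

def decode_surl(value):
    """Return the decoded surl text, or None if it is not valid base64."""
    value = value.replace(" ", "+")        # parse_qs turns '+' into ' '
    value += "=" * (-len(value) % 4)       # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:                     # covers binascii.Error and bad UTF-8
        return None

def escapes_template_dir(path):
    """True if the decoded path could leave the intended template directory."""
    p = path.replace("\\", "/")
    if "\x00" in p or "://" in p or p.startswith("/"):
        return True
    if re.match(r"^[A-Za-z]:", p):         # Windows drive prefix
        return True
    return ".." in p.split("/")

def classify(request_uri):
    """Return (verdict, decoded_surl) for one request URI."""
    query = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    if query.get("a", [""])[0] != "getshtml" or "surl" not in query:
        return ("ignore", None)
    decoded = decode_surl(query["surl"][0])
    if decoded is None:
        return ("malformed", None)
    return ("traversal" if escapes_template_dir(decoded) else "ok", decoded)

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(classify(uri), uri)
```

Because the parameter is base64-encoded, a plain-text search of access logs for `../` misses these requests; the value has to be decoded before it is inspected.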

then we use