Looking at the code in \install\install.php
```
<?php
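// Excerpt: the installer logic that precedes this call is not shown.
// After installing, the script only renames itself; it is not deleted.
rename("install.php","install.php.bak");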
?>
```
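Its job is to install the CMS and then rename install.php to install.php.bak. Because of the Apache parsing issue, that file is still parsed as PHP, which then allows a brute-force getshell.
The database connection file is written to \include\config.inc.php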
```
<?php
$cfg_db_host = "localhost";
$cfg_db_user = "root";
$cfg_db_pass = "";
$cfg_db_name= "yiqicms";
$cfg_db_prefix = "yiqicms";
?>
```
Because the values are wrapped in double quotes, this leads directly to a shell, with no restrictions.
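
A hardened installer finish step covering both issues above (the renamed installer that still executes, and form values placed inside double-quoted PHP strings), as an added example that is not YiqiCMS code. The function names `render_db_config()` and `finish_install()` and the directory layout under `$root` are assumptions; the `$cfg_db_*` variable names are taken from the config file shown above.

```php
<?php
// Added example, not YiqiCMS code. render_db_config() and finish_install() are hypothetical names.

/**
 * Build the contents of config.inc.php from installer form values.
 * var_export() emits each value as a single-quoted PHP literal with ' and \
 * escaped, so a value can never terminate the string or be interpolated.
 */
function render_db_config(array $in): string
{
    $keys = ['host', 'user', 'pass', 'name', 'prefix'];
    $out = "<?php\n";
    foreach ($keys as $k) {
        $v = $in[$k] ?? '';
        if (!is_string($v) || strpos($v, "\0") !== false) {
            throw new InvalidArgumentException("invalid value for $k");
        }
        // Identifiers that end up inside SQL get a strict allow-list as well.
        if (($k === 'name' || $k === 'prefix') && !preg_match('/^[A-Za-z0-9_]{1,32}$/', $v)) {
            throw new InvalidArgumentException("invalid characters in $k");
        }
        $out .= '$cfg_db_' . $k . ' = ' . var_export($v, true) . ";\n";
    }
    return $out;
}

/** Write the config atomically, then delete the installer instead of renaming it. */
function finish_install(string $root, array $in): void
{
    $target = $root . '/include/config.inc.php';
    $tmp = $target . '.tmp';
    if (file_put_contents($tmp, render_db_config($in), LOCK_EX) === false
        || !rename($tmp, $target)) {
        throw new RuntimeException('could not write config');
    }
    $installer = $root . '/install/install.php';
    if (is_file($installer) && !unlink($installer)) {
        throw new RuntimeException('installer still present; remove it manually');
    }
}

// Constructed sample input: a password containing quote, dollar and backslash characters.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    echo render_db_config([
        'host' => 'localhost', 'user' => 'root',
        'pass' => 'p"a$s\\w\'d', 'name' => 'yiqicms', 'prefix' => 'yiqicms',
    ]);
}
```

Run from the command line, the script prints the generated file: every value appears as a single-quoted literal, so the quote, dollar and backslash characters in the sample password stay data.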