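### Brief description:
Part two
### Details:
The espcms admin panel lets an administrator set php as an allowed image type, after which a shell can be uploaded through the image upload on the ad-slot page (phpinfo is used here for ease of demonstration).
1. In the admin panel, set php files as an allowed image type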
```
http://127.0.0.1/espcms/adminsoft/index.php?archive=management&action=syssetting&listfunction=syssetting&groupid=&iframeheightwindow=621&iframewidthwindow=1430
```
![a01.jpg](https://images.seebug.org/upload/201306/04201505f51da6817582ab776ff801ef36cd0684.jpg)
2. On the ad-slot page, upload the shell through the add-image function
```
http://127.0.0.1/espcms/adminsoft/index.php?archive=advertmain&action=advertadd&atid=1&type=add&freshid=0.8400494705419987&iframename=jerichotabiframe_0&iframeheightwindow=621&iframewidthwindow=1245
```
![a02.jpg](https://images.seebug.org/upload/201306/042016253a392f0a3a94b6b0e1e1714a41ad12d6.jpg)
3. Check the result
![a03.jpg](https://images.seebug.org/upload/201306/04201708b338bbdda84311175736da87fa49d046.jpg)
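A defensive counterpart to the steps above, as an added example that is not espcms code and not part of the original report: an upload handler whose image allowlist is fixed in code, so the admin-editable setting can only narrow it. The function name `store_advert_image`, the `IMAGE_TYPES` constant and the parameters are hypothetical, and it assumes PHP 7+ with the fileinfo extension.

```php
<?php
// Added example (not espcms code): upload check that an admin-editable
// extension list cannot weaken. All names here are hypothetical.

// Fixed in code: detected MIME type => extension written to disk.
const IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * @param array  $file         One entry of $_FILES
 * @param array  $adminAllowed Extensions from the settings page (untrusted)
 * @param string $destDir      Upload directory; the web server should not
 *                             execute scripts from it (assumption)
 * @return string Stored file name
 */
function store_advert_image(array $file, array $adminAllowed, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // The setting may only narrow the built-in list, never extend it.
    $allowed = array_intersect(array_map('strtolower', $adminAllowed), IMAGE_TYPES);

    // Decide the type from the bytes, not from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = IMAGE_TYPES[$mime] ?? null;
    if ($ext === null || !in_array($ext, $allowed, true)
        || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }

    // Server-chosen name and extension: "x.php" can never reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

With this shape, adding `php` to the configured list has no effect, because the stored extension is always derived from the detected image type.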
### Proof of vulnerability:
![a03.jpg](https://images.seebug.org/upload/201306/04201708b338bbdda84311175736da87fa49d046.jpg)