御剑扫描网址可以得到 ip/admin/upload1.php,ip/admin/upload2.php
尝试 ip/admin/upload.php,发现直接跳转upload1.php,没有访问权限继续跳转upload2.php
burpsuite抓包,截取upload.php,查看源码得到
forward一下
将uploadmd5更改为 upload_file.php
发送给repeater,go,获得网页源码
可看到文件命名方式:uploadfile/'date'_'verify的值'_'上传的文件名'
菜刀连接,路径为upload/20180801_f247a10a76cfecd9_muma.php
拿到key