<?php
header( 'Content-Type:text/html;charset=UTF-8');       
?>
<html>
<head>
<?php
        require 'include/global.php';
        require 'include/config.php';
        require 'include/db.php';
?>
<title>请稍等 - <?php echo $hostname; ?> - Powered by shlan</title>
<meta http-equiv="Content-Language" content="zh-cn">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link href="include/du.css" type=text/css rel=stylesheet>
</head>
<body>
<?php

        $a=strtolower(fileext($_FILES['file']['name']));
        /*判断文件类型*/
        if(!in_array(strtolower(fileext($_FILES['file']['name'])),$type))
        {
                $text=implode(",",$type);
                echo "您只能上传以下类型文件: ",$text,"  <a href=\"".$patch."\">&lt;&lt;&lt;返回</a>";
        }
        else
        {
        $sizsdy=$_FILES['file']['size'];
        if($size >= $sizsdy)
        {

/*fm制作*/
        $bigtext =$_POST["contents"];
        $bigtype =$_POST["type"]; //数组
         foreach($bigtype AS $key=>$type){
         $ztype=$ztype."|".$bigtype[$key];
         }
$atype = explode("|", $ztype);//数组
        $filename=explode(".",$_FILES['file']['name']);
                do
                {
                        $date=date('ym');
                        $filename[0]=random(10); //设置随机数长度,也就是文件前缀
                        $name=implode(".",$filename);
                        $name1=$name.".Yisde";//强制后缀名
                        $uploador=$uploaddir.$date;
                if(!is_dir($uploador)) {
                        //@mkdir($uploador, 0777);
                        @mkdir($uploador, 0666);
                        @chmod($uploador,   0777);
                        @fclose(fopen($uploador.'/index.htm', 'w'));
                        }
                        $uploadfile=$uploaddir.$date.'/'.$name1;//上传文件名后缀数量没有限制
                }
                while(file_exists($uploadfile));

                if (move_uploaded_file($_FILES['file']['tmp_name'],$uploadfile))
                {
                        $filesname=$_FILES['file']['name'];
                        $db=new db;
                        $db->connect($dbhost, $dbuser, $dbpwd, $dbname);
                        $db->query("set names utf8");
                        $sql="insert into wh_list (code,filename,file,contents,type,text) values ('".$filename[0]."','".$filesname."','".$name1."','".$date."','".$ztype."','".$bigtext."')";
                                if($db->query($sql))
                                {
                                        echo "<script>document.location=\"".$patch."links.php?code=".$filename[0]."\"</script>";//下载码,文件前缀
                                }
                                else
                                {
                                        echo"<script language=\"javascript\">
                                        alert(\"数据写入错误,请联系管理员!\");
                                        window.history.back(-1);
                                        </script>";
                                }
                }
        }
        else
        {
                echo"<script language=\"javascript\">
                alert(\"文件≥".$size."bytes无法上传!\");
                window.history.back(-1);
                </script>";
        }
        }
?>
</body>
</html>

利用iis的.php;.txt和apache的.php.g1f 的特性执行,以windows为例,将webshell改名为webshell.php;.txt,上传,上传的文件名及路径url/upfiles/年月/文件前缀.php;.txt.Yisde。