Here’s a small collection of phishing pages I’ve seen around where the malicious actor forgot to delete the original upload.
Amazon – Includes asking for SSN
Office 365 Advanced
This one is really interesting in that I’m uploading the entire website content. They used a cool PHP stager and followed it up with a nifty post-exploit PHP control panel. Take a look at linux.php and /incoming/i.php.