Here’s a small collection of phishing pages I’ve seen around where the malicious actor forgot to delete the original upload.

Amazon – Includes asking for SSN

Discover Card

Office 365

Office 365 Advanced
This one is really interesting in that I’m uploading the entire website content.  They used a cool PHP stager and followed it up with a nifty post-exploit PHP control panel.  Take a look at linux.php and /incoming/i.php.