I will not bother with screenshots of the code; it is attached directly below, and the comments explain it.

```php
<?php
set_time_limit(0);
$q = trim($_GET['q']);          // get the value of parameter q (the search keywords)
$id = intval($_GET['id']);      // get the integer value of id
$r_num = 0;                     // result counter
$lan = 3;
$pf = "";
$pf_l = "";
if ($q != "") {
    $dreamdb = file("data/yf.dat");            // read the prescription data file
    $count = count($dreamdb);                  // number of lines
    for ($i = 0; $i < $count; $i++) {
        $keyword = explode(" ", $q);           // split the query into keywords
        $dreamcount = count($keyword);         // number of keywords
        $detail = explode("\t", $dreamdb[$i]); // fields of one data record
        for ($ai = 0; $ai < $dreamcount; $ai++) {
            // The user-supplied keyword is interpolated into a string that is
            // then eval'd: eval, and its input is controllable.
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[0]\");");
            // ... remainder of the original code not shown
        }
    }
}
```
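As an added example (not code from the original report or the affected site), the same keyword search rewritten without eval: each keyword is escaped with preg_quote() and matched with preg_match(), so request input is only ever data and can never be parsed as PHP. This version also requires every keyword to match a record's first field, which is an assumption about the intended search; the function names and sample data are the example's own. eregi() was removed in PHP 7, so the rewrite also keeps the search working on current PHP.

```php
<?php
// Added example: safe replacement for the eval/eregi keyword match.
// Function and variable names here are the example's own, not the original code's.

// Case-insensitive literal substring match without eval: preg_quote() escapes
// the keyword so it is matched as text, never interpreted as PHP or as a regex.
function keyword_matches(string $keyword, string $subject): bool
{
    if ($keyword === '') {
        return false;
    }
    return preg_match('/' . preg_quote($keyword, '/') . '/iu', $subject) === 1;
}

// Search records (one tab-separated line each, first field is the title) for
// lines whose title contains every keyword of the query.
function search_records(array $lines, string $query): array
{
    $keywords = array_values(array_filter(explode(' ', trim($query)), fn($k) => $k !== ''));
    if ($keywords === []) {
        return [];
    }
    $hits = [];
    foreach ($lines as $line) {
        $detail = explode("\t", rtrim($line, "\r\n"));
        $title = $detail[0] ?? '';
        $all = true;
        foreach ($keywords as $kw) {
            if (!keyword_matches($kw, $title)) {
                $all = false;
                break;
            }
        }
        if ($all) {
            $hits[] = $detail;
        }
    }
    return $hits;
}

// Constructed sample data standing in for data/yf.dat.
$sample = [
    "Ginger tea\tfor colds",
    "Honey lemon drink\tfor sore throat",
];
// Request input is trimmed exactly as before, then used only as data.
$q = isset($_GET['q']) ? trim((string) $_GET['q']) : 'ginger tea';
print_r(search_records($sample, $q));
```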
Affected files

Each content module has its own copy of the vulnerable index.php:

[Zip section] vulnerable file: /yb/index.php
[Wine recipes section] vulnerable file: /jiufang/index.php
[Porridge recipes section] vulnerable file: /zhoupu/index.php
[Proverbs section] vulnerable file: /yanyu/index.php
[Folk remedies section] vulnerable file: /pianfang/index.php
[Riddles section] vulnerable file: /miyu/index.php
[Famous quotes section] vulnerable file: /mingyan/index.php
[Famous prescriptions section] vulnerable file: /mingfang/index.php
[Dreams section] vulnerable file: /meng/index.php
[Proven prescriptions section] vulnerable file: /yanfang/index.php
[Herbal medicine section] vulnerable file: /zhongcaoyao/index.php
[Xiehouyu sayings section] vulnerable file: /xiehouyu/index.php
[Tongue twisters section] vulnerable file: /raokouling/index.php
[Brain teasers section] vulnerable file: /naojin/index.php
Vulnerability verification
I will not release the exploit for now; a screenshot of a successful exploitation is attached instead.