iwebsns1.0 任意文件删除&&2个注入

<?php

   //引入模块公共方法文件

  require("foundation/module_users.php");

require("foundation/aintegral.php");

require("foundation/fcontent_format.php");

require("api/base_support.php");

  //语言包引

  $u_langpackage=new userslp;

  //数据库操作

  dbtarget('w',$dbServs);

  $dbo=new dbex();

  $photo_url=short_check(get_argg('pic'));         //这里这里.

  $user_id=get_sess_userid();//用户ID

  $user_name=get_sess_username();//用户名

  $ico_url=long_check(get_argp('u_ico_url'));

往下看

;

;

;



if(preg_match("/uploadfiles\/photo_store/",$photo_url)){

unlink($photo_url);//删除临时图片文件          // you know

}

//变量声明区

$user_id=get_sess_userid();

$user_name=get_sess_username();

$userico=get_sess_userico();

  $cho=get_argp('pol_cho'); //此处可控未过滤

  $pid=intval(get_argg('pid'));

  $anon=short_check(get_argp('anonymity'));

  $total_credit=intval(get_argp('credit'));

  $per_int=intval(get_argp('percredit'));

  $p_subject=short_check(get_argp('subject'));

往下看

 foreach($cho as $v){

  $option.=",".$v;

  }

  $sql="select `option` from $t_polloption where oid in(0.$option)"; //you know too

<?php

require("foundation/module_users.php");





//引入语言包

$u_langpackage=new userslp;





//变量获得

$user_id =get_sess_userid();

$model = short_check(get_argg('model'));

$birth_year = short_check(get_argp('birth_year'));

$birth_month = short_check(get_argp('birth_month'));

$birth_day = short_check(get_argp('birth_day'));

$reside_city = short_check(get_argp('reside_city'));

$reside_province = short_check(get_argp('reside_province'));

$birth_city = short_check(get_argp('birth_city'));

$birth_province = short_check(get_argp('birth_province'));

$is_finish=intval(get_argg('is_finish'));

$info = get_argp('info');    //看这里

往下看

//更新自定义信息表

if(!empty($info)){

foreach($info as $key => $value){

if($value!==''){

$key=explode('|',$key);

$sql="insert into $t_user_info (user_id,info_id,info_value) values ($user_id,'".$key[0]."','$value')";//直接查询, 不过受Gpc

$dbo -> exeUpdate($sql); 

}

}

}