iwebsns1.0 任意文件删除&&2个注入

2013-08-24 21:20:31 22 3678


action\users\user_ico_cut_save.action.php
<?php
   //引入模块公共方法文件
  require("foundation/module_users.php");
require("foundation/aintegral.php");
require("foundation/fcontent_format.php");
require("api/base_support.php");
  //语言包引
  $u_langpackage=new userslp;
  //数据库操作
  dbtarget('w',$dbServs);
  $dbo=new dbex();
  $photo_url=short_check(get_argg('pic'));         //这里这里.
  $user_id=get_sess_userid();//用户ID
  $user_name=get_sess_username();//用户名
  $ico_url=long_check(get_argp('u_ico_url'));
往下看
;
;
;

if(preg_match("/uploadfiles\/photo_store/",$photo_url)){
unlink($photo_url);//删除临时图片文件          // you know
}
\iwebsns\action\poll\poll_submit.action.php
//变量声明区
$user_id=get_sess_userid();
$user_name=get_sess_username();
$userico=get_sess_userico();
  $cho=get_argp('pol_cho'); //此处可控未过滤
  $pid=intval(get_argg('pid'));
  $anon=short_check(get_argp('anonymity'));
  $total_credit=intval(get_argp('credit'));
  $per_int=intval(get_argp('percredit'));
  $p_subject=short_check(get_argp('subject'));
往下看
foreach($cho as $v){
  $option.=",".$v;
  }
  $sql="select `option` from $t_polloption where oid in(0.$option)"; //you know too
action\users\user_info.action
<?php
require("foundation/module_users.php");


//引入语言包
$u_langpackage=new userslp;


//变量获得
$user_id =get_sess_userid();
$model = short_check(get_argg('model'));
$birth_year = short_check(get_argp('birth_year'));
$birth_month = short_check(get_argp('birth_month'));
$birth_day = short_check(get_argp('birth_day'));
$reside_city = short_check(get_argp('reside_city'));
$reside_province = short_check(get_argp('reside_province'));
$birth_city = short_check(get_argp('birth_city'));
$birth_province = short_check(get_argp('birth_province'));
$is_finish=intval(get_argg('is_finish'));
$info = get_argp('info');    //看这里
往下看
//更新自定义信息表
if(!empty($info)){
foreach($info as $key => $value){
if($value!==''){
$key=explode('|',$key);
$sql="insert into $t_user_info (user_id,info_id,info_value) values ($user_id,'".$key[0]."','$value')";//直接查询, 不过受Gpc
$dbo -> exeUpdate($sql);
}
}
}
大概看了一下这个程序..  远远不止这些
各位看官.脚下留情....

关于作者

残花败柳19篇文章244篇回复

败家博客

评论22次

要评论?请先  登录  或  注册