大概看了下。。感觉太蛋疼了 就没继续看了。。
 
index.php
 
本地包含
 
$url = $_GET; //获取所有被解析过的url jeffxie <[email]jeffxie@gmail.com[/email]> 2011-09-17
 
$mod = $url["view"];
 
 
 
if($mod)
 
{       
 
        if($mod == 'uid'){        //好友微博以uid/..形式打开
 
                $uid = $_GET['do'];
 
                $_GET['do'] = 'friend';
 
        }
 
        #echo ucfirst($_GET['do']);
 
        include(__MOD__ ."/".$url["view"]. "/" . ucfirst($url["view"]) . ucfirst($_GET['do']) . ".class.php"); //也得靠截断
 
        echo __MOD__ ."/".$url["view"]. "/" . ucfirst($url["view"]) . ucfirst($_GET['do']) . ".class.php";
 
    $mod = ucfirst($url["view"]) . ucfirst($_GET['do']);
 
    $init = new $mod();
 
    $init->InitInstance();
 
}
 
else{
 
    include(__MOD__ . "/index/Index" ."Details.class.php");
 
    $mod = "IndexDetails";
 
    $init = new $mod();
 
    $init->InitInstance();
 
}
 
?>盲注 利用起来比较蛋疼。。
（转发时候可以自己抓包构造）
class AjaxZf extends Tp{
 
        public function initInstance() {
 
                $this->uid = $_SESSION["uid"];
 
                if($_POST && $_GET["type"] == 1)
 
                {
 
               
 
                        $this->getWindow($_POST);
 
                }
 
                else if($_POST && $_GET["type"] == 2){
 
                        //写入微博
 
                        $this->addZf($_POST);
 
                }
 
                exit;
 
        }
 
若干。。
 
public function getWindow($_POST)
 
        {
 
                global $biaoqing;
 
                $aid = $_POST["aid"];//this...
 
                $type = $_POST["type"];//如果type==1就是原创,如果type是6就是转载的微博，需要"根据aid"调出所有被转的人
 
                $uid = $_POST["uid"];               
 
                if($type == 6)// www.2cto.com 转载微博,根据aid调出所有的转载关系(这个时候where aid=wid)
 
                {
 
                        $strSQL = "SELECT a.title AS title,a.content AS content,u.nickname AS nickname,a.uid AS uid FROM " . __PREFIX_TAB__ . "article a,".__PREFIX_TAB__ ."users u WHERE u.id=a.uid AND a.id=$aid ORDER BY a.pubtime DESC LIMIT 1"; //带入查询了。getshell 就这个不鸡肋了。。
（发布微博时候添加歌曲）
整个不解析php的空间 新建一个1.php 里面写一句话
然后添加歌曲里写你的文件地址就行了。。shell路径看源码吧。。
include __FRAME__ . "/getid3/getid3/getid3.php";
 
class AjaxAddmusic extends Tp{
 
        public function initInstance() {
 
                if($_POST)
 
                {
 
                        $this->postData($_POST);
 
                        exit;
 
                }
 
        }
 
 
 
        public function postData($data){
 
                $filename = $data["musicurl"];
 
                //获取文件名
 
$new1 = split("//",$filename);
 
$new2 = split("/",$new1[1]);
 
$f = file_put_contents("uploadfiles/mp3/".$new2[count($new2)-1],file_get_contents($filename)); 
 
$getID3 = new getID3();//创建一个类的实例
 
 
 
$ThisFileInfo = $getID3->analyze("uploadfiles/mp3/".$new2[count($new2)-1]);//分析文件
 
                $musicurl = $data["musicurl"];
 
                $pubtime = time();
 
                $uid = $_SESSION["uid"];
 
                $regex = "/http:\/\/(.*)\.mp3$/" //虽然这里判断了 但是上面已经写入了。。so..太傻比了。。

from:http://t00ls.net/thread-20220-1-1.html
 
 修复：及时验证
--------------------------------------------------------------------------------