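// Emulate register_globals on hosts where that setting is off.
// The listing was whitespace- and case-mangled in extraction; tokens are restored here.
// register_globals was removed in PHP 5.4, so on later runtimes ini_get() returns
// false for it and the extract() branch below always runs.
// NOTE(review): the listing prints "get_reg_var", which is not a PHP built-in;
// get_cfg_var (used for disable_functions below) is presumably what was meant.
$onoff = function_exists('ini_get')
    ? ini_get('register_globals')
    : get_cfg_var('register_globals');
if ($onoff != 1) {
    // SECURITY: extract() turns every request parameter into a variable in this scope.
    // EXTR_SKIP only protects names that are already assigned when this line runs;
    // any variable first assigned later in the file can be pre-seeded by the client.
    // Code that must stay should read the specific $_POST/$_GET keys it needs instead.
    @extract($_POST, EXTR_SKIP);
    @extract($_GET, EXTR_SKIP);
}
// PHP_SELF includes any trailing path info the client sends, so the value is
// untrusted and needs htmlspecialchars() wherever it is written into HTML.
$self = $_SERVER['PHP_SELF'];
// Reads the host's disable_functions list; the value is not used in the visible lines.
// NOTE(review): ordinary application code rarely inspects this setting; a script that
// does so in an unexpected place under a web root is worth a closer look.
$dis_func = get_cfg_var("disable_functions");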
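/*===========*/
// Password gate, active only when $admin['check'] is "1".
// $admin is assigned outside the visible lines. The extracted listing shows a single
// "=" in these conditions, which would assign rather than compare; they are restored
// as comparisons, and the unbalanced parenthesis on the isset() line is closed.
if ($admin['check'] == "1") {
    // Logout: blank the cookie, show a notice and stop.
    if ($_GET['action'] == "logout") {
        setcookie("adminpass", "");
        // NOTE(review): $self is echoed unescaped into an attribute; it derives from
        // PHP_SELF, which the client can influence, so this is a reflected-XSS sink.
        echo "<meta http-equiv=\"refresh\" content=\"3;url=".$self."\">";
        echo "<span style=\"font-size: 12px; font-family: verdana\">logout successful ...... <p><a href=\"".$self."\">automatically exit after three seconds or click here to exit the program interface &gt;</a></span>";
        exit;
    }
    // Login: compare the submitted password with the configured one.
    if ($_POST['do'] == 'login') {
        $thepass = trim($_POST['adminpass']);
        // NOTE(review): the configured password is compared in clear text with a loose
        // "==", which is subject to PHP type juggling and is not constant-time.
        // password_hash()/password_verify() over a stored hash is the safe form.
        if ($admin['pass'] == $thepass) {
            // NOTE(review): the cookie value is the password itself, valid for one day,
            // set without HttpOnly or Secure flags; anyone who can read the cookie
            // holds the credential. A random server-side session token avoids this.
            setcookie("adminpass", $thepass, time() + (1*24*3600));
            echo "<meta http-equiv=\"refresh\" content=\"3;url=".$self."\">";
            echo "<span style=\"font-size: 12px; font-family: verdana\">login successful ...... <p><a href=\"".$self."\">automatically jump in three seconds or click here to enter the program interface &gt;</a></span>";
            exit;
        }
    }
    // Every other request must carry a cookie equal to the configured password.
    // NOTE(review): loginpage() is defined elsewhere; the gate only holds if that
    // function terminates the request. If it returns, execution continues below.
    if (isset($_COOKIE['adminpass'])) {
        if ($_COOKIE['adminpass'] != $admin['pass']) {
            loginpage();
        }
    } else {
        loginpage();
    }
}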
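/*===========*/
// Determine the magic_quotes_gpc status and undo its escaping of request data.
// get_magic_quotes_gpc() always returned false from PHP 5.4 and was removed in
// PHP 8.0, where this call is a fatal error; the code targets legacy runtimes only.
// stripslashes_array() is defined outside the visible lines.
// NOTE(review): this runs after the request data has already been read above
// (extract() and the login check), so those earlier uses saw the escaped values.
if (get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
}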
Bytes ---------------------------------------------------------------------------------------------------------------------
Http://www.discuz.net/admin/logging.php? Action = Login
You can jump to another directory.
Use
Http://www.discuz.net/search.php? USER % id = 100
Injection ......
Manual injection only
Note: The showpath must contain your own path.
If the limit is exceeded, you can also jump up. When uploading files to superiors, you cannot directly
Http: // www. http://www.discuz.net/user/up/_id=../../....../ (injection Statement)
Contains the user path.
Http://www.discuz.net/member.php? Action = list_usernumber = 1402257ee8f
Otherwise, injection is not allowed.
The code of the vulnerable file is as follows:
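<?php
// Bootstrap of the page the surrounding text calls vulnerable. Spacing is restored
// from a mangled extraction; the capitalisation inside the string literals
// ('System.Data.data', "Global.php", ...) is kept as printed and may itself be an
// extraction artefact, so check it against the real file names.
// NOTE(review): nothing in these lines reads a request parameter or builds a query;
// the injectable statement the text refers to must be in one of the included files.
define('_system_root', '');
include dirname(__FILE__).'/framework_gb/framework.php';
// using() is presumably a loader provided by framework.php; it is not shown here.
using('System.Data.data');
using('System.Data.plugins.option');
using('System.Page.page');
using('System.Smarty.Smarty');
using('System.functions.Functions');
require_once _system_root."Global.php";
require_once _system_root."vars.php";
// The stdClass placeholder is overwritten on the next line. $data is not assigned in
// the visible lines; presumably one of the included files creates it.
$db = new stdClass();
$db = $data->getdb();
/*
echo '<pre>';
print_r($data);
*/
?>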
This code can be injected directly, and the injection discloses the back-end (admin) password.