I have read about it .. I felt so bad that I didn't continue reading it ..
index.php
Local file inclusion
$url = $_GET; // GET all parsed URLs jeffxie <jeffxie@gmail.com>
$mod = $url["view"];
if ($mod)
{
    if ($mod == 'uid') { // friends Weibo opens in uid/... format
        $uid = $_GET['do'];
        $_GET['do'] = 'friend';
    }
    # echo ucfirst($_GET['do']);
    include(__MOD__ . "/" . $url["view"] . "/" . ucfirst($url["view"]) . ucfirst($_GET['do']) . ".class.php"); // you have to truncate it
    echo __MOD__ . "/" . $url["view"] . "/" . ucfirst($url["view"]) . ucfirst($_GET['do']) . ".class.php";
    $mod = ucfirst($url["view"]) . ucfirst($_GET['do']);
    $init = new $mod();
    $init->InitInstance();
}
else {
    include(__MOD__ . "/index/Index" . "Details.class.php");
    $mod = "IndexDetails";
    $init = new $mod();
    $init->InitInstance();
}
?>
Blind injection is a pain point ..
(You can capture the packets yourself when reposting)
class AjaxZf extends Tp {
    public function initInstance() {
        $this->uid = $_SESSION["uid"];
        if ($_POST && $_GET["type"] == 1)
        {
            $this->getWindow($_POST);
        }
        else if ($_POST && $_GET["type"] == 2) {
            // Write to Weibo
            $this->addZf($_POST);
        }
        exit;
    }
    ..
    public function getWindow($_POST)
    {
        global $biaoqing;
        $aid = $_POST["aid"]; // this...
        $type = $_POST["type"]; // If type is 1, it is an original post. If type is 6, it is a repost; call up everyone who reposted it according to aid
        $uid = $_POST["uid"];
        if ($type == 6) // repost: call up all repost relationships based on aid (at this time, aid = wid)
        {
            $strSQL = "SELECT a.title AS title, a.content AS content, u.nickname AS nickname, a.uid AS uid FROM " . __PREFIX_TAB__ . "article a," . __PREFIX_TAB__ . "users u WHERE u.id = a.uid AND a.id = $aid order by a.pubtime desc limit 1"; // $aid is brought straight into the query. Getshell is not a problem ..
(Add a song when publishing a Weibo post)
Take a hosting space on which PHP is not parsed, create a new 1.php there and write a one-sentence script in it.
Put your file's address in as the song URL .. For the shell path, see the source code ..
include __FRAME__ . "/getid3/getid3/getid3.php";
class AjaxAddmusic extends Tp {
    public function initInstance() {
        if ($_POST)
        {
            $this->postData($_POST);
            exit;
        }
    }
    public function postData($data) {
        $filename = $data["musicurl"];
        // Get the file name
        $new1 = split("//", $filename);
        $new2 = split("/", $new1[1]);
        $f = file_put_contents("uploadfiles/mp3/" . $new2[count($new2)-1], file_get_contents($filename));
        $getID3 = new getID3(); // create an instance of the class
        $ThisFileInfo = $getID3->analyze("uploadfiles/mp3/" . $new2[count($new2)-1]); // analyze the file
        $musicurl = $data["musicurl"];
        $pubtime = time();
        $uid = $_SESSION["uid"];
        $regex = "/http:\/(.*)\.mp3$/"; // although the check is here, the file has already been written above .. So... too silly ..
From: http://t00ls.net/thread-20220-1-1.html
Fix: validate input before it is used.
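The fix applied to the three sinks on this page, as an added PHP example that is not the application's own code: each request value is checked before the include, the query or the file write sees it. The function names, the MODULES allowlist, the paths and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not the application's code): validate each input before the
// sink uses it. Allowlist contents and sample inputs are constructed.

// index.php: map view/do to a class file only if both are on an allowlist.
const MODULES = ['index' => ['details'], 'ajax' => ['zf', 'addmusic']]; // assumed

function module_file(string $base, string $view, string $do): ?string
{
    $view = strtolower($view);
    $do   = strtolower($do);
    if (!in_array($do, MODULES[$view] ?? [], true)) {
        return null;                       // unknown module: nothing is included
    }
    return "$base/$view/" . ucfirst($view) . ucfirst($do) . '.class.php';
}

// AjaxZf::getWindow: aid must be a positive integer before it reaches SQL.
function article_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;     // bind it as a query parameter afterwards
}

// AjaxAddmusic::postData: check the URL first, never reuse the remote file name.
function music_target(string $url, string $dir = 'uploadfiles/mp3'): ?string
{
    $p = parse_url($url);
    if (!is_array($p) || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)
        || !preg_match('/\.mp3$/i', $p['path'] ?? '')) {
        return null;                       // rejected before any download or write
    }
    return $dir . '/' . bin2hex(random_bytes(16)) . '.mp3'; // server-chosen name
}

// Content check for the downloaded bytes: ID3 tag or an MPEG audio frame sync.
function looks_like_mp3(string $bytes): bool
{
    return strncmp($bytes, 'ID3', 3) === 0
        || (strlen($bytes) > 1 && ord($bytes[0]) === 0xFF && (ord($bytes[1]) & 0xE0) === 0xE0);
}

// Constructed inputs: one accepted and one rejected value per check.
var_dump(module_file('/app/mod', 'ajax', 'zf'));
var_dump(module_file('/app/mod', '../../etc', 'passwd'));
var_dump(article_id('42'), article_id('42 OR 1=1'));
var_dump(music_target('http://media.example/1.php'));
var_dump(looks_like_mp3('<?php'), looks_like_mp3("ID3\x03"));
```

Because the stored name is generated on the server and always ends in .mp3, a remote file name can no longer decide the extension of what lands in uploadfiles/mp3.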
--------------------------------------------------------------------------------