Starlight Post Bar 1.3 background SHELL and repair solution

By: Legend of the wind
I analyzed two programs today and sent them all.

Okay, I admit it's a little chicken ..
Let's take a look at this file.
/Common. function. php
 
01functionwrite_file ($ l1, $ l2 = '') {// write a file
02 $ dir = dirname ($ l1 );
03 if (! Is_dir ($ dir )){
04 mkdirss ($ dir );
05}
06 return @ file_put_contents ($ l1, $ l2 );
07}
08functionread_file ($ l1 ){
09 return @ file_get_contents ($ l1 );
10}
11 // Save the array to the file
12functionarr2file ($ filename, $ arr = ''){
13 if (is_array ($ arr )){
14 $ con = var_export ($ arr, true );
15} else {
16 $ con = $ arr;
17}
18 $ con = "<? Php \ nreturn $ con; \ n?> "; // \ N! Defined ('in _ mp') & die (); \ nreturn $ con; \ n
19 write_file ($ filename, $ con );
20}
The above is the defined function. Let's mainly look at the write_file function. OK, let's take a look at the background file l
Admin \ module \ extendMod. class. php
 
1 $ array =$ _ POST; // The array submitted by POST is assigned to $ array
2 if (! Empty ($ array ['ads _ name_sub ']) {
3 if ($ this-> model-> table ('ads ')-> where ('adsname = "'. trim ($ _ POST ['ads _ name_sub ']). '"')-> find ()){
4 $ this-> error ('The ad ID already exists. Please enter a new one! ');
5}
6 $ data ['adsname'] = trim ($ array ['ads _ name_sub ']); // file name
7 $ data ['adscontent'] = stripslashes (trim ($ array ['ads _ content_sub ']); // content
8 $ this-> model-> table ('ads ')-> data ($ data)-> insert ($ data );
9 write_file (ROOT_PATH. '/data/ads /'. $ data ['adsname']. '. js', t2js ($ data ['adscontent']); // write SHELL
Go to the background and browse http://www.bkjia.com/admin/index. php/extend/ads.html
Enter the advertisement ID in 1.php.

Enter the following content for the advertisement: <? Phpinfo ();?>

Then visit http://www.bkjia.com/data/ads/1. php. js to see our cute horse. Of course, the parsing like php. js depends on the environment.

Therefore, it is a SHELL method.

Fixed: filter the two inputs.