adminsoft/index.php
 
$archive = indexget('archive', 'R');
$archive = empty($archive) ? 'adminuser' : $archive;
$action = indexget('action', 'R');
$action = empty($action) ? 'login' : $action;
 
include admin_ROOT . adminfile . "/control/$archive.php";// 包含产生 good nice
$control = new important();
$action = 'on' . $action;
if (method_exists($control, $action)) {
$control->$action();
} else {
 exit('错误：系统方法错误！');
}
 
首先看index.php

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
02 ///省略无关代码
03 $archive = indexget('ac', 'R');  //ac
04 $action = indexget('at', 'R');    //at
05 ///省略无关代码
06 if (empty($archive) || empty($action)) {
07         include admin_ROOT . 'interface/public.php';
08         $mainlist = new mainpage();
09         if (method_exists($mainlist, 'in_index')) {
10                 $mainlist->in_index();
11         } else {
12                 exit('Access error!');
13         }
14 } else {
15         if (in_array($archive, array('article', 'forum', 'search', 'bbssearch', 'forummain', 'messmain', 'special', 'respond', 'public', 'scriptout', 'enquiry', 'enquirymain', 'form', 'formmain', 'ordermain', 'membermain', 'member', 'forum', 'order'))) { //强制，首页包含木有了
16                 $action = 'in_' . $action; /in_$ 函数
17                 if (!file_exists(admin_ROOT . "interface/$archive.php")) { //跟进
18                         exit('Access error!');
19                 }
20                 include admin_ROOT . "interface/$archive.php";
21                 $mainlist = new mainpage();
22                 if (method_exists($mainlist, $action)) {
23                         $mainlist->$action();
24                 } else {
25                         exit('Access error!');
26                 }
27         } else {
28                 exit('Access error!');
29         }
30 }
31 ///省略无关代码
32 跟进到interface/enquity文件
33 ///省略无关代码
34 $filename = $this->fun->accept('filename', 'G'); //filename变量
35                 $filename = empty($filename) ? 'list' : $filename;
36 ///省略无关代码
37 $output = $this->pagetemplate->fetch($lng . '/lib/' . $filename);  '
38 ///省略无关代码
39 ///跟进函数库查看
40         function fetch($tpl_file, $cache_fileID = null, $outHTML = null) {
41                 if (!empty($outHTML)) {
42                         $out = $this->gettemprequire($outHTML);
43                         return $out;
44                 }
45                 require_once 'ectemplates_parser.php';
46
47                 if ($this->libfile) {
48                         $tpl_file = $this->templatesDIR . $tpl_file . '.html';  //html
49                 }
50
51                 $template_file = $this->tpl_dir . $tpl_file;
52
53                 $parsed_file = $this->tpl_c_dir . md5($tpl_file) . '.php';
54
55

 

 
%00
漏洞证明：%00
修复方案：过滤特殊字符