[Repost] Several 0-days in dvbbs php2.0


Author: T00ls core member Xhm1n9
Date: 2010.8.19

1: joinvipgroup.php  // injection
function up_vipuser(){
global $lang,$db,$dv,$userid,$userinfo,$vipgroupuser;
$groupid=$_POST['vipgroupid'];
$btype=$_POST['Btype'];
$vipmoney=$_POST['vipmoney'];
$vipticket=$_POST['vipticket'];
if($groupid==0 or $vipmoney
   showmsg($lang['join.info4']);
   exit;
}
$issql=$db->scalar("SELECT count(1) FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'");echo $issql;
if($issql>0 AND ($sql=$db->query("SELECT usergroupid,title,usertitle,groupsetting,grouppic FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'"))){
   while ($arr=$db->fetch_array($sql)){
    $vipgroupsetting=explode(",",$arr['groupsetting']);
    $upsetting=explode($lang['join.separator1'], $vipgroupsetting[71]);// gold required to upgrade to this group: gold§tickets§valid days§minimum days
    if($btype==1){echo "???";
     $vipmoney=0;
     if(intval($upsetting[3])>0){
      $mustnum=$upsetting[3]*$upsetting[1]/$upsetting[2];
      if($mustnum>0){
       $mustnum=number_format($mustnum,0);
      }else{
       showmsg($lang['join.info5']);
       exit;
      }
     }
     if($userinfo['userticket']
      showmsg($lang['join.info6']);
      exit;
     }
     $updats=$vipticket*$upsetting[2]/$upsetting[1];
     $updats=intval(number_format($updats,0));
    }else{echo "&&&";
     $vipticket=0;
     if($upsetting[3]>0){
      $mustnum=$upsetting[3]*$upsetting[0]/$upsetting[2];
      if($mustnum>0){
       $mustnum=number_format($mustnum,0);
      }else{
       showmsg($lang['join.info5']);
       exit;
      }
     }
                                 var_dump($userinfo['usermoney']
                                   var_dump($vipmoney
     if($userinfo['usermoney']
      showmsg($lang['join.info7']);
      exit;
     }
     $updats=$vipmoney*$upsetting[2]/$upsetting[0];
     $updats=intval(number_format($updats,0));
    }
    if($vipgroupuser===true){echo "%%%";
     $db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".($userinfo['vip_endtime']+$updates*24*3600)."' WHERE userid=".$userid."");
     $db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
    }else{echo "^^^";
     $db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".(TIME_NOW+$updates*24*3600)."',vip_startime='".TIME_NOW."' WHERE userid=".$userid."");
     $db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
    }
   ..............................................................
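The $vipmoney variable is not filtered. Exploitation requires that the administrator has set up a VIP member group and that the account has some gold :)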
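
A hardened form of the UPDATE above, as an added example that is not dvbbs code or the author's: it validates the POST values as non-negative integers and binds them as query parameters instead of concatenating them. PDO, the table name dv_user, the helper names and the in-memory SQLite row are assumptions made for this sketch.

```php
<?php
// Added example: hardened sketch of the balance update in up_vipuser().
// Assumptions: PDO instead of dvbbs's $db wrapper, a table named dv_user,
// and an in-memory SQLite database with one constructed row.

// Accept only a canonical non-negative decimal integer; anything else is rejected.
function post_uint($value): int {
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($n === false) {
        throw new InvalidArgumentException('not a non-negative integer');
    }
    return $n;
}

function upgrade_vip(PDO $pdo, int $userid, $groupid, $vipmoney, $vipticket, int $endtime): bool {
    $groupid   = post_uint($groupid);
    $vipmoney  = post_uint($vipmoney);
    $vipticket = post_uint($vipticket);
    // Every request-derived value is bound as a parameter, never concatenated.
    // The balance conditions make the debit atomic: no row changes if funds are short.
    $stmt = $pdo->prepare(
        'UPDATE dv_user SET usergroupid = :gid,
                usermoney = usermoney - :money,
                userticket = userticket - :ticket,
                vip_endtime = :endtime
          WHERE userid = :uid AND usermoney >= :money2 AND userticket >= :ticket2'
    );
    $stmt->execute([
        ':gid' => $groupid, ':money' => $vipmoney, ':ticket' => $vipticket,
        ':endtime' => $endtime, ':uid' => $userid,
        ':money2' => $vipmoney, ':ticket2' => $vipticket,
    ]);
    return $stmt->rowCount() === 1;
}

// Constructed test data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dv_user (userid INTEGER PRIMARY KEY, usergroupid INT,
            usermoney INT, userticket INT, vip_endtime INT)');
$pdo->exec('INSERT INTO dv_user VALUES (7, 4, 100, 0, 0)');

var_dump(upgrade_vip($pdo, 7, '12', '30', '0', time() + 30 * 86400)); // valid request
try {
    upgrade_vip($pdo, 7, '12', '30abc', '0', time());  // non-numeric vipmoney
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```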

Test

Form target: http://127.1/dvbbs/joinvipgroup.php?action=upvipuser (enctype="multipart/form-data")





Article source: lcx.cc: [Repost] Several 0-days in dvbbs php2.0
