迅捷网络留言本(原多多留言本) v 1.1 GBK注入漏洞及后台拿WebShell

add.php：

                 if($_POST['unum']==$_SESSION["randValid"]){
                        $username=addslashes(htmlspecialchars($_POST['username']));
                        $email=addslashes(htmlspecialchars($_POST['email']));
                        $content=addslashes(htmlspecialchars($_POST['content']));
                        $userip=$_SERVER["REMOTE_ADDR"];
                        $ifqqh=$_POST["ifqqh"];
                        if(empty($ifqqh)) $ifqqh=0;
                        $systime=date("Y-m-d H:i:s");
                        if(!empty($content) or !empty($username)){
                        $ifshow="";
                        //还原空格和回车
                        if(!empty($content)){
                                $content=str_replace("　","",$content);
                                $content=ereg_replace("n","
　　",ereg_replace(" "," ",$content));
                        }
                        if($ifauditing==1){$ifshow=0;}else{$ifshow=1;}
                        //还原结束
                        $sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";
                        //echo $sql;

$ifqqh=$_POST["ifqqh"];没有过滤。。。。。。。
$sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";$ifqqh没有用   '  来包含。不受magic_quotes_gpc影响

Exp：

admin_set.php：

// write the para file
$filenum = fopen ("include/para.php","w");
ftruncate($filenum, 0);
fwrite($filenum, $parafile);
fclose($filenum);
        echo "设置已保存，请稍候……
如果浏览器没有自动返回，请点击此处返回";
        echo "";
?>