WooYun.org

if(isset($post_loginsubmit)) {
	//宽字符注入
	if($editor = $db->get_by('*', 'admins', "editor='".$db->addslashes($post_username)."'")) {
		if(ak_md5($post_password, 0, 2) == $editor['password']) {
			if($editor['freeze'] == 1) adminmsg($lan['youarefreeze'], 'index.php', 3, 1);
			if(!empty($post_rememberlogin)) {
				setlogin($post_username, $thetime + 24 * 3600 * 365 * 10);
			} else {
				setlogin($post_username);
			}
			$target = 'index.php';
			if(ifthemeuninstalled()) $target = 'index.php?file=theme&action=themeinstall';
			adminmsg($lan['login_success'], $target);
		} else {
			adminmsg($lan['login_failed'], 'index.php?file=login', 3, 1);
		}
	} else {
		adminmsg($lan['login_failed'], 'index.php?file=login', 3, 1);
	}
} else {
	displaytemplate('login.htm');
}

function get_by($what, $from, $where = '', $orderby = '') {
		$table = $this->fulltablename($from);
		$sql = "SELECT {$what} FROM `{$table}`";
		if($where != '') $sql .= " WHERE {$where}";
		if($orderby != '') $sql .= " ORDER BY {$orderby}";
		if(strpos($what, '(') === false) $sql .= " LIMIT 1";
		$row = $this->get_one($sql);
		if($row === false) {
			return false;
		} elseif(count($row) == 1) {
			return current($row);
		} else {
			return $row;
		}
	}

function get_one($sql) {
		$arr = $this->querytoarray($sql, '', 1);
		if(count($arr) > 0) return array_shift($arr);
		return false;
	}

function querytoarray($sql, $key = '', $num = 1000) {
		global $sqlcaches;
		$results = array();
		if(!empty($GLOBALS['batchcreateitemflag'])) {
			if(!isset($sqlcaches)) $sqlcaches = array();
			$cachekey = $sql.'*'.$num;
			if(isset($sqlcaches[$cachekey])) {
			}
		}
		$query = $this->query($sql);
		$i = 1;
		while($row = $this->fetch_array($query)) {
			if($key == '' || !isset($row[$key])) {
				$results[$i] = $row;
			} else {
				$results[$row[$key]] = $row;
			}
			if($i ++ >= $num) break;
		}
		return $results;
	}

function query($sql, $ignoresafe = 0) {
		global $ifdebug, $slowquery, $thetime;
		if(!empty($ifdebug)) $start = akmicrotime();
		if(empty($ignoresafe)) {
			if(preg_match('/^(select|delete)\s+.*?(select|update|detele|insert|replace)\s+/i', $sql, $match)) {
				eventlog("REJECT\t".$sql, 'sql');
				return false;
			}
		}
		if($ignoresafe == 1 && strpos($sql, ";\n") != false) {
			$sqls = explode(";\n", $sql);
			foreach($sqls as $sql) {
				if(trim($sql) != "") $query = $this->_query($sql);
			}
		} else {
			$query = $this->_query($sql);
		}
		if(!$query) $this->halt($this->error(), $sql);
		if(!empty($ifdebug)) {
			$usedtime = akmicrotime() - $start;
			if(empty($slowquery) || $usedtime > $slowquery) {
				eventlog(msformat(akmicrotime() - $start)."\t".$sql, 'sql');
			}
		}
		if($sql != 'BEGIN;') {
			$this->querynum++;
			if(!empty($ifdebug)) $sql = msformat(akmicrotime() - $start).' '.$sql;
			if($this->querynum < 1000) $this->queries[] = $sql;
		}
		return $query;
	}

if(preg_match('/^(select|delete)\s+.*?(select|update|detele|insert|replace)\s+/i', $sql, $match)) {
				eventlog("REJECT\t".$sql, 'sql');
				return false;
			}

if(isset($_SERVER['HTTP_CONTENT_DISPOSITION']) && preg_match('/attachment;\s+name="(.+?)";\s+filename="(.+?)"/i',$_SERVER['HTTP_CONTENT_DISPOSITION'], $info)){
	//getshell
	$filename = fromutf8(urldecode($info[2]));
	if(fileext($filename) == 'php') aexit();
	$newfilename = get_upload_filename($filename, 0, 0, 'image');
	$a = file_get_contents("php://input");
	if(!checkuploadfile($a)) {
		uploaddanger($lan['danger']);
	} else {
		writetofile($a, FORE_ROOT.$newfilename);
	}
}