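// job.php, attachment download / redirect.
//
// $url is the attachment location handed to this script; $webdb['www_url'] is the
// site's base URL and PHP168_PATH the document root (both defined elsewhere).
//
// The original code tested $url for ".php" BEFORE stripping $webdb['www_url'], so a
// URL such as ".p<www_url>hp" passed the test and became ".php" after the
// str_replace(); it also never confined the stripped path to PHP168_PATH, so "../"
// walked out of the web root. Both checks are now applied to the final, resolved
// path. eregi() (removed in PHP 7) is replaced by the equivalent preg_match() calls.

$fileurl = str_replace($webdb['www_url'], '', $url);

// Script-source check on the raw value AND on the stripped value (the latter is what
// actually reaches the filesystem). Case-insensitive literal match, not a regex.
if (stripos($url, '.php') !== false || stripos($fileurl, '.php') !== false) {
    die("ERR");
}

$root = realpath(PHP168_PATH);
$real = ($root !== false) ? realpath(PHP168_PATH . $fileurl) : false;
if ($root !== false) {
    $root = rtrim($root, '/\\') . DIRECTORY_SEPARATOR;
}

// A path that exists but resolves outside the web root is a traversal attempt.
// NOTE(review): if attachments live on a symlinked directory outside PHP168_PATH,
// that directory has to be accepted here as a second allowed root.
if ($real !== false && strncmp($real, $root, strlen($root)) !== 0) {
    die("ERR");
}

// Never hand out server-side source, whatever the extension case. Extend the list
// to whatever the web server maps to the PHP handler.
if ($real !== false && preg_match('/\.(php\d?|phtml|phps)$/i', $real)) {
    die("ERR");
}

if ($real !== false && is_file($real) && filesize($real) < 1024 * 1024 * 500) {
    $filename = basename($fileurl);
    $filetype = substr(strrchr($filename, '.'), 1);

    // Stored names look like "<id>_<2xxx...>_<base64(original name)>.<ext>"; recover
    // the original name for the download prompt (image names are left untouched).
    $encoded = preg_replace("/([\d]+)_(200[\d]+)_([^_]+)\.([^\.]+)/is", "\\3", $filename);
    if (preg_match('/^[a-z0-9=]+$/i', $encoded) && !preg_match('/(jpg|gif|png)$/i', $filename)) {
        $filename = urldecode(base64_decode($encoded)) . ".$filetype";
    }

    // The decoded name is attacker-influenced: strip control characters, quotes and
    // backslashes so it cannot break out of the quoted Content-Disposition parameter.
    $filename = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '', $filename);
    if ($filename === '') {
        $filename = 'download';
    }

    ob_end_clean();
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s', time()) . ' GMT');
    header('Pragma: no-cache');
    header('Content-Encoding: none');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    // The bare extension used to be sent as the media type; send a real one and
    // forbid sniffing so a browser never renders an attachment as HTML.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($real));
    readfile($real);
} else {
    // Not a local file: remote URLs are passed through, local ones are rewritten by
    // tempdir() (defined elsewhere).
    // NOTE(review): this is an open redirect for any $url containing "://" -- confirm
    // whether $url comes from the database or from the request before relying on it.
    $fileurl = strstr($url, "://") ? $url : tempdir($fileurl);
    header("location:$fileurl");
}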
代码:..job.php Line:117 if( eregi(".php",$url) ){ die("ERR"); } $fileurl=str_replace($webdb[www_url],"",$url); if(is_file(PHP168_PATH."$fileurl")&&filesize(PHP168_PATH."$fileurl")<1024*1024*500){ $filename=basename($fileurl); $filetype=substr(strrchr($filename,'.'),1); $_filename=preg_replace("/([\d]+)_(200[\d]+)_([^_]+)\.([^\.]+)/is","\\3",$filename); if(eregi("^([a-z0-9=]+)$",$_filename)&&!eregi("(jpg|gif|png)$",$filename)){ $filename=urldecode(base64_decode($_filename)).".$filetype"; } ob_end_clean(); header('Last-Modified: '.gmdate('D, d M Y H:i:s',time()).' GMT'); header('Pragma: no-cache'); header('Content-Encoding: none'); header('Content-Disposition: attachment; filename='.$filename); header('Content-type: '.$filetype); header('Content-Length: '.filesize(PHP168_PATH."$fileurl")); readfile(PHP168_PATH."$fileurl"); }else{ $fileurl=strstr($url,"://")?$url:tempdir($fileurl); header("location:$fileurl"); } 在这段代码里，先判断了 $url 中是否包含 .php，但紧接着又做了一次替换：$fileurl=str_replace($webdb[www_url],"",$url);。由于检查发生在替换之前，构造形如 .p$webdb[www_url]hp 的 URL 可以顺利通过前面的 .php 检查，而替换之后 $fileurl 正好变成 .php，随后的 is_file()/readfile() 就会把该 PHP 文件的源码当作附件下载。此外，$fileurl 在拼接到 PHP168_PATH 之前也没有做任何 ../ 或路径规范化处理。修复思路：把 .php 的检查放到替换之后、针对最终路径进行，并用 realpath() 确认结果仍位于 PHP168_PATH 之内。 我没有安装这个程序，只是搜索了一下代码，$webdb[www_url] 应该是站点的 Web URL 地址。 Php168 v5.0 <a href=http://www.php168.com target=_blank>http://www.php168.com</a>