转自:https://www.t00ls.net/thread-21381-1-1.html
[php]
//code by helen
public function save_profile() {
$user_info =@ ParamHolder::get('user', array());//获取数组
if (sizeof($user_info) <= 0) {
$this->assign('json', Toolkit::jsonERR(__('Missing user information!')));
return '_result';//www.moonhack.org
}
$passwd_changed = false;
try {
$o_user = new User(SessionHolder::get('user/id'));
if ($user_info['email'] != $o_user->email) {
/* Check duplicates */
if ($o_user->count("email=?", array($user_info['email'])) > 0) {
$this->assign('json', Toolkit::jsonERR(__('User E-mail address exists!')));
return '_result';
}
}
$o_user->set($user_info);
/* Check password */
$passwd_info =@ ParamHolder::get('passwd', array());
if (sizeof($passwd_info) != 2) {
$this->assign('json', Toolkit::jsonERR(__('Invalid Password!')));
return '_result';
}
if (strlen(trim($passwd_info['passwd'])) > 0 ||
strlen(trim($passwd_info['re_passwd'])) > 0) {
if ($passwd_info['passwd'] == $passwd_info['re_passwd']) {
$o_user->passwd = sha1($passwd_info['passwd']);
$passwd_changed = true;
}
}
$o_user->save(); //可以xo了 这里我不跟踪了 这个源码看的我蛋疼
} catch (Exception $ex) {
$this->assign('json', Toolkit::jsonERR($ex->getMessage()));
return '_result';
}
if ($passwd_changed) {
SessionHolder::destroy();
$this->assign('json', Toolkit::jsonOK(array('forward' => 'index.php')));
} else {
$forward_url = Html::uriquery('mod_user', 'edit_profile');
$this->assign('json', Toolkit::jsonOK(array('forward' => $forward_url)));
}
return '_result';
}
[/php]
数据库user表结构
直接改一下包可以秒了
上传文件注意可以看到这个函数
[php]
public static function fire_virus($imgfile){
$val_file = str_replace(strchr($imgfile,'.'),'.txt',$imgfile);
copy($imgfile,str_replace(strchr($imgfile,'.'),'.txt',$imgfile));
$i = 0;
$flag_img = 0;
if (file_exists($val_file)) {
$f= fopen($val_file,"r");
while (!feof($f)){
$line = fgets($f);
if (strpos($line,'eval(') ||strpos($line,'phpinfo') ||strpos($line,'fopen')) {//绕过很简单
@unlink($val_file);
@unlink($imgfile);
echo '该图片文件可能是伪装木马文件,已经将其删除,请换张上传,';
$flag_img = 1;
}
$i++;
if ($i==50) {
break;
}
}
fclose($f);
}
@unlink($val_file);
if ($flag_img) {
exit('上传已经停止');
}else{
return true;
}
}
[/php]