好不容易利用 Discuz! X3.2 的一个漏洞拿到 shell，从中取得了这个插件，求分析、开源！
<?php
// Hard gate: this installer is only meaningful inside the Discuz! admin
// control panel, whose bootstrap defines both constants. A direct HTTP hit
// on the file dies here before any of the setup below runs.
if (!(defined('IN_DISCUZ') && defined('IN_ADMINCP'))) {
    exit('Aecsse Denied'); // message kept verbatim (misspelling is original)
}
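// The admincp plugin installer includes this file with these in scope:
// $_G (site/request state), $pluginid (row id in common_plugin) and
// $pluginarray (the parsed plugin package: identifier, haoteamvars, language).
global $_G;
global $pluginid;
global $pluginarray;

// Prefixed names of the two "haoteam" framework tables created in steps 2/3.
$table1 = DB::table('haoteam_vars');
$table2 = DB::table('haoteam_lang');

// Plugin identifier taken from the package. It is used below both as a
// filesystem path component and, unescaped, inside the DELETE statements of
// $sql1/$sql2. Any validation of the identifier would happen in Discuz's
// plugin import code, which is not part of this file — do not assume it here.
$pname  = $pluginarray['plugin']['identifier'];
$folder = DISCUZ_ROOT . 'source' . DIRECTORY_SEPARATOR . 'plugin' . DIRECTORY_SEPARATOR . $pname;

// haoteam_validator() / haoteam_check() (called in step 1) are defined in the
// plugin's own vars.func.php. That file is not shown here, so what it checks
// and what it does with the licence-server reply cannot be determined from
// this listing.
if (!function_exists('haoteam_validator')) {
    if (file_exists($folder . DIRECTORY_SEPARATOR . 'vars.func.php')) {
        require_once $folder . DIRECTORY_SEPARATOR . 'vars.func.php';
    } else {
        cpmsg('plugin_not_found');
    }
}

// Licence id: cert.php is expected to define an array $cert whose index 5 is
// the site/licence id. $sid is initialised first so a missing cert.php (or a
// cert.php without index 5) no longer reads an undefined variable.
$sid = null;
if (file_exists($folder . DIRECTORY_SEPARATOR . 'cert.php')) {
    require_once $folder . DIRECTORY_SEPARATOR . 'cert.php';
    $sid = isset($cert[5]) ? $cert[5] : null;
}

// Identification payload handed to the vendor's licence check in step 1.
// Note that $cert is overwritten here: whatever cert.php defined is no longer
// reachable after this point.
$uniqueid = $_G['setting']['siteuniqueid']
    ? $_G['setting']['siteuniqueid']
    : C::t('common_setting')->fetch('siteuniqueid');
$cert = array(
    'qid'     => $uniqueid,
    'bbsUrl'  => $_G['siteurl'],
    'plugin'  => $pname,
    'sid'     => $sid,
    'siteurl' => $_G['setting']['siteurl'],
);

// Raw query string; every step re-emits it inside the next-step URL passed to
// cpmsg(). It is not escaped in this file — whether cpmsg() escapes it for
// the HTML/URL context is not visible from here (admincp-only, but confirm).
$insurl = $_SERVER['QUERY_STRING'];

// Schema for haoteam_vars followed by a purge of this plugin's previous rows.
// $pname is interpolated into the DELETE without escaping (see note above).
// Statement bytes are kept identical to the original (CRLF separators).
$sql1 = "\r\nCREATE TABLE IF NOT EXISTS `{$table1}` (\r\n"
    . " `pluginvarid` mediumint(8) unsigned NOT NULL auto_increment,\r\n"
    . " `pluginid` smallint(6) unsigned NOT NULL default '0',\r\n"
    . " `identifier` varchar(50) NOT NULL,\r\n"
    . " `displayorder` tinyint(3) NOT NULL default '0',\r\n"
    . " `title` varchar(100) NOT NULL default '',\r\n"
    . " `description` text NOT NULL,\r\n"
    . " `variable` varchar(40) NOT NULL default '',\r\n"
    . " `type` varchar(255) NOT NULL,\r\n"
    . " `value` text NOT NULL,\r\n"
    . " `extra` text NOT NULL,\r\n"
    . " `module` varchar(255) NOT NULL,\r\n"
    . " `submenu` varchar(255) NOT NULL,\r\n"
    . " `subnum` int(10) NOT NULL,\r\n"
    . " PRIMARY KEY (`pluginvarid`),\r\n"
    . " KEY `pluginid` (`pluginid`)\r\n"
    . ") ENGINE=MyISAM DEFAULT CHARSET=gbk;\r\n"
    . "DELETE FROM {$table1} WHERE identifier = '{$pname}';";

// The language table is only (re)created for a founder account with
// plugindeveloper enabled in config and the table definition present in the
// package; otherwise $sql2 stays undefined and step 3 does nothing but redirect.
if ($admincp->isfounder
    && $_G['config']['plugindeveloper']
    && file_exists($folder . DIRECTORY_SEPARATOR . 'table' . DIRECTORY_SEPARATOR . 'table_haoteam_lang.php')
) {
    $sql2 = "CREATE TABLE IF NOT EXISTS {$table2} (\r\n"
        . " `id` mediumint(8) NOT NULL AUTO_INCREMENT,\r\n"
        . " `pluginname` varchar(40) NOT NULL,\r\n"
        . " `system` tinyint(1) NOT NULL DEFAULT '0',\r\n"
        . " `variable` varchar(40) NOT NULL,\r\n"
        . " `value` text NOT NULL,\r\n"
        . " `module` varchar(255) NOT NULL,\r\n"
        . " PRIMARY KEY (`id`)\r\n"
        . ") ENGINE=MyISAM DEFAULT CHARSET=gbk;\r\n"
        . "DELETE FROM {$table2} WHERE pluginname = '{$pname}';";
}

// The plugin's own tables; step 4 creates each missing one from
// install/install_<name>.php and caches the list under "<pname>_tables".
$table4 = DB::table('piaobo_attachment');
$table5 = DB::table('piaobo_attachment_shar');
$table6 = DB::table('piaobo_attachment_extcredits');
$table_all = array(
    $table4,
    $table5,
    $table6,
);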
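// Installation runs as a chain of admincp redirects: each branch ends with
// cpmsg() pointing at "...&step=N+1". The 1-second pause on every numbered
// step is kept from the original (its purpose is not stated anywhere here).
// isset()/empty() are used so the first request (no step) and the optional
// $sql2/$piaobo_install variables no longer raise undefined notices; the
// truthiness semantics are unchanged.
if (!empty($_GET['step'])) {
    sleep(1);
}
switch (isset($_GET['step']) ? $_GET['step'] : null) {
    case '1':
        // Environment check. Unless the developer-mode cache entry exists, the
        // plugin validates its own files and then contacts the vendor's
        // licence server with $cert (site unique id, site url, plugin, sid).
        // Both helpers come from vars.func.php (not shown), so what is
        // verified and what is done with the reply is unknown from this file.
        // The endpoint is plain http://, so the payload is sent in clear and
        // the reply is not integrity-protected in transit.
        loadcache($pname . '_drk_developer');
        if (empty($_G['cache'][$pname . '_drk_developer'])) {
            haoteam_validator($pname . '.plugin', 0, array('check', 'install', 'upgrade', 'vars.func'));
            haoteam_check('http://www.51piaobo.com/', $cert, array('check', 'install', 'upgrade', 'vars.func'));
        }
        cpmsg(unie('检测环境完成,载入团队数据表……'), "{$insurl}&step=2", 'loading');
        break;

    case '2':
        // Create haoteam_vars and purge this plugin's previous rows.
        if (!empty($sql1)) {
            runquery($sql1);
        }
        cpmsg(unie('载入好团队数据完成,导入语言包……'), "{$insurl}&step=3", 'loading');
        break;

    case '3':
        // Only when $sql2 was built (founder + plugindeveloper): create the
        // language table and copy the package's language strings into it,
        // one row per (module, variable).
        if (!empty($sql2)) {
            runquery($sql2);
            foreach ($pluginarray['language'] as $module => $strings) {
                foreach ($strings as $variable => $text) {
                    C::t('#' . $pname . '#haoteam_lang')->insert(array(
                        'pluginname' => $pname,
                        'system'     => 0,
                        'variable'   => $variable,
                        'value'      => $text,
                        'module'     => $module,
                    ));
                }
            }
        }
        cpmsg(unie('导入语言包完成……'), "{$insurl}&step=4", 'loading');
        break;

    case '4':
        // Create each missing plugin table by running its installer file.
        // If that file sets $piaobo_install it is deleted afterwards, so the
        // schema it applied cannot be re-read from the installed copy — keep
        // the original package if the installer needs to be audited later.
        foreach ($table_all as $table) {
            if (check_table_is_exist($table)) {
                continue;
            }
            // Strip the configured table prefix to get the installer suffix.
            // The extra branch re-adds the first "_" segment when it equals
            // the prefix verbatim; if the prefix ends in "_" (as Discuz
            // prefixes usually do — confirm) explode() drops that underscore
            // and the branch never fires. Kept exactly as the original.
            $prefix   = $_G['config']['db'][1]['tablepre'];
            $suffix   = str_ireplace($prefix, '', $table);
            $segments = explode('_', $table);
            if ($prefix == $segments[0]) {
                $suffix = $segments[0] . $suffix;
            }
            $installer = $folder . '/install/install_' . $suffix . '.php';
            require_once $installer;
            if (!empty($piaobo_install)) {
                @unlink($installer);
            }
        }
        savecache($pname . '_tables', $table_all);

        // Register the plugin's admin variables. Each $vars entry is a column
        // map; a 'pluginid' key inside it overrides the default (loop order
        // preserves that behaviour from the original).
        foreach ($pluginarray['haoteamvars'] as $vars) {
            $data = array('pluginid' => $pluginid);
            foreach ($vars as $column => $value) {
                $data[$column] = $value;
            }
            C::t('#' . $pname . '#haoteam_vars')->insert($data);
        }
        cpmsg(unie('导入应用数据表完成...'), "{$insurl}&step=5", 'loading');
        break;

    case '5':
        // Enable the plugin and rebuild the caches/menus that depend on it.
        C::t('common_plugin')->update($pluginid, array('available' => '1'));
        updatecache(array('plugin', 'setting', 'styles'));
        cleartemplatecache();
        updatemenu('plugin');
        cpmsg(unie('清理缓存……'), "{$insurl}&step=6", 'loading');
        break;

    case '6':
        // Optional data import shipped with the package (runs as admincp).
        if (file_exists($folder . '/install/install_import.php')) {
            require_once $folder . '/install/install_import.php';
        }
        cpmsg(unie('数据导入及临时文件创建'), "{$insurl}&step=7", 'loading');
        break;

    case '7':
        // Offer the optional "micro community" module: a confirmation form
        // whose submit goes to step 8 and whose cancel link goes to step 9.
        $wsqInstaller = $folder . '/install/install_wsq.php';
        if (file_exists($wsqInstaller)) {
            cpmsg(
                unie('是否启用微社区模块(不影响传统论坛功能)'),
                "{$insurl}&step=8",
                'form',
                array(),
                '',
                true,
                ADMINSCRIPT . '?' . $insurl . '&step=9'
            );
        } else {
            cpmsg(unie('数据导入及临时文件创建'), "{$insurl}&step=9", 'loading');
        }
        break;

    case '8':
        // Run the micro-community installer. NOTE: the redirect targets
        // step=10, for which this switch has no case — such a request falls
        // through to default and restarts at step 1. Whether the enclosing
        // installer intercepts step 10 is not visible here; confirm.
        require_once $folder . '/install/install_wsq.php';
        cpmsg(unie('数据导入及临时文件创建'), "{$insurl}&step=10", 'loading');
        break;

    case '9':
        // Signal completion; presumably read by the calling admincp installer.
        $finish = true;
        break;

    default:
        // No (or unknown) step: start the chain.
        cpmsg(unie('开始安装前的准备,检测环境...'), "{$insurl}&step=1", 'loading');
}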
?>