by:xhming
data/modules/albums/pages_admin/albums_getimage.php
....................................
$image = $_GET['image'];
if (!ereg("thumb", $image)) {
    if (preg_match("#([.*])([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) {
        if ($image != $matches[0]) {
            unset($image);
            die("A hacking attempt has been detected. For security reasons, we're blocking any code execution.");
        }
    }
}
elseif (ereg("thumb", $image)) {
    if (preg_match("#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) { // the regex match here is flawed!!!
        if ($image != $matches[0]) {
            unset($image);
            die("A hacking attempt has been detected. For security reasons, we're blocking any code execution.");
        }
    }
}
if (file_exists("../../../../data/settings/modules/albums/$image")) {
    //generate the image, make sure it doesn't end up in the visitors buffer
    header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
    header("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
    header("Pragma: no-cache");
    header("Content-Type: image/jpeg");
    echo readfile("../../../../data/settings/modules/albums/$image"); // triggers the vulnerability
Obviously the regex in `if (preg_match("#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#", $image, $matches))` is flawed: the script only dies when the pattern matches and the match differs from the whole string, so an $image value that contains "thumb" but never matches the pattern at all is passed straight through to file_exists() and readfile(). In other words, as long as our $image variable contains the string "thumb", we can bypass its check!
Local test, as shown in the figure:
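For comparison, here is a hardened replacement for the check above. This is an added example, not code from the original post or from the affected project: it drops the blacklist-style regex (which accepts any input it fails to match) in favour of an anchored whitelist of acceptable names, then resolves the path with realpath() and refuses anything that does not land inside the album directory. The directory name and the accepted extensions are assumptions; adjust them to the real installation.

```php
<?php
// Added example, not code from the original post or the affected project.
// $albumDir is an assumption; substitute the real albums settings path.
$albumDir = '../../../../data/settings/modules/albums';

/**
 * Returns the absolute path of an album image that is guaranteed to live
 * inside $albumDir, or null if the request must be refused.
 */
function resolveAlbumImage(string $albumDir, string $image): ?string
{
    // Whitelist the shape of the name instead of blacklisting bad patterns:
    // an optional "thumb/" prefix, then one plain file name with an image
    // extension. \A and \z force a whole-string match, so an input that does
    // not match is rejected instead of silently accepted.
    if (!preg_match('#\A(?:thumb/)?[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)\z#', $image)) {
        return null;
    }

    $base = realpath($albumDir);
    $full = realpath($albumDir . '/' . $image);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }

    // realpath() collapses "." and ".." and follows symlinks, so a result
    // that does not start with the base directory means the request escaped it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

$image = isset($_GET['image']) ? (string) $_GET['image'] : '';
$path  = resolveAlbumImage($albumDir, $image);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Content-Type: image/jpeg');
readfile($path); // readfile() writes the bytes itself; echoing its return value would append the byte count
```

The example uses preg_match() only, since ereg() was removed in PHP 7. The realpath() containment test is the part that actually matters: even if the whitelist regex were later loosened, a name that resolves outside the album directory is still refused.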