远程包含漏洞挖掘脚本

<?php
set_time_limit(0);
function tree($directory)
{
$mydir=dir($directory);

while($file=$mydir->read()){
if((is_dir("$directory/$file")) && ($file!=".") && ($file!=".."))
{
tree("$directory/$file");
}
else{
if($file != "." && $file != ".."&&eregi(".php",$file)){
$fd=realpath($directory."/".$file);
$fop = fopen($fd, "r");
$i=0;
while ($buffer = fgets($fop, 4096)) {
$i++;
if((eregi("include",$buffer)||eregi("require",$buffer))&&strpos($buffer,"$")){
countall();
echo "<li><font color=\"#ff00cc\">file path:".$fd."</font></li>"." <td><a href=\"?downfile=".$fd."\">Down&&Open</a> "."<br> the file line<font color=\"#0000FF\">".$i."</font> ::======>". $buffer."<hr>";

}
}
fclose($fop);

}
}
}
$mydir->close();
}
function countall()
{
static $count = 1;
echo "the files number ".$count." :) ";
$count++;
}
if($_GET['act']=="findMM"){
$fuck=$_GET['GUID'];
tree($fuck);

}
if ($_GET['downfile']) {
$downfile=$_GET['downfile'];
if (!@is_file($downfile)) {
echo "<script>alert(\"the file is out\")</script>";
}
$filename = basename($downfile);//
$filename_info = explode('.', $filename);//
$fileext = $filename_info[count($filename_info)-1];
header('Content-type: application/x-'.$fileext);
header('Content-Disposition: attachment; filename='.$filename);
header('Content-Description: PHP3 Generated Data');
readfile($downfile);
exit;
}
?>

<br>
<form action="<? echo $PHP_SELF?>" method="GET">

<table width="600" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="400" height="22">please wirte path(like: /usr/www/)：</td>
<td><input name="GUID" type="text" id="GUID" value="E:\MyPhp\APMServ5.1.2\www\htdocs\ecshop"size="40" /></td>
</tr>
<input type="hidden" name="act" value="findMM" />
<tr>
<td height="22"> </td>
<td><input type="submit" name="Submit" value=" POST fuck " /></td>
</tr>
<tr>
<td height="22"> </td>
<td> </td>
</tr>
</table>
</form>
<center><li><font color="#ff00cc"><b>copy write by %5C E_Mail: isno_sec@163.com[url=mailto:QQ239273079@[/b]