I re-checked that the getip vulnerability was completed before 91736.

Vulnerable file: system/modules/member/index.php

```php
public function edit()
{
    if (empty($_COOKIE['Member_user']) || empty($_COOKIE['Member_userid'])) {
        showmsg(C("admin_not_exist"), "index.php?M=member&f=login");
    }
    $userid = $_COOKIE['Member_userid'];
    // The vulnerability is located here: $userid is not filtered and is placed directly into the query.
    $info = $this->mysql->get_one("select * from " . DB_PRE . "member where `userid`=$userid");
    $input = base::load_class('input');
    $field = base::load_cache("cache_field_member", "_field");
    $fields = "";
    foreach ($field as $value) {
        $fields .= "<tr>\n";
        $fields .= "<td align=\"right\">" . $value['name'] . "：</td>\n";
        // Call the input-class method named by the field's form type.
        $fields .= "<td>" . $input->{$value['formtype']}($value['field'], $info[$value['field']], $value['width'], $value['height'], $value['initial']) . "" . $value['explain'] . "</td>\n";
        $fields .= "</tr>\n";
    }
    assign('member', $info);
    assign("fields", $fields);
    template("member/edit");
}
```

In fact, there is also a function edit_save with the same vulnerability. Likewise, it is just an UPDATE injection, a method that everyone will probably use.

I will use Firefox's Edit Cookies plug-in to demonstrate.

Function edit: the injection returns the account password:

Function edit_save:
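
A hardened form of the member lookup in edit(), as an added example that is not code from the original page or from the project: the cookie value is accepted only if it is purely digits, and the query binds it as an integer parameter instead of concatenating it. The helper names `cookie_userid` and `get_member`, the use of PDO with an in-memory SQLite table, the `DB_PRE` value and the sample rows are assumptions made for the demonstration; the cookie name follows the code shown on the page.

```php
<?php
// Added example: hypothetical helpers, not the project's own code.
define('DB_PRE', 'c_'); // constructed prefix for the demo table

/** Return the cookie value as a positive int, or null unless it is purely digits. */
function cookie_userid(array $cookies): ?int
{
    $raw = $cookies['Member_userid'] ?? '';
    // ctype_digit() rejects spaces, quotes, signs and any trailing text.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Fetch one member row; the id is bound, so it never becomes SQL text. */
function get_member(PDO $db, int $userid): ?array
{
    $stmt = $db->prepare('SELECT * FROM ' . DB_PRE . 'member WHERE userid = :userid');
    $stmt->bindValue(':userid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . DB_PRE . 'member (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec('INSERT INTO ' . DB_PRE . "member VALUES (7, 'alice'), (8, 'bob')");

// Constructed cookie values: one well-formed, two carrying extra text.
foreach (['7', '7 /* appended SQL */', "8'"] as $value) {
    $id = cookie_userid(['Member_userid' => $value]);
    if ($id === null) {
        // Anything other than digits is refused before a query is built.
        echo 'rejected: ' . json_encode($value) . "\n";
        continue;
    }
    $row = get_member($db, $id);
    echo "userid $id -> " . ($row['username'] ?? 'no such member') . "\n";
}
```

The same validation and binding applies to the UPDATE statement in edit_save, which the page says has the same flaw.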