### 简要描述:
更新日期: 2014-05-19 12:17:29
### 详细说明:
在control/login.php中
```
if (kekezu::submitcheck(isset($formhash))|| isset($login_type) ==3) {
if($code){
$strCodeCheck = kekezu::check_secode ( $code );
if ($strCodeCheck!=1) {
$tips['errors']['code'] = $strCodeCheck;
kekezu::show_msg ($tips, NULL, NULL, NULL, 'error' );
}
}
isset($hdn_refer) and $_K['refer'] = $hdn_refer;
isset($_COOKIE['kekeloginrefer']) and $_K['refer'] = $_COOKIE['kekeloginrefer'];
$refer_do = array('do'=>null);
$refer = parse_url($_K['refer']);
isset($refer['query']) and parse_str($refer['query'],$refer_do);
!$refer_do['do']&&$do='logout' and $refer_do['do']='logout';
in_array($refer_do['do'],array('logout','register','login','activating')) and $_K['refer'] = 'index.php' or $_K['refer'] =$_K['refer'];
$strCode = isset($code)?$code:"";
$intLoginType = isset($login_type)?$login_type:"";
$ckb_cookie = isset($ckb_cookie)?$ckb_cookie:"";
if (strtoupper ( CHARSET ) == 'GBK') {
$account = kekezu::utftogbk( $account );
}
$objLogin = new keke_user_login_class();
$arrUserInfo = $objLogin->user_login($account, $password,$strCode,$intLogin_type);
$objLogin->save_user_info($arrUserInfo,$account, $ckb_cookie,$intLoginType,intval($autoLogin)
```
$account 未过滤就带入了查询中。。
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201405/25151333fad3500a195e8b86c7ea2f4b6772cf97.jpg" alt="k3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/25151333fad3500a195e8b86c7ea2f4b6772cf97.jpg)
[<img src="https://images.seebug.org/upload/201405/25151351f08572349bd5c425020c19626f193ee7.jpg" alt="k4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/25151351f08572349bd5c425020c19626f193ee7.jpg)
京公网安备 11010502034610号
暂无评论