PHPMyWind一枚注入

### 简要描述： rt ### 详细说明： Finger能把这个合到之前那个洞一起么 类似的 漏洞文件 /member.php ``` else if($a == 'binding') { //初始化参数 $username = empty($username) ? '' : $username; $password = empty($password) ? '' : md5(md5($password)); //验证输入数据 if($username == '' or $password == '') { header('location:?c=binding'); exit(); } $row = $dosql->GetOne("SELECT `id`,`password`,`logintime`,`loginip`,`expval` FROM `#@__member` WHERE `username`='$username'"); //密码错误 if(!is_array($row) or $password!=$row['password']) { ShowMsg('您输入的用户名或密码错误！','-1'); exit(); } else { if(check_app_login('qq')) { $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'"); if(isset($r['id'])) { ShowMsg('该QQ已与其他账号绑定！','-1'); } else { $qqid = $_SESSION['app']['qq']['uid']; $sql = "UPDATE `#@__member` SET `qqid`='$qqid' WHERE `username`='$username'"; } } else if(check_app_login('weibo')) { $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'"); if(isset($r['id'])) { ShowMsg('该微博已与其他账号绑定！','-1'); } else { $weiboid = $_SESSION['app']['weibo']['idstr']; $sql = "UPDATE `#@__member` SET `weiboid`='$weiboid' WHERE `username`='$username'"; } } $dosql->ExecNoneQuery($sql); ``` $sql 未初始化 ### 漏洞证明： 证明： username password要填真实的 [<img src="https://images.seebug.org/upload/201505/291829491275b557854e8ed62af4544396ba7b76.png" alt="QQ图片20150529182909.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/291829491275b557854e8ed62af4544396ba7b76.png) [<img src="https://images.seebug.org/upload/201505/291829564247c9966ea14618c59e272a381d5cc6.png" alt="12312382930.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/291829564247c9966ea14618c59e272a381d5cc6.png)