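Vulnerable file: app/controllers/user/reg.php

```
public function check() {
    // xss_clean() targets XSS; it does not escape SQL metacharacters
    $username = $this->security->xss_clean($this->input->get_post('username', TRUE)); // username
    // The request value is concatenated directly into the SQL string
    $sqlu = "SELECT cs_id FROM ".CS_SqlPrefix."user where cs_name='".$username."'";
    $row = $this->CsdjDB->get_all($sqlu);
    if (!$row) {
        echo 'no';
    } else {
        echo 'ok';
    }
}
```

This method checks whether $username exists. Although CSDJCMS has a global anti-injection filter, it can be bypassed with double encoding.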
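A hardened counterpart of the lookup above, as an added example that is not CSDJCMS code: the value is bound as a query parameter and checked against an allow-list, so an encoded quote that slips past a filter is never parsed as SQL. PDO with in-memory SQLite stands in for `CsdjDB`, `cs_` stands in for `CS_SqlPrefix`, and the username pattern and the `invalid` response are assumptions.

```php
<?php
// Added example, not CSDJCMS code. PDO/SQLite and the 'cs_' prefix are stand-ins.
const TABLE_PREFIX = 'cs_';   // placeholder for CS_SqlPrefix

// Allow-list (assumed policy): letters, digits, underscore, 3-20 characters.
// '%' and quotes never pass, so a value that is still percent-encoded is
// rejected here instead of being decoded by a later layer.
function valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) === 1;
}

// Same lookup as check(), but the value is bound rather than concatenated.
function username_exists(PDO $db, string $name): bool
{
    $stmt = $db->prepare(
        'SELECT cs_id FROM ' . TABLE_PREFIX . 'user WHERE cs_name = :name LIMIT 1'
    );
    $stmt->execute([':name' => $name]);
    return $stmt->fetchColumn() !== false;
}

// Mirrors the original 'ok' / 'no' responses; 'invalid' is added for rejected input.
function check(PDO $db, string $raw): string
{
    if (!valid_username($raw)) {
        return 'invalid';
    }
    return username_exists($db, $raw) ? 'ok' : 'no';
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . TABLE_PREFIX . 'user (cs_id INTEGER PRIMARY KEY, cs_name TEXT)');
$db->exec("INSERT INTO " . TABLE_PREFIX . "user (cs_name) VALUES ('alice')");

// '%27' is what a double-encoded quote looks like after one decoding pass.
foreach (['alice', 'bob', '%27', "o'brien"] as $sample) {
    printf("%-10s => %s\n", $sample, check($db, $sample));
}

// Even with validation skipped, a decoded quote in a bound value is compared as data.
var_dump(username_exists($db, rawurldecode('%27') . 'alice'));
```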