CmsEasy the latest version 5. 5_UTF-8_20140802, the front is the rain God to spare the three Tick: cmseasy bypass patch[SQL injection]()one Tick: continue to bypass cmseasy patches continue to inject Tick: continuous bypass cmseasy two patches continue to inject The latest inside also repair, but the repair is not complete, this is the fourth patch. Continue to bypass[SQL injection]() 来看看文件 :archive_act.php code area function respond_action() { the include_once ROOT . '/lib/plugins/pay/' . front::$get['code'] . '. php'; $payclassname = front::$get['code']; $payobj = new $payclassname(); $uri = $_SERVER["REQUEST_URI"]; $__uriget = strstr($uri, '?'); $__uriget = str_replace('?', ", $__uriget); $__uriget = explode('&', $__uriget); $_GET = array(); foreach ($__uriget as $key => $val) { $tmp = explode('=', $val); $_GET[$tmp[0]] = $tmp[1]; if(preg_match('/\'|select|union|"/i', $tmp1)){ exit('illegal parameters'); } } file_put_contents('logs11.txt', var_export($_GET,true)); $status = $payobj->respond(); if ($status) { echo ''; front::refresh(url('archive/orders/oid/' . front::get('subject'), true)); } else { echo ''; front::refresh(url('archive/orders/oid/' . front::get('subject'), true)); } } Here called$status = $payobj->respond(); Into the respond function to see: 文件 alipay.php to: code area function respond() { if (! empty($_POST)) { foreach($_POST as $key =>$data) { if(preg_match('/(=|<|>|\')/', $data)){ return false; } $_GET[$key] = $data; } } $payment = pay::get_payment($_GET['code']); $seller_email = rawurldecode($_GET['seller_email']); $order_sn = str_replace($_GET['subject'],",$_GET['out_trade_no']); $order_sn = trim($order_sn); if (! pay::check_money($order_sn,$_GET['total_fee'])) { return false; } if($_GET['trade_status'] == "WAIT_SELLER_SEND_GOODS"||$_GET['trade_status'] == "TRADE_FINISHED" || $_GET['trade_status'] == "TRADE_SUCCESS") { pay::changeorders($order_sn,$_GET); return true; }else { return false; } } Here taken directly into the$_POST content Filtered=,<,>,'these Then when trade_status=WAIT_SELLER_SEND_GOODS, enter the pay::changeorders($order_sn,$_GET); Continue to follow up to see changeorders function: code area public static function changeorders($id,$orderlog) { //file_put_contents('logs.txt', $id); $where=array(); $where['id']=$id; $where['status']=4; //$where['orderlog']=serialize($orderlog); $update=orders::getInstance()->rec_update($where,$id); if($update<1) { exit('changing the order status an error occurred, please contact administrator'); } Here$where['id']=$id=$order_sn=str_replace($_GET['subject'],",$_GET['out_trade_no']); Finally into the rec_update($where,$id) **[1] [[2]](<55450_2.htm>) [[3]](<55450_3.htm>) [next](<55450_2.htm>)**

CmsEasy the latest version 5. 5_UTF-8_20140802 bypass the four patches continue to SQL injection-vulnerability warning-the black bar safety net