DayuCMS 1.525 /member/include/tag.class.php SQL注入漏洞

/member/include/member.class.phpfunction exists$field, $value return $this-db-fetchone"SELECT id FROM $this-table WHERE $this-table.$field='$value' LIMIT 0, 1"; 传入的$field和$value未经过过滤直接带入SQL语句中。 /member/include/msg.class.php function send$msgs global $userid,$username,$member;...