1024cms 2.1.1 SQL Injection

Exploit Title: 1024cms 0 mysqlquery"UPDATE ".$prefix."online SET time='".$now."' WHERE ip='".$ip."'" or die"WHOSONLINE::: Cannot update user: ".mysqlerror; else mysqlquery"INSERT INTO ".$prefix."online time, ip, username, location, uid VALUES '".$now."', '".$ip."', '".$username."', '".$location."...