phpems 多处sql注射

### 简要描述： phpems 多处sql注射 ### 详细说明： 百度搜索： title:PHPEMS无纸化模拟考试系统 [<img src="https://images.seebug.org/upload/201504/071929425a63f822f5851f3d4924460d12ed23a5.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/071929425a63f822f5851f3d4924460d12ed23a5.png) ev.cls.php: ``` public function getClientIp() { if(!isset($this->e['ip'])) { if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) $ip = getenv("HTTP_CLIENT_IP"); else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) $ip = getenv("HTTP_X_FORWARDED_FOR"); else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) $ip = getenv("REMOTE_ADDR"); else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else $ip = "unknown"; $this->e['ip'] = $ip; } return $this->e['ip']; } ``` 搜索： getClientIp [<img src="https://images.seebug.org/upload/201504/0719272585a21c6ac7756e3bd3ed65625d53e1f5.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/0719272585a21c6ac7756e3bd3ed65625d53e1f5.png) 举一个例子: app.php: ``` public function register() { if($this->ev->get('userregister')) { $fob = array('admin','管理员','站长'); $args = $this->ev->get('args'); $defaultgroup = $this->user->getDefaultGroup(); if(!$defaultgroup['groupid'] || !trim($args['username'])) { $message = array( 'statusCode' => 300, "message" => "用户不能注册" ); exit(json_encode($message)); } $username = $args['username']; foreach($fob as $f) { if(strpos($username,$f) !== false) { $message = array( 'statusCode' => 300, 'errorinput' => 'args[username]', "message" => "用户已经存在" ); exit(json_encode($message)); } } $user = $this->user->getUserByUserName($username); if($user) { $message = array( 'statusCode' => 300, 'errorinput' => 'args[username]', "message" => "用户已经存在" ); exit(json_encode($message)); } $email = $args['useremail']; $user = $this->user->getUserByEmail($email); if($user) { $message = array( 'statusCode' => 300, 'errorinput' => 'args[username]', "message" => "邮箱已经被注册" ); exit(json_encode($message)); } $id = $this->user->insertUser(array('username' => $username,'usergroupid' => $defaultgroup['groupid'],'userpassword' => md5($args['userpassword']),'useremail' => $email)); $this->session->setSessionUser(array('sessionuserid'=>$id,'sessionpassword'=>md5($args['userpassword']),'sessionip'=>$this->ev->getClientIp(),'sessiongroupid'=>$defaultgroup['groupid'],'sessionlogintime'=>TIME,'sessionusername'=>$username)); $message = array( 'statusCode' => 200, "message" => "操作成功", ``` [<img src="https://images.seebug.org/upload/201504/0719283839da18551334594d3a6ce7c5345c2dea.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/0719283839da18551334594d3a6ce7c5345c2dea.png) ### 漏洞证明：