AACMS2.4注入漏洞

PHP代码

//user.action.php文本第98行
elseif ($act=='repassword') {

        $uid = $db->getOne("SELECT uid FROM $_SC[tablepre]members WHERE email='$_REQUEST[email]'"); //明显的。。。

        if($uid){
                echo $uid;
                $password = random(6);

                $smtpemailto = $_REQUEST['email'];
                $mailsubject = '找出密码 - AACMS';
                $mailbody = '您的密码为：' . $password .' 本邮件为系统自动所发，请勿回复！';
                include(S_ROOT . 'include/send_mail.php');

                $db->update("$_SC[tablepre]members",array( 'password' => md5($password) ),'uid='.$uid);

                echo '邮箱发送成功，请查收！';


        }else{
                echo '邮箱未被使用！';
        }

 

201111140833527210.zip