sycPHPCMS v1.6 cookie sqlinjection

./user/index.php

<?php
include "../include/conn.php";      // database connection, provides $db
include "../include/function.php";  // provides SafeRequest()

$Vipname=SafeRequest("name","get");
$Vippwd=SafeRequest("pwd","get");
$Viplogn=SafeRequest("logname","get");
if(($Vipname=="")||($Vippwd=="")){
    if(empty($_COOKIE["S_Name"])||empty($_COOKIE["S_PWD"])){
        echo "<script>window.location='userlog.php'</script>";
        die();
    }
    else{
        // The GET parameters go through SafeRequest(), but the cookie value is
        // concatenated straight into the SQL string: this is the injection point.
        $sql="select * from s_users where S_Name='".$_COOKIE["S_Name"]."'";
        $result=$db->query($sql);
        if($row=$db->fetch_array($result)){

......

The username taken from $_COOKIE['S_Name'] is placed into the database query without any filtering, which yields a cookie-based SQL injection. That said, the bug is of little practical use: the system ships with user registration disabled by default, so in practice it amounts to nothing........
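A hardened version of the cookie lookup above, added here as an example and not code from sycPHPCMS: it assumes $db is a mysqli connection (the CMS's own $db wrapper and its query()/fetch_array() methods are not shown on the page), binds the cookie value as a statement parameter instead of concatenating it, and rejects values that do not look like a username before they reach the database.

```php
<?php
// Added example, not part of sycPHPCMS. Assumes $db is a mysqli connection
// built with mysqlnd (needed for get_result()); the CMS's real $db wrapper differs.

/**
 * Look up a user row by the S_Name cookie value without building SQL by string
 * concatenation. Returns the row as an associative array, or null when the
 * value is rejected, the statement fails, or no row matches.
 */
function find_user_by_cookie_name(mysqli $db, string $name): ?array
{
    // Assumed username policy: 1 to 32 letters, digits or underscores.
    // This is a second layer only; the bound parameter below is what stops injection.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
        return null;
    }

    // The cookie value travels as a bound parameter, so quotes or SQL keywords
    // inside it are treated as data, never as part of the statement text.
    $stmt = $db->prepare("SELECT * FROM s_users WHERE S_Name = ? LIMIT 1");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $name);
    if (!$stmt->execute()) {
        $stmt->close();
        return null;
    }
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// How user/index.php would call it; a missing cookie still redirects as in the original flow.
if (empty($_COOKIE["S_Name"]) || empty($_COOKIE["S_PWD"])) {
    echo "<script>window.location='userlog.php'</script>";
    die();
}
$row = find_user_by_cookie_name($db, (string) $_COOKIE["S_Name"]);
if ($row === null) {
    // Unknown or malformed name: treat the visitor as not logged in instead of trusting the cookie.
    echo "<script>window.location='userlog.php'</script>";
    die();
}
```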

Original article: https://www.cnblogs.com/debugzer0/p/4680885.html