WooYun.org

phpmps_v2.3_build121113_utf8
在用户注册时候，虽然做了转移，但是存储到数据库的时候转义符被去掉，从而造成sql二次注入，登陆后跳转截图

此处就是刚才注册时的用户名jkgh009'
然后查看交易详情，可看到用户名被二次利用，触发sql报错
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT count(*) as number FROM phpmps_pay_exchange WHERE username='jkgh009'' ) [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''jkgh009''' at line 1 ) [3] => Array ( [errno] => 1064 ) )
此处的逻辑代码为：

由于$_username直接从数据库取出来，未做过滤，所以导致sql注入