后台登陆界面存在检查功能，不安全取值导致的SQL注入。

/controller/controller_class.php
    public  function check()
    {
        
        $this->safebox = Safebox::getInstance();
        $this->title='后台登录';
        
        
        $code = $this->safebox->get($this->captchaKey);
        if($code != strtolower(Req::args($this->captchaKey)))
        {
            $this->msg='验证码错误！';
            $this->layout = "";
            $this->redirect('login',false);
        }
        else
        {
            $manager = new Manager(Req::args('name'),Req::args('password'));
            $this->msg='验证码错误！';
            if($manager->getStatus() == 'online')
            {
                $back = Req::args('callback');
                $model = new Model("manager");
                $model->data(array('last_ip'=>Chips::getIP(),'last_login'=>date("Y-m-d H:i:s")))->where("id=".$manager->id)->update();
//这里有一个getIP函数，跟入。
                if($back === null) $back = $this->defaultAction;
                $this->redirect($back,true);
            }
            else
            {
                $this->msg='用户名或者密码错误';
                $this->layout = "";
                $this->redirect('login',false);
            }
        }
}

getip函数跟进。

/framework/lib/util/chips_class.php

public static function getIP()

{

if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];

elseif (isset($_SERVER["HTTP_CLIENT_IP"])) $ip = $_SERVER["HTTP_CLIENT_IP"];

elseif (isset($_SERVER["REMOTE_ADDR"])) $ip = $_SERVER["REMOTE_ADDR"];

elseif (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");

elseif (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");

elseif (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");

else $ip = "Unknown";

return $ip;

}



直接获取了$_SERVER["HTTP_X_FORWARDED_FOR"]，gpc也没用了。导致了注入。我输出语句演示。

修复方案：

获取转义