置信经典OriTop管理系统sql注入以及任意文件下载

这是一个小的cms，主要是用于医院网站


sql注入点：http://www.eyehospital.com/About.php?id=4

代码如下，参数id只是简单地检测了变量是否设置，然后直接带入查询：
 

<?php
if(!isset($_GET['id']) && !isset($_GET['Id']))
{
echo "<script language=javascript>top.location.replace('./');</script>";
exit;
}
$id = isset($_GET['id']) ? $_GET['id'] : $_GET['Id'];

include "Include/global.php";
include "Include/config.php";
$DataBase = new DataBase;
$DataBase->OpenDataBase();


$qid = mysql_query("SELECT * FROM about WHERE id='$id'");
if(mysql_num_rows($qid) > 0)
{
$row = mysql_fetch_row($qid);
}
else
{
header("location: ./");
exit;
}


include "Template/Header.tpl";
include "Template/About.tpl";
include "Template/Footer.tpl";
?>

任意文件下载http://xtsz.com.cn/ShowFile.php?id=../index.php

代码如下，也是没有验证：
 

<?php
include "Include/global.php";
include "Include/config.php";

if(isset($_GET['id']) && $_GET['id'] != "")
{
$file_name = $_GET['id'];
$file_root_name = "$upfile_root_path/$file_name";

if (!file_exists($file_root_name))
{
echo "文件不存在";
exit;
}

$file_postfix = pathinfo($file_name);
$file_postfix = strtolower($file_postfix["extension"]);


if($file_postfix != "jpg" && $file_postfix != "gif")
{
$file = fopen($file_root_name,"r"); // 打开文件 
// 输入文件标签
Header("Content-type: application/octet-stream");
Header("Accept-Ranges: bytes");
Header("Accept-Length: ".filesize($file_root_name));
Header("Content-Disposition: attachment; filename=" . $file_name);
// 输出文件内容
echo fread($file,filesize($file_root_name));
fclose($file);
exit;
}
else
{
// Content type
header('Content-type: image/gif');
if($file_postfix != "gif")
{
$image = imagecreatefromjpeg($file_root_name);
imagejpeg($image);
}
else
{
$image = imagecreatefromgif($file_root_name);
imagegif($image);
}

// Output
ImageDestroy($image);
}
}
?>