### 简要描述: rt ### 详细说明: 根据http://**.**.**.**/bugs/wooyun-2015-0136712进行测试发现的。 ``` POST /login.php?Cmd=login HTTP/1.1 Host: **.**.**.** Content-Length: 71 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://**.**.**.** Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20120101 Firefox/33.0 Content-Type: application/x-www-form-urlencoded Referer: http://**.**.**.**/login.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: PHPSESSID=28283054d2c8717160a08a9a8f504ef8 name=admin&domain=**.**.**.**&passwd=admin&login=-login-&language=-&Lang= ``` 参数name和domain度存在注入。(部分站点需使用tamper=space2comment绕过) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201510/091639500f3b772f2a26a028a1455eedd3c390a0.jpg" alt="aaaaaaaaaaaaaaaa111111111111111111111111.jpg" width="600"...
### 简要描述: rt ### 详细说明: 根据http://**.**.**.**/bugs/wooyun-2015-0136712进行测试发现的。 ``` POST /login.php?Cmd=login HTTP/1.1 Host: **.**.**.** Content-Length: 71 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://**.**.**.** Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20120101 Firefox/33.0 Content-Type: application/x-www-form-urlencoded Referer: http://**.**.**.**/login.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: PHPSESSID=28283054d2c8717160a08a9a8f504ef8 name=admin&domain=**.**.**.**&passwd=admin&login=-login-&language=-&Lang= ``` 参数name和domain度存在注入。(部分站点需使用tamper=space2comment绕过) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201510/091639500f3b772f2a26a028a1455eedd3c390a0.jpg" alt="aaaaaaaaaaaaaaaa111111111111111111111111.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/091639500f3b772f2a26a028a1455eedd3c390a0.jpg) [<img src="https://images.seebug.org/upload/201510/091640039b8474d8e8bf5d638c4b320626b55900.jpg" alt="aaaaaaaaaaaaaa222222222222222222222222.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/091640039b8474d8e8bf5d638c4b320626b55900.jpg) [<img src="https://images.seebug.org/upload/201510/091640226cc461d6f200ae3424a259e9bad1f795.jpg" alt="aaaaaaaaaaaaaaa3333333333333333333.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/091640226cc461d6f200ae3424a259e9bad1f795.jpg) [<img src="https://images.seebug.org/upload/201510/0916413752c857ff8252bf5dcfe4dfdc124a075a.jpg" alt="aaaaaaaaaaaaaaaa444444444444444444444444.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/0916413752c857ff8252bf5dcfe4dfdc124a075a.jpg) [<img src="https://images.seebug.org/upload/201510/09164205d81b15f0c3b516198e3162bf0fc37023.jpg" alt="aaaaaaaaaaaaaaaa5555555555555555555555555.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/09164205d81b15f0c3b516198e3162bf0fc37023.jpg) [<img src="https://images.seebug.org/upload/201510/091642292849ede1f066de506a5453dbcc3f9b20.jpg" alt="aaaaaaaaaaaaaaaa66666666666666666666666.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/091642292849ede1f066de506a5453dbcc3f9b20.jpg) [<img src="https://images.seebug.org/upload/201510/09164400109190c149fb638f96356dc29f11a128.jpg" alt="aaaaaaaaaaaaaaaa77777777777777777777.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/09164400109190c149fb638f96356dc29f11a128.jpg) 案例:
