Webfront game station has SQL injection (time-based blind injection, involving multiple filter bypasses plus encoding)
The Webfront game station has an SQL injection (exploiting it involves multiple filter bypasses and encoding)
Target: game.feng.com. Testing found SQL injection at the following endpoint (time-based blind injection):
http://game.feng.com/index.php?r=apiw/apiGiftBag/getNewGiftBagNum
Host: game.feng.com
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: */*
User-Agent: WPForumPortal/4.2 (iPhone; iOS 9.2.1; Scale/2.00)
Accept-Language: zh-Hans-CN;q=1
Content-Length: 1581
Accept-Encoding: gzip, deflate
Data = bytes
Payload (causes a delay of 3 seconds):
POST http://game.feng.com/index.php?r=apiw/apiGiftBag/getNewGiftBagNum HTTP/1.1
Content-Length: 1589
Accept-Language: zh-Hans-CN;q=1
Accept-Encoding: gzip, deflate
Host: game.feng.com
Accept: */*
User-Agent: WPForumPortal/4.2 (iPhone; iOS 9.2.1; Scale/2.00)
Accept-Charset: ISO-8859-15,UTF-8;q=0.7,*;q=0.7
Cookie: nsc_hbnf.gfoh.pmma=ffffffffc3a0ac1345525d5f4f58455e445a4a423660
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: application/x-www-form-urlencoded
Data = bytes
By default, SQLMap basically cannot extract data here, for two reasons:
1. The data is BASE64-encoded. SQLMap's base64 tamper applies to a single parameter only, not to the whole POST data, so an open-source proxy has to be used to handle the base64 step automatically.
2. The data is filtered. Testing showed that each of the following in the payload caused an error: space, ORD, the equals sign, CURRENT_USER. Parentheses were therefore used instead of spaces, ASCII instead of ORD, and LIKE instead of the equals sign ......
Screenshot of the rewriting proxy:
1. Extract the current database user
2. Extract the current database
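
Why the token filter described above does not stop the injection while a bound parameter does, as an added example that is not code from the original report or from the site. The base64-over-JSON body layout, the `gift_bag` table, the `user_id` field and the function names are assumptions, and SQLite stands in for the site's database.

```python
import base64
import json
import sqlite3

# Tokens the report says were rejected by the server-side filter.
BLOCKED = (" ", "ORD", "=", "CURRENT_USER")


def encode_body(fields):
    """Assumed body layout: base64 over JSON (hypothetical)."""
    return base64.b64encode(json.dumps(fields).encode()).decode()


def decode_body(b64):
    return json.loads(base64.b64decode(b64))


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gift_bag (user_id INTEGER, code TEXT)")
    db.executemany("INSERT INTO gift_bag VALUES (?, ?)",
                   [(1, "A"), (1, "B"), (2, "C")])  # constructed rows
    return db


def count_with_blocklist(db, b64):
    """'Before' form: token blocklist, then string concatenation into SQL."""
    uid = str(decode_body(b64)["user_id"])
    if any(tok in uid.upper() for tok in BLOCKED):
        raise ValueError("blocked token")
    sql = "SELECT COUNT(*) FROM gift_bag WHERE user_id=" + uid
    return db.execute(sql).fetchone()[0]


def count_with_bound_param(db, b64):
    """Hardened form: strict type check, value passed as a bound parameter."""
    uid = decode_body(b64)["user_id"]
    if isinstance(uid, bool) or not isinstance(uid, int):
        raise ValueError("user_id must be an integer")
    sql = "SELECT COUNT(*) FROM gift_bag WHERE user_id = ?"
    return db.execute(sql, (uid,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    rewritten = encode_body({"user_id": "(0)OR(1)LIKE(1)"})  # constructed input
    print(count_with_blocklist(db, encode_body({"user_id": 1})))  # own rows only
    print(count_with_blocklist(db, rewritten))  # filter passes it, all rows match
```

The blocklist rejects the spaced form but accepts the parenthesised one with LIKE, so the fix is to bind the value and check its type after decoding, not to extend the token list.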