[CRITICAL] connection timed out to the target URL #1063

Closed
StupeDZerG opened this issue Dec 24, 2014 · 2 comments
@StupeDZerG

D:\Need me\Sql\sqlmap>sqlmap.py -r efi.txt --level 3 --risk 3 --time-sec 6
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20141224}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:52:37

[13:52:37] [INFO] parsing HTTP request from 'efi.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[13:52:46] [INFO] testing connection to the target URL
[13:52:47] [INFO] heuristics detected web page charset 'windows-1251'
[13:52:47] [INFO] testing if the target URL is stable. This can take a couple of seconds
[13:52:50] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[13:53:14] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[13:53:15] [WARNING] (custom) POST parameter '#1*' does not appear dynamic
[13:53:16] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[13:53:18] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[13:53:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:54:58] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[13:56:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[13:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[13:58:17] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[13:59:53] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[13:59:57] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[14:00:04] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[14:00:08] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
[14:00:12] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[14:00:17] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[14:00:21] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace (original value)'
[14:00:25] [INFO] testing 'SAP MaxDB boolean-based blind - Parameter replace (original value)'
[14:00:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[14:00:38] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[14:00:47] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[14:00:56] [INFO] testing 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses'
[14:01:04] [INFO] testing 'Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses'
[14:01:18] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[14:03:02] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
[14:04:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[14:04:53] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[14:05:25] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[14:06:00] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[14:06:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:07:04] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:07:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[14:08:11] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:08:42] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[14:09:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[14:09:47] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[14:10:18] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[14:10:50] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[14:11:24] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[14:11:59] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[14:12:34] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[14:13:05] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[14:13:38] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[14:14:11] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[14:14:44] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[14:15:15] [INFO] testing 'Firebird OR error-based - WHERE or HAVING clause'
[14:15:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:15:49] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[14:15:51] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[14:15:52] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[14:15:54] [INFO] testing 'Oracle error-based - Parameter replace'
[14:15:55] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[14:15:58] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[14:16:01] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
[14:16:04] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[14:16:06] [INFO] testing 'Oracle error-based - GROUP BY and ORDER BY clauses'
[14:16:09] [INFO] testing 'MySQL inline queries'
[14:16:11] [INFO] testing 'PostgreSQL inline queries'
[14:16:12] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:16:14] [INFO] testing 'Oracle inline queries'
[14:16:15] [INFO] testing 'SQLite inline queries'
[14:16:16] [INFO] testing 'Firebird inline queries'
[14:16:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:16:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[14:17:24] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[14:17:57] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
[14:18:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:18:59] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[14:19:30] [INFO] testing 'Firebird stacked queries (heavy query)'
[14:20:01] [INFO] testing 'HSQLDB >= 1.7.2 stacked queries'
[14:20:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[14:21:12] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[14:21:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:22:15] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[14:22:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:23:17] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[14:23:52] [INFO] testing 'Oracle AND time-based blind'
[14:24:23] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[14:24:54] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[14:25:28] [INFO] testing 'SAP MaxDB AND time-based blind (heavy query)'
[14:25:59] [INFO] testing 'IBM DB2 AND time-based blind (heavy query)'
[14:26:32] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[14:27:45] [INFO] (custom) POST parameter '#1*' seems to be 'MySQL > 5.0.11 OR time-based blind' injectable
[14:27:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[14:27:45] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:28:16] [WARNING] there is a possibility that the target (or WAF) is dropping 'suspicious' requests
[14:28:16] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[14:28:16] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[14:28:47] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

It seems it finds a hole, and at once there is a mistake. What could the problem be?

@StupeDZerG
Author

Men, this can be closed, I understood))

P.S. Who can explain what the parameter --technique=BEUS is for?

@stamparm
Member

You are skipping testing for time-based SQLi then, which most probably causes trouble.

@stamparm stamparm self-assigned this Dec 25, 2014
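
The timestamps in the log posted above show where the run stalls. As an added example (not part of the original thread and not sqlmap's own code), this Python script measures how long each test ran and attributes the 'connection timed out' entries to the test that was active at the time; the function names are hypothetical, and the sample is a few lines taken from the posted log with wrapped lines rejoined.

```python
import re
from datetime import datetime, timedelta

# Lines taken from the log posted in this thread (wrapped lines rejoined).
SAMPLE = """\
[14:25:59] [INFO] testing 'IBM DB2 AND time-based blind (heavy query)'
[14:26:32] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[14:27:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[14:28:16] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[14:28:47] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
"""

LINE_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[(\w+)\] (.*)$")
TEST_RE = re.compile(r"^testing '(.+)'$")  # only payload tests, not "testing connection ..."

def seconds_between(start, end):
    """Elapsed seconds; the log carries no date, so a negative gap means midnight passed."""
    delta = end - start
    if delta < timedelta(0):
        delta += timedelta(days=1)
    return int(delta.total_seconds())

def per_test_summary(text):
    """Return (name, seconds, timeouts) per test; a test runs until the next test starts or the log ends."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skips the banner, prompts and wrapped fragments
            entries.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)))
    summary = []
    for stamp, level, msg in entries:
        t = TEST_RE.match(msg)
        if t:
            if summary:  # close the previous test at the start of this one
                summary[-1]["seconds"] = seconds_between(summary[-1]["start"], stamp)
            summary.append({"name": t.group(1), "start": stamp, "seconds": 0, "timeouts": 0})
        elif summary and level == "CRITICAL" and "timed out" in msg:
            summary[-1]["timeouts"] += 1
    if summary:  # the last test is still open at the end of the log
        summary[-1]["seconds"] = seconds_between(summary[-1]["start"], entries[-1][0])
    return [(s["name"], s["seconds"], s["timeouts"]) for s in summary]

if __name__ == "__main__":
    for name, seconds, timeouts in per_test_summary(SAMPLE):
        print(f"{seconds:4d}s  timeouts={timeouts}  {name}")
```

On this excerpt both timeouts fall inside the UNION test that started immediately after the time-based payload was reported as injectable, which matches sqlmap's own warning that the server had not yet recovered from the previous time-based payload.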