[WARNING] false positive or unexploitable injection point detected

[Ako0ri]

Hi I have a problem with inject a site I run sqlmap and I get this :

C:\Documents and Settings\Administrator\Desktop\sqlmap3>sqlmap.py -r pentest.txt -p page --dbms mysql --tamper "charencode.py,space2morehash.py,randomcomme nts.py" --level=5 --risk=3 _ **| |_ {1.0-dev-nongit-20140929} |_ -| . | | | .'| . | || |||||**,| | || |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program

[*] starting at 01:18:02

[01:18:02] [INFO] parsing HTTP request from 'talahost.com.txt' [01:18:02] [INFO] loading tamper script 'charencode' [01:18:02] [INFO] loading tamper script 'space2morehash' [01:18:02] [WARNING] tamper script 'space2morehash' is only meant to be run agai nst MySQL > 5.1.13 it seems that you might have mixed the order of tamper scripts. Do you want to a uto resolve this? [Y/n/q] Y [01:18:04] [INFO] loading tamper script 'randomcomments' [01:18:04] [INFO] testing connection to the target URL [01:18:05] [INFO] testing if the target URL is stable. This can take a couple of seconds [01:18:06] [WARNING] target URL is not stable. sqlmap will base the page compari son on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c [01:18:21] [WARNING] heuristic (basic) test shows that GET parameter 'page' migh t not be injectable [01:18:21] [INFO] testing for SQL injection on GET parameter 'page' [01:18:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [01:18:37] [INFO] GET parameter 'page' seems to be 'AND boolean-based blind - WH ERE or HAVING clause' injectable [01:18:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause ' [01:18:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)' [01:18:39] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)' [01:18:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause ' [01:18:41] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'

[01:18:41] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)' [01:18:42] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)' [01:18:43] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'

[01:18:43] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' [01:18:43] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' [01:18:43] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT VALUE)' [01:18:43] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX ML)' [01:18:43] [INFO] testing 'MySQL inline queries' [01:18:43] [INFO] testing 'MySQL > 5.0.11 stacked queries' [01:18:44] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [01:18:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' [01:18:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)' [01:18:46] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)' [01:18:47] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - co mment)' [01:18:47] [INFO] testing 'MySQL > 5.0.11 OR time-based blind' [01:18:47] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)' [01:18:48] [INFO] testing 'MySQL >= 5.0 time-based blind - Parameter replace' [01:18:48] [INFO] testing 'MySQL < 5.0 time-based blind - Parameter replace (hea vy queries)' [01:18:48] [INFO] testing 'MySQL time-based blind - Parameter replace (bool*int) ' [01:18:48] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET) ' [01:18:48] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)' [01:18:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' [01:18:48] [INFO] automatically extending ranges for UNION query injection techn ique tests as there is at least one other (potential) technique found [01:19:03] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns' [01:19:09] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns' [01:19:24] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'

[01:19:29] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns' [01:19:44] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'

[01:19:49] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns' [01:20:05] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'

[01:20:10] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns' [01:20:27] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns ' [01:20:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [01:20:53] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns ' [01:20:58] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns' [01:21:13] [INFO] target URL appears to be UNION injectable with 22 columns injection not exploitable with NULL values. Do you want to try with a random int eger value for option '--union-char'? [Y/n] Y [02:55:56] [INFO] testing 'Generic UNION query (70) - 42 to 60 columns' [02:56:01] [INFO] testing 'Generic UNION query (70) - 62 to 80 columns' [02:56:06] [INFO] testing 'Generic UNION query (70) - 82 to 100 columns' [02:56:12] [INFO] checking if the injection point on GET parameter 'page' is a f alse positive [02:56:12] [WARNING] false positive or unexploitable injection point detected [02:56:12] [WARNING] GET parameter 'page' is not injectable [02:56:12] [CRITICAL] all tested parameters appear to be not injectable. Also, y ou can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 02:56:12

C:\Documents and Settings\Administrator\Desktop\sqlmap3>sqlmap.py -r talahost.co m.txt -p page --dbms mysql --tamper "versionedmorekeywords.py" --level=5 --risk= 3 _ **| |_ {1.0-dev-nongit-20140929} |_ -| . | | | .'| . | || |||||**,| | || |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program

[*] starting at 02:59:07

[02:59:07] [INFO] parsing HTTP request from 'talahost.com.txt' [02:59:07] [INFO] loading tamper script 'versionedmorekeywords' [02:59:07] [WARNING] tamper script 'versionedmorekeywords' is only meant to be r un against MySQL >= 5.1.13 [02:59:07] [INFO] testing connection to the target URL [02:59:09] [INFO] testing if the target URL is stable. This can take a couple of seconds [02:59:12] [WARNING] target URL is not stable. sqlmap will base the page compari son on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C [02:59:16] [WARNING] heuristic (basic) test shows that GET parameter 'page' migh t not be injectable [02:59:16] [INFO] testing for SQL injection on GET parameter 'page' [02:59:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [03:02:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS QL comment)' [03:02:40] [WARNING] user aborted during detection phase how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext pa rameter/(c)hange verbosity/(q)uit] [03:02:40] [ERROR] user aborted

[*] shutting down at 03:02:40

C:\Documents and Settings\Administrator\Desktop\sqlmap3>sqlmap.py -r talahost.co m.txt -p page --dbms mysql --tamper "charencode.py,space2morehash.py,randomcomme nts.py" --level=5 --risk=3 --tamper=between _ **| |_ {1.0-dev-nongit-20140929} |_ -| . | | | .'| . | || |||||**,| | || |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program

[*] starting at 03:02:47

[03:02:47] [INFO] parsing HTTP request from 'pentest.txt' [03:02:47] [INFO] loading tamper script 'between' [03:02:47] [INFO] testing connection to the target URL [03:02:49] [INFO] testing if the target URL is stable. This can take a couple of seconds [03:02:51] [WARNING] target URL is not stable. sqlmap will base the page compari son on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C [03:02:54] [WARNING] heuristic (basic) test shows that GET parameter 'page' migh t not be injectable [03:02:54] [INFO] testing for SQL injection on GET parameter 'page' [03:02:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [03:05:16] [WARNING] there is a possibility that the target (or WAF) is dropping 'suspicious' requests [03:05:16] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [03:05:47] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [03:06:18] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [03:07:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS QL comment)' [03:09:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen eric comment)' [03:10:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause' [03:10:47] [INFO] GET parameter 'page' seems to be 'OR boolean-based blind - WHE RE or HAVING clause' injectable [03:10:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause ' [03:10:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)' [03:10:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)' [03:10:49] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause ' [03:10:50] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'

[03:10:50] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)' [03:10:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)' [03:10:51] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'

[03:10:52] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' [03:10:52] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' [03:10:52] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT VALUE)' [03:10:52] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX ML)' [03:10:53] [INFO] testing 'MySQL inline queries' [03:10:53] [INFO] testing 'MySQL > 5.0.11 stacked queries' [03:10:53] [CRITICAL] considerable lagging has been detected in connection respo nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more) [03:10:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [03:10:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' [03:10:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)' [03:10:56] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)' [03:10:56] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - co mment)' [03:10:57] [INFO] testing 'MySQL > 5.0.11 OR time-based blind' [03:10:57] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)' [03:10:57] [INFO] testing 'MySQL >= 5.0 time-based blind - Parameter replace' [03:10:58] [INFO] testing 'MySQL < 5.0 time-based blind - Parameter replace (hea vy queries)' [03:10:58] [INFO] testing 'MySQL time-based blind - Parameter replace (bool*int) ' [03:10:58] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET) ' [03:10:58] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)' [03:10:59] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' [03:10:59] [INFO] automatically extending ranges for UNION query injection techn ique tests as there is at least one other (potential) technique found [03:10:59] [WARNING] reflective value(s) found and filtering out [03:11:13] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns' [03:11:18] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns' [03:11:35] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'

[03:11:40] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns' [03:11:54] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'

[03:11:59] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns' [03:12:13] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'

[03:12:19] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns' [03:12:32] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns ' [03:12:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [03:12:54] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns ' [03:12:59] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns' [03:13:12] [INFO] testing 'Generic UNION query (random number) - 22 to 40 column s' [03:13:17] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns' [03:13:31] [INFO] target URL appears to be UNION injectable with 43 columns injection not exploitable with NULL values. Do you want to try with a random int eger value for option '--union-char'? [Y/n] y [03:14:53] [INFO] testing 'Generic UNION query (20) - 62 to 80 columns' [03:14:58] [INFO] testing 'Generic UNION query (20) - 82 to 100 columns' [03:15:02] [WARNING] in OR boolean-based injections, please consider usage of sw itch '--drop-set-cookie' if you experience any problems during data retrieval [03:15:02] [INFO] checking if the injection point on GET parameter 'page' is a f alse positive [03:15:03] [WARNING] false positive or unexploitable injection point detected [03:15:03] [WARNING] GET parameter 'page' is not injectable [03:15:03] [CRITICAL] all tested parameters appear to be not injectable. Please retry with the switch '--text-only' (along with --technique=BU) as this case loo ks like a perfect candidate (low textual content along with inability of compari son engine to detect at least one dynamic parameter). Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 03:15:03

C:\Documents and Settings\Administrator\Desktop\sqlmap3>

I use some trick but not use full and in the last I get this error [WARNING] false positive or unexploitable injection point detected

Please help me what I should do

[stamparm]

Nothing. I would say that you have a negative (or, as sqlmap said false positive)

[Ako0ri]

I am sure this site have vulnerability in page parameter and this is blid or time-based But sqlmap can not detect it or I can not use sqlmap techniques as good

[stamparm]

And how are you exactly sure?

[Ako0ri]

I use a trusted web vulnerability scanner and It detect this parameter for SQLi

[stamparm]

And what was the detected payload?

[Ako0ri]

Could you please give me your email?!

[Ako0ri]

If you give me your email I will send you more details

[stamparm]

Sorry. I am currently unavailable for private email conversations.

[Jai-deve]

i have same problem sir false positive or unexploitable point detected even i check time based blind (sleep) vulnerability is available please give me solution sir

[Gems]

Sorry, but it's really true. I tested with the latest version version of sqlmap and its output is:

[16:24:55] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL > 5.0.12 OR time-based blind (heavy query)' injectable 
[16:24:55] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
[16:24:55] [WARNING] false positive or unexploitable injection point detected
[16:24:55] [WARNING] (custom) POST parameter '#1*' does not seem to be injectable

After I enabled the logging and extract the particular payload, I could use it to exploit the vulnerability and exfiltrate the data. It's strange that sqlmap doesn't do it, despite that in another soft off situation it managed to get it done.

I'd be happy to provide more details if needed (like POST data and the way I used the payload).

Though, I'm afraid that it might by design that sqlmap can't use OR time-based blind (heavy query) injections because it requires enumeration to exfiltrate the data. It would be nice to get this assumption confirmed or denied.

Thanks in advance!

[stamparm]

false-positive or unexploitable (with current options/switches) you use. not sure which part of unexploitable is not clear?

[Gems]

@stamparm is unexploitable by design of sqlmap? If so, I'd be happy to contribute to implement one of the relevant algorithms. I need some guidance here.

[stamparm]

@Gems thank you man, but i highly doubt that you can "implement one of the relevant algorithms". please, do your research and try to use some of related options/switches

[stamparm]

just to leave one LOL for is unexploitable by design of sqlmap :)