Since you mentioned "not doing anything illegal", I will just say that, checking peoples doors and windows to see if they are open or weak, is not ok even if it's fun and all (but if the site you are testing on have given you permission, or if you own it, then hack away to your hearts content).
Anyway to the issue at hand. Are you using the latest development version of sqlmap? If not, then I recommend you do that, since it gets new features and updates all the time, and you will probably see your issue solved there. If you don't have git, then get it, and then do: git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev //C On 30.08.2012 17:06, Arturs Pavlovs wrote: > Hi! > Basically this question is about what Havij does and how to do the > same w/ SQLMap (or better). I made injections and was able to dump > database with Havij in this site - > http://nhl.id.lv/?cat=stats&position=Goalie&sort=saves through > parameter 'sort'. It used MySQL timebased injection (time is usually > 4.x seconds or 3.x - I was not able to set SQLMap to miliseconds or > seconds with commas or points) and retrieved all the needed data > using > slow guessing letters method. But it did the job although it was very > slow. With SQLMap it detects MySQL timebased blind, but is not able > to > retrieve any data. Payload says that there is a possibility of > IDS/IPS > defence. What should I do to get the database name? Any tampering > scripts or combinations of them? Is it possible to get the names of > DBs and tables faster than Havij slo-mo guessing? > There's another site with which I have a similar problem. That's > http://hack-games.com . I set crawling to 2 and use parameters > 'doaction' or 'pmid' . SQLMap finds blind boolean injection, but once > again hits the IDS/IPS defence. Havij on the same page only without > crawling (I specified the page SQLMap found while crawling, but don't > remember it :D) found the DB, but it wasn't able to get normal > characters instead of square boxes. That is probably just an encoding > issue. > Could anyone help me to sort out this situation? > > P.S. > Havij also does database name character count retrieval, before > guessing the numbers. I'm not sure if SQLMap has such function. > P.P.S. > I won't use your help to do something illegal with SQLMap, I'm just > having fun from hacking. No harm done to any of higher mentioned or > any other webpages. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
