I have tried the following tamper scripts in sqlmap but the connection is still getting dropped by the WAF: tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

Are there any other methods that might work?

WARNING: there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests...

It's a MySQL >= 5 database.

[23:18:38] [INFO] testing connection to the target URL
[23:18:41] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[23:18:41] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[23:18:41] [INFO] testing if the target URL content is stable
[23:18:41] [INFO] target URL content is stable
[23:19:11] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:20:12] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[23:20:12] [INFO] testing for SQL injection on POST parameter 'user'
[23:20:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:20:54] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:21:37] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[23:21:37] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:23:10] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:23:25] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[23:23:58] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:25:36] [CRITICAL] connection timed out to the target URL
[23:26:11] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:26:53] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue with further target testing? [y/N] n
[23:33:30] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:35:01] [CRITICAL] connection timed out to the target URL
[23:35:32] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:37:03] [CRITICAL] connection timed out to the target URL
[23:37:41] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:39:12] [CRITICAL] connection timed out to the target URL
[23:39:42] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:40:51] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:42:21] [CRITICAL] connection timed out to the target URL
[23:42:54] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:43:32] [INFO] heuristics detected web page charset 'ascii'
[23:43:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[23:44:08] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:45:51] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:46:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[23:47:19] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:47:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[23:47:35] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[23:48:05] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:48:39] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[23:48:47] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[23:49:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:49:18] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[23:49:20] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[23:49:21] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[23:49:22] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[23:49:23] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[23:49:54] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:51:26] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:51:59] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:53:32] [CRITICAL] connection timed out to the target URL
[23:54:06] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:54:42] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:56:13] [CRITICAL] connection timed out to the target URL
[23:56:46] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:57:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[23:57:35] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:58:11] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:58:15] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[23:58:27] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[23:58:41] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[23:59:42] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:00:02] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[00:00:43] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:02:05] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:02:15] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[00:02:56] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:04:00] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:04:38] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:04:39] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[00:05:37] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:05:41] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[00:06:13] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:06:44] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:07:26] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:08:03] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:08:10] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[00:08:42] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[00:09:07] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[00:09:08] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[00:09:08] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[00:09:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[00:09:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[00:09:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[00:09:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[00:09:13] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[00:09:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[00:09:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[00:09:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[00:10:16] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:10:21] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[00:10:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[00:11:08] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:11:45] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:12:30] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:13:31] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:13:46] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[00:14:58] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:15:36] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[00:16:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[00:17:35] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:17:39] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[00:18:12] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:19:03] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:19:36] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:19:55] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[00:21:14] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:22:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:23:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:23:49] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:24:56] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:25:47] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:26:06] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:26:39] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:27:12] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:27:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[00:28:32] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:28:57] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[00:29:47] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:31:06] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:31:50] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[00:32:44] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:33:35] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:34:10] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:34:44] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[00:35:12] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[00:35:52] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:36:20] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[00:36:21] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[00:36:22] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[00:36:23] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:36:24] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[00:36:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[00:36:25] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[00:36:27] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[00:36:28] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[00:36:30] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[00:36:32] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[00:36:34] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[00:36:36] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[00:36:39] [INFO] testing 'MySQL inline queries'
[00:36:40] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[00:36:41] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:36:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:37:06] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[00:37:19] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[00:38:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[00:38:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[00:39:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[00:39:27] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[00:39:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[00:39:59] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[00:40:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:41:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[00:42:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[00:42:52] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[00:43:38] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[00:44:00] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[00:44:54] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
[00:45:10] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[00:45:56] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[00:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[00:46:25] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[00:46:49] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[00:47:04] [INFO] testing 'MySQL AND time-based blind (ELT)'
[00:47:25] [INFO] testing 'MySQL OR time-based blind (ELT)'
[00:47:44] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[00:48:01] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[00:48:16] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[00:49:10] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[00:49:22] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[00:49:23] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[00:49:24] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace (heavy queries)'
[00:49:24] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[00:49:25] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[00:49:25] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[00:49:25] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[00:49:26] [INFO] testing 'MySQL <= 5.0.11 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
[00:49:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:51:28] [INFO] target URL appears to be UNION injectable with 8 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[00:55:51] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
user2014429

1 Answer

At first thought, if your connection is getting dropped, are you sure it's on the sqlmap side? Meaning, is there a network problem or an application-layer problem, or do you know for a fact that the site is vulnerable to SQL injection?

Here's the process explained:

https://www.sunnyhoi.com/use-sqlmap-to-bypass-cloudflare-waf-and-hack-website-with-sql-injection/

Here's a list of running all scripts at once:

https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423

Am I interpreting your question properly; does this help?

MGoBlue93
  • Hi, yes, I used to be able to access the database names, so it definitely is injectable. Sometimes it does connect, but says 'unable to retrieve database names'. – user2014429 Jan 31 '19 at 00:01
  • Please post the terminal output. There are dozens of different ways that message can be thrown, and often it comes with other messages as clues. – MGoBlue93 Jan 31 '19 at 00:08
  • OK I posted the warning message – user2014429 Jan 31 '19 at 00:24
  • That's all there is? Just that one line? If not, please post everything in the terminal from the command you entered to when you get the cursor back. – MGoBlue93 Jan 31 '19 at 00:40
  • OK, I posted a terminal output. – user2014429 Jan 31 '19 at 01:02
  • Regarding the following line, do you think, given your environment, that it's not meaningful output? [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests – MGoBlue93 Jan 31 '19 at 05:44
  • Sure, but how can I avoid it? – user2014429 Jan 31 '19 at 06:56
  • Not sure how your backend is set up, but that warning indicates a WAF is protecting the instance. Nobody is going to be 100% successful on any attack. The one thing you can verify for sure is to run the same command against DVWA; if it works, that tells you you're doing it right (and something else is going on with your DB). – MGoBlue93 Jan 31 '19 at 16:22